impl ff::{Field, PrimeField, FromBytesUniform} as macro

Cargo.toml

@@ -43,6 +43,9 @@ hex = { version = "0.4", optional = true, default-features = false, features = [
 blake2b_simd = "1"
 rayon = "1.8"
 unroll = "0.1.5"
+blake2 = "0.10.6"
+sha2 = "0.10.8"
+digest = "0.10.7"
 
 [features]
 default = ["bits"]

src/bn256/curve.rs

@@ -11,7 +11,6 @@ use crate::ff::WithSmallOrderMulGroup;
 use crate::ff::{Field, PrimeField};
 use crate::group::Curve;
 use crate::group::{cofactor::CofactorGroup, prime::PrimeCurveAffine, Group, GroupEncoding};
-use crate::hash_to_curve::svdw_hash_to_curve;
 use crate::{
     impl_add_binop_specify_output, impl_binops_additive, impl_binops_additive_specify_output,
     impl_binops_multiplicative, impl_binops_multiplicative_mixed, impl_sub_binop_specify_output,
@@ -39,7 +38,7 @@ new_curve_impl!(
     G1_A,
     G1_B,
     "bn256_g1",
-    |curve_id, domain_prefix| svdw_hash_to_curve(curve_id, domain_prefix, G1::SVDW_Z),
+    |domain_prefix| crate::hash_to_curve::hash_to_curve(domain_prefix, G1::default_hash_to_curve_suite()),
 );
 
 new_curve_impl!(
@@ -52,17 +51,26 @@ new_curve_impl!(
     G2_A,
     G2_B,
     "bn256_g2",
-    |_, _| unimplemented!(),
+    |domain_prefix| hash_to_curve_g2(domain_prefix),
 );
 
-const G1_GENERATOR_X: Fq = Fq::one();
+#[allow(clippy::type_complexity)]
+pub(crate) fn hash_to_curve_g2<'a>(domain_prefix: &'a str) -> Box<dyn Fn(&[u8]) -> G2 + 'a> {
+    let suite = G2::default_hash_to_curve_suite();
+    Box::new(move |message| {
+        let r0 = suite.hash_to_curve(domain_prefix, message);
+        r0.clear_cofactor()
+    })
+}
+
+const G1_GENERATOR_X: Fq = Fq::ONE;
 const G1_GENERATOR_Y: Fq = Fq::from_raw([2, 0, 0, 0]);
-const G1_A: Fq = Fq::from_raw([0, 0, 0, 0]);
+const G1_A: Fq = Fq::ZERO;
 const G1_B: Fq = Fq::from_raw([3, 0, 0, 0]);
 
 const G2_A: Fq2 = Fq2 {
-    c0: Fq::from_raw([0, 0, 0, 0]),
-    c1: Fq::from_raw([0, 0, 0, 0]),
+    c0: Fq::ZERO,
+    c1: Fq::ZERO,
 };
 
 const G2_B: Fq2 = Fq2 {
@@ -195,6 +203,26 @@ impl CofactorGroup for G2 {
 
 impl G1 {
     const SVDW_Z: Fq = Fq::ONE;
+
+    fn default_hash_to_curve_suite() -> crate::hash_to_curve::Suite<Self, sha2::Sha256, 64> {
+        crate::hash_to_curve::Suite::<G1, sha2::Sha256, 64>::new(
+            b"bn256_g1_XMD:SHA-256_SVDW_RO_",
+            Self::SVDW_Z,
+            crate::hash_to_curve::Method::SVDW,
+        )
+    }
+}
+
+impl G2 {
+    const SVDW_Z: Fq2 = Fq2::ONE;
+
+    fn default_hash_to_curve_suite() -> crate::hash_to_curve::Suite<Self, sha2::Sha256, 128> {
+        crate::hash_to_curve::Suite::<G2, sha2::Sha256, 128>::new(
+            b"bn256_g2_XMD:SHA-256_SVDW_RO_",
+            Self::SVDW_Z,
+            crate::hash_to_curve::Method::SVDW,
+        )
+    }
 }
 
 #[cfg(test)]

src/bn256/engine.rs

@@ -237,10 +237,10 @@ impl G2Prepared {
             tmp3.square_assign();
             tmp3 -= &tmp0;
             tmp3 -= &tmp2;
-            tmp3.double_assign();
+            tmp3 = tmp3.double();
 
             let mut tmp4 = tmp0;
-            tmp4.double_assign();
+            tmp4 = tmp4.double();
             tmp4 += &tmp0;
 
             let mut tmp6 = r.x;
@@ -265,9 +265,9 @@ impl G2Prepared {
             r.y -= &r.x;
             r.y.mul_assign(&tmp4);
 
-            tmp2.double_assign();
-            tmp2.double_assign();
-            tmp2.double_assign();
+            tmp2 = tmp2.double();
+            tmp2 = tmp2.double();
+            tmp2 = tmp2.double();
 
             r.y -= &tmp2;
 
@@ -277,23 +277,23 @@ impl G2Prepared {
             // tmp3 is the first part of line 12
             tmp3 = tmp4;
             tmp3.mul_assign(&zsquared);
-            tmp3.double_assign();
+            tmp3 = tmp3.double();
             tmp3 = tmp3.neg();
 
             // tmp6 is from line 14
             tmp6.square_assign();
             tmp6 -= &tmp0;
             tmp6 -= &tmp5;
 
-            tmp1.double_assign();
-            tmp1.double_assign();
+            tmp1 = tmp1.double();
+            tmp1 = tmp1.double();
 
             tmp6 -= &tmp1;
 
             // tmp0 is the first part of line 16
             tmp0 = r.z;
             tmp0.mul_assign(&zsquared);
-            tmp0.double_assign();
+            tmp0 = tmp0.double();
 
             (tmp0, tmp3, tmp6)
         }
@@ -328,8 +328,8 @@ impl G2Prepared {
 
             // t4 corresponds to line 6
             let mut t4 = t3;
-            t4.double_assign();
-            t4.double_assign();
+            t4 = t4.double();
+            t4 = t4.double();
 
             // t5 corresponds to line 7
             let mut t5 = t4;
@@ -373,7 +373,7 @@ impl G2Prepared {
             // corresponds to line 15
             t0 = r.y;
             t0.mul_assign(&t5);
-            t0.double_assign();
+            t0 = t0.double();
 
             // corresponds to line 12, but assigns to r.y instead of T.y
             r.y = t8;
@@ -389,18 +389,18 @@ impl G2Prepared {
             t10 -= &ztsquared;
 
             // corresponds to line 18
-            t9.double_assign();
+            t9 = t9.double();
             t9 -= &t10;
 
             // t10 = 2*Zt from Algo 27, line 19
             t10 = r.z;
-            t10.double_assign();
+            t10 = t10.double();
 
             // t1 = first multiplicator of line 21
             t6 = t6.neg();
 
             t1 = t6;
-            t1.double_assign();
+            t1 = t1.double();
 
             // t9 corresponds to t9 from Algo 27
             (t10, t1, t9)