Implement CurveExt::hash_to_curve for {bn256::G1,grumpkin::G1}
#47
Conversation
han0110
force-pushed
the
feature/hash-to-curve
branch
2 times, most recently
from
2b01631 to
c6b96bf
Compare
han0110
force-pushed
the
feature/hash-to-curve
branch
from
c6b96bf to
3561be6
Compare
|
I can confirm this branch forms the last bit needed to create a Nova that's working and tested using the Grumpkin/bn256 cycle implemented in this repo: microsoft/Nova@main...huitseeker:Nova:bn-gr-h2c (joint work with @leonardoalt) |
han0110
force-pushed
the
feature/hash-to-curve
branch
2 times, most recently
from
bc24236 to
3ba1790
Compare
han0110
changed the title
CurveExt::hash_to_curve for {bn256::G1,grumpkin::G1,secp256k1::Secp256k1}CurveExt::hash_to_curve for {bn256::G1,grumpkin::G1}
Thanks for sharing the idea for testing, I've merged the PR and now it should be easier to review the implementation with those test vector. |
han0110
force-pushed
the
feature/hash-to-curve
branch
from
1486577 to
10cbe04
Compare
|
You can verify this implementation against my own as well: mratsim/constantine#190. This includes Sage code to derive H2C constants: https://github.com/mratsim/constantine/pull/190/files#diff-cbd719879e1fff4703a911a07be9385db426686f3313c61509d06a4ebff579ca If H2C via SVDW is a bottleneck, the work from @dishport optimizes it:
|
@mratsim, thank you for citing my works. However, some of them are not relevant anymore. The state-of-the art in H2C research is exhibited in my last article https://eprint.iacr.org/2021/1082. |
- Refactor svdw_map_to_curve function for better modularity - Update map_to_curve function to accept precomputed constants and curve values
han0110
force-pushed
the
feature/hash-to-curve
branch
from
10cbe04 to
7fb9ac9
Compare
han0110
force-pushed
the
feature/hash-to-curve
branch
from
7fb9ac9 to
421537b
Compare
This PR takes the
hash_to_fieldfrompasta_curvesand implements the restCurveExt::hash_to_curvefor these curves:bn256::G1andgrumpkin::G1With Shallue-van de Woestijne method. Originally I was exploring implementation of Simplified SWU for AB == 0 for them, but after playing with the sage script to find their isogeny it turns out the degree is so high (59) which might be even slower than the SVDW method (I saw in gnark they are also using SVDW method for BN256).
Although the spec doens't prepare test vectors for these 2 curves, I found in
gnarkthey have the output of the same input from the spec with the same method forbn254here, so perhaps checking with that we can have more confidence on the implementation. This PR aims for letting the CI to run the check for us, and the difference betweenpasta_curvesand spec could be found in this diff, simply speaking the difference inhash_to_fieldare:sha256instead ofblake2bk = 128instead ofk = 256(which seems more accurate)from_u512For the first point it seems fine, but for the other 2 I'm not sure if we should follow the implementation of
pasta_curvesor the spec..secp256k1::Secp256k1With Simplified SWU for AB == 0. Parameters are taken from 3-isogeny map for secp256k1 and implementation is modified from https://github.com/zcash/pasta_curves.It turns out we need to update the
new_curve_implto supporta != 0curve to have isogeny ofsecp256k1to do the addition (we could copy paste the addition algorithm but it seems not looking good). So I'd keep this for future work.And internally the hash function is using
blake2bfollowingpasta_curves, not sure if we need to make it generic but at least for IPA parameter generation I think it's fine to just useblake2b.