pirate-librustzcash/sapling-crypto/src/group_hash.rs

use jubjub::{
    JubjubEngine,
    PrimeOrder,
    edwards
};

use pairing::{
    PrimeField
};

use blake2_rfc::blake2s::Blake2s;
use constants;

/// Produces a random point in the Jubjub curve.
/// The point is guaranteed to be prime order
/// and not the identity.
pub fn group_hash<E: JubjubEngine>(
    tag: &[u8],
    personalization: &[u8],
    params: &E::Params
) -> Option<edwards::Point<E, PrimeOrder>>
{
    assert_eq!(personalization.len(), 8);

    // Check to see that scalar field is 255 bits
    assert!(E::Fr::NUM_BITS == 255);

    let mut h = Blake2s::with_params(32, &[], &[], personalization);
    h.update(constants::GH_FIRST_BLOCK);
    h.update(tag);
    let h = h.finalize().as_ref().to_vec();
    assert!(h.len() == 32);

    match edwards::Point::<E, _>::read(&h[..], params) {
        Ok(p) => {
            let p = p.mul_by_cofactor(params);

            if p != edwards::Point::zero() {
                Some(p)
            } else {
                None
            }
        },
        Err(_) => None
    }
}
General code quality improvements. 2018-03-08 00:41:47 -07:00			`use jubjub::{`
			`JubjubEngine,`
			`PrimeOrder,`
			`edwards`
			`};`

			`use pairing::{`
Use little endian for everything in Sapling. 2018-05-17 00:19:57 -06:00			`PrimeField`
General code quality improvements. 2018-03-08 00:41:47 -07:00			`};`

Switch to using the blake2-rfc crate instead. 2018-03-05 17:58:34 -07:00			`use blake2_rfc::blake2s::Blake2s;`
Move first block of group hash to constants submodule. 2018-03-08 00:09:34 -07:00			`use constants;`
Group hash should use a first block containing random data as per spec. 2018-03-05 18:08:49 -07:00
Fix group hash comment. 2018-03-06 22:26:03 -07:00			`/// Produces a random point in the Jubjub curve.`
			`/// The point is guaranteed to be prime order`
			`/// and not the identity.`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`pub fn group_hash<E: JubjubEngine>(`
			`tag: &[u8],`
Adopt BLAKE2s personalization throughout protocol. 2018-03-05 19:21:41 -07:00			`personalization: &[u8],`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`params: &E::Params`
Change group_hash to output points in the twisted Edwards form. 2018-01-29 08:56:58 -07:00			`) -> Option<edwards::Point<E, PrimeOrder>>`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`{`
Adopt BLAKE2s personalization throughout protocol. 2018-03-05 19:21:41 -07:00			`assert_eq!(personalization.len(), 8);`

Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`// Check to see that scalar field is 255 bits`
			`assert!(E::Fr::NUM_BITS == 255);`

Adopt BLAKE2s personalization throughout protocol. 2018-03-05 19:21:41 -07:00			`let mut h = Blake2s::with_params(32, &[], &[], personalization);`
Move first block of group hash to constants submodule. 2018-03-08 00:09:34 -07:00			`h.update(constants::GH_FIRST_BLOCK);`
Switch to using the blake2-rfc crate instead. 2018-03-05 17:58:34 -07:00			`h.update(tag);`
Use little endian for everything in Sapling. 2018-05-17 00:19:57 -06:00			`let h = h.finalize().as_ref().to_vec();`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`assert!(h.len() == 32);`

Use little endian for everything in Sapling. 2018-05-17 00:19:57 -06:00			`match edwards::Point::<E, _>::read(&h[..], params) {`
			`Ok(p) => {`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`let p = p.mul_by_cofactor(params);`

Change group_hash to output points in the twisted Edwards form. 2018-01-29 08:56:58 -07:00			`if p != edwards::Point::zero() {`
Implementation of Montgomery point addition in the circuit. 2017-12-22 02:57:34 -07:00			`Some(p)`
			`} else {`
			`None`
			`}`
Use little endian for everything in Sapling. 2018-05-17 00:19:57 -06:00			`},`
			`Err(_) => None`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`}`
			`}`