pirate-librustzcash/src/group_hash.rs

use jubjub::*;
use pairing::*;
use blake2_rfc::blake2s::Blake2s;

/// This is chosen to be some random string that we couldn't have anticipated when we designed
/// the algorithm, for rigidity purposes.
pub const FIRST_BLOCK: &'static [u8; 64] = b"0000000000000000002ffe76b973aabaff1d1557d79acf2c3795809c83caf580";

/// Produces an (x, y) pair (Montgomery) for a
/// random point in the Jubjub curve. The point
/// is guaranteed to be prime order and not the
/// identity.
pub fn group_hash<E: JubjubEngine>(
    tag: &[u8],
    personalization: &[u8],
    params: &E::Params
) -> Option<edwards::Point<E, PrimeOrder>>
{
    assert_eq!(personalization.len(), 8);

    // Check to see that scalar field is 255 bits
    assert!(E::Fr::NUM_BITS == 255);

    let mut h = Blake2s::with_params(32, &[], &[], personalization);
    h.update(FIRST_BLOCK);
    h.update(tag);
    let mut h = h.finalize().as_ref().to_vec();
    assert!(h.len() == 32);

    // Take first/unset first bit of hash
    let s = h[0] >> 7 == 1; // get s
    h[0] &= 0b0111_1111; // unset s from h

    // cast to prime field representation
    let mut y0 = <E::Fr as PrimeField>::Repr::default();
    y0.read_be(&h[..]).expect("hash is sufficiently large");

    if let Ok(y0) = E::Fr::from_repr(y0) {
        if let Some(p) = edwards::Point::<E, _>::get_for_y(y0, s, params) {
            // Enter into the prime order subgroup
            let p = p.mul_by_cofactor(params);

            if p != edwards::Point::zero() {
                Some(p)
            } else {
                None
            }
        } else {
            None
        }
    } else {
        None
    }
}
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`use jubjub::*;`
			`use pairing::*;`
Switch to using the blake2-rfc crate instead. 2018-03-05 17:58:34 -07:00			`use blake2_rfc::blake2s::Blake2s;`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00
Group hash should use a first block containing random data as per spec. 2018-03-05 18:08:49 -07:00			`/// This is chosen to be some random string that we couldn't have anticipated when we designed`
			`/// the algorithm, for rigidity purposes.`
			`pub const FIRST_BLOCK: &'static [u8; 64] = b"0000000000000000002ffe76b973aabaff1d1557d79acf2c3795809c83caf580";`

Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`/// Produces an (x, y) pair (Montgomery) for a`
			`/// random point in the Jubjub curve. The point`
			`/// is guaranteed to be prime order and not the`
			`/// identity.`
			`pub fn group_hash<E: JubjubEngine>(`
			`tag: &[u8],`
Adopt BLAKE2s personalization throughout protocol. 2018-03-05 19:21:41 -07:00			`personalization: &[u8],`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`params: &E::Params`
Change group_hash to output points in the twisted Edwards form. 2018-01-29 08:56:58 -07:00			`) -> Option<edwards::Point<E, PrimeOrder>>`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`{`
Adopt BLAKE2s personalization throughout protocol. 2018-03-05 19:21:41 -07:00			`assert_eq!(personalization.len(), 8);`

Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`// Check to see that scalar field is 255 bits`
			`assert!(E::Fr::NUM_BITS == 255);`

Adopt BLAKE2s personalization throughout protocol. 2018-03-05 19:21:41 -07:00			`let mut h = Blake2s::with_params(32, &[], &[], personalization);`
Group hash should use a first block containing random data as per spec. 2018-03-05 18:08:49 -07:00			`h.update(FIRST_BLOCK);`
Switch to using the blake2-rfc crate instead. 2018-03-05 17:58:34 -07:00			`h.update(tag);`
			`let mut h = h.finalize().as_ref().to_vec();`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`assert!(h.len() == 32);`

			`// Take first/unset first bit of hash`
			`let s = h[0] >> 7 == 1; // get s`
			`h[0] &= 0b0111_1111; // unset s from h`

			`// cast to prime field representation`
Change group_hash to output points in the twisted Edwards form. 2018-01-29 08:56:58 -07:00			`let mut y0 = <E::Fr as PrimeField>::Repr::default();`
			`y0.read_be(&h[..]).expect("hash is sufficiently large");`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00
Change group_hash to output points in the twisted Edwards form. 2018-01-29 08:56:58 -07:00			`if let Ok(y0) = E::Fr::from_repr(y0) {`
			`if let Some(p) = edwards::Point::<E, _>::get_for_y(y0, s, params) {`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`// Enter into the prime order subgroup`
			`let p = p.mul_by_cofactor(params);`

Change group_hash to output points in the twisted Edwards form. 2018-01-29 08:56:58 -07:00			`if p != edwards::Point::zero() {`
Implementation of Montgomery point addition in the circuit. 2017-12-22 02:57:34 -07:00			`Some(p)`
			`} else {`
			`None`
			`}`
Relocate grouphash implementation. 2017-12-18 11:00:10 -07:00			`} else {`
			`None`
			`}`
			`} else {`
			`None`
			`}`
			`}`