HashToPoint for Ed25519 (for pedersen commitments)

[HarryR]

See find_group_hash @ https://github.com/daira/zcash-test-vectors/blob/master/sapling_generators.py#L31

def group_hash(D, M):
    digest = blake2s(person=D)
    digest.update(CRS)
    digest.update(M)
    p = Point.from_bytes(digest.digest())
    if not p:
        return None
    q = p * JUBJUB_COFACTOR
    if q == Point.ZERO:
        return None
    return q

def find_group_hash(D, M):
    i = 0
    while True:
        p = group_hash(D, M + bytes([i]))
        if p:
            return p
        i += 1
        assert i < 256

[barryWhiteHat]

The problem is Point.from_bytes call. You can follow it to sapling_jubjub.py and you can see it needs to get the square root (u = u2.sqrt())[https://github.com/daira/zcash-test-vectors/blob/master/sapling_jubjub.py#L157)

I have not gotten that working yet. You can see https://github.com/barryWhiteHat/baby_jubjub_ecc/blob/master/tests/sapling_jubjub.py#L81 that i am trying to reverse engineer it. But have not gotten it to work yet.

[HarryR]

Can you not just provide a witness for the points u coordinate and verify is_on_curve(u, v) and v == v_from_hash(...) ?

One problem with that is there may be more than one u coordinate for any given v and visa versa, e.g. negative points with the sign bit have the X coordinate flipped.

So it's not safe to just verify is_on_curve unless you also verify the sign bit of the encoded point and whether or not the X coord is negative or positive.