Add hashing into the curve.

[mmaker]

Hello.
A few days ago @zmanian said it'd be nice if somebody added hashing to the curve to pairing, and I found myself with a few spare days in bed, soo… I'd like to propose the folllowing changes:

• Add Legendre symbol for Fq and Fq2, with test cases
• Implement Foque-Ticouchi's hashing to the curve algorithm

The algorithm is pretty much along the lines of https://github.com/herumi/mcl/blob/9fbc54305d01b984e39d83e96bfa94bb17648a86/include/mcl/bn.hpp#L65-L127 , as suggested by @zmanian.

[ebfull]

(Awesome work!)

I don't have time to review this today, but one comment: why can't SqrtField have the Legendre symbol defined over it instead of making a new trait?

[ebfull]

Two additional comments:

1. The implementations of SqrtField internally perform residue tests that are perhaps redundant with legendre().
2. I think the implementation of rand in G1/G2 should probably just use this hashing, if it works.

[ebfull]

As far as I can tell this implementation does not currently guarantee hashing into the correct subgroup. BLS12-381 has nontrivial cofactors for G1/G2, whereas BN curves have h=1 for G1.

[daira]

If we add this then I'd like to make sure it is consistent with the hashing we specify for Sapling (if we decide to use diversified addresses and/or the generalized-Pedersen approach to UITs), so bear with me until I have time to review it and the Fouque–Joux–Tibouchi paper properly. Yes we'll need to hash into the subgroup.

[Edit: I had the wrong paper here.]

At first sight, +1 on moving legendre() into SqrtField and factoring out any redundancy there.

[daira]

Why is this if let QNonResidue =? (Maybe I'm just missing something about Rust pattern matching, but I would have expected if self.legendre() != QResidue for similarity to the existing code. I know the zero case is handled above.)

[ebfull]

This is idomatic Rust. In order to do if self.legendre() != QResidue you need to implement PartialEq (equality) for LegendreSymbol, but absent a good reason to do this, it's preferable to use if let.

So, speaking of which, this code should use a match instead of if let and handle the Zero case of LegendreSymbol.

[mmaker]

Because I'm a n00b.
I've polished that function a bit here mmaker@e27801d and it looks a bit better.

[daira]

Can the hash be defined never to output the point at infinity?

[mmaker]

That is just Rust not understanding that the function it will return before for sure. That line is never executed.

I wasn't really sure what would have been conventional to do there, whether panic! or return a silly point like infinity - bn.h returns an ERR_POINT as far as I remember.
Plus, from ocaml I had this feeling that exceptions are bad and that I should keep my functions pure, so …

In any case, I'm happy to change it if needed!
As a side note, making it constant-time will probably get rid of that for loop and the silly return
(as described on the paper). For now I am aiming at a state that allows me to generate test-vectors.

[ebfull]

If it's true that the algorithm never can produce the point at infinity, then this should return unreachable!().

[daira]

@ebfull, what's the policy for "cannot happen" cases? (Without having thought about it very hard, a panic! seems fine to me.)

[ebfull]

unreachable!() is idiomatic rust. It just panics with "unreachable code".

[mmaker]

The implementations of SqrtField internally perform residue tests that are perhaps redundant with legendre().

At first sight, +1 on moving legendre() into SqrtField and factoring out any redundancy there.

Initially I created a separate trait because I wasn't sure I really needed to implement the legendre symbol for all fields implementing sqrt. Turns out this is the case.

I merged SqrtField and LegendreField at mmaker@e6014d1 as a separate commit. (can squash if needed!)

[mmaker]

The implementations of SqrtField internally perform residue tests that are perhaps redundant with legendre().

Right. So, fr.rsuses it; fq.rs and fq2.rs do not, and I don't really see how they would use it - the algorithms for sqrt mod 4 already understand if it is a quadratic residue or not.

[mmaker]

As far as I can tell this implementation does not currently guarantee hashing into the correct subgroup. BLS12-381 has nontrivial cofactors for G1/G2, whereas BN curves have h=1 for G1.

If we add this then I'd like to make sure it is consistent with the hashing we specify for Sapling (if we decide to use diversified addreses and/or the generalized-Pedersen approach to UITs), so bear with me until I have time to review it and the Foque-Ticouchi paper properly. Yes we'll need to hash into the subgroup.

oh silly silly me I didn't check at all this. Okay mm so in the meantime I'll dive into that loooong issue of yours

Thanks for poining this out!

[zmanian]

I'm unsure if Fouques and Tabouchi works with cofactor != 1.

This implies that we should potentially use some variant of Eligator -Squared (https://eprint.iacr.org/2014/043.pdf & https://hal.inria.fr/hal-01275711/document)

@hdevalence has argued that providing a mapping to curve point should be considered an essential part any curve library.

[mmaker]

what happens if I multiply by the cofactor at the end of the function?
The point is going to be in the subgroup no?

Edit: indeed the paper mentions BLS curves and suggests to multiply by the cofactor:

Our results apply almost without change to any elliptic curve of the form […]: this includes in particular the curves constructed by Barreto, Lynn and Scott in [2, §3.1] and […]
The elliptic curve group in those cases is not usually of prime order, […], so hashing to the prime order subgroup requires multiplying the point obtained with the technique described herein by the cofactor. This does not affect indifferentiability, as was shown in [12, §6.1].

In an attempt to see this with my own eyes I tried to add a patch that multiplies by the cofactor at the end, together with some test cases that verify "some images" are in the desidered subgroup.
Tests suceeds for G1, still failing for G2. The reason they fail for G2 (I think) is that the cofactor is "too big" for our type:

sage: cofactor_g2 = Integer(x**8 - 4*x**7 + 5*x**6 - 4*x**4 + 6*x**3 - 4*x**2 - 4*x + 13) / 9                   
sage: cofactor_g2           
305502333931268344200999753193121504214466019254188142667664032982267604182971884026507427359259977847832272839041616661285803823378372096355777062779109                                                     
sage: Fr(cofactor_g2)             
52435875175126190477137643957470197624944050669916493059025303477134612409005     

and I need to do arithmetic outside Fr to do so. How can I do it?
Note: for G1 tests also properly fail if I comment out multiplication by the cofactor.

[ebfull]

Yes, the G2 cofactor is very large.

I'll have to think about a clean way to allow us to perform scalar multiplications of such magnitude. I don't want that capability to be generally available to downstream users because I never want to encourage them to multiply by non-Fr scalars.

In some of my tests I just manually perform double-and-add, like this:

// Cofactor of G2 is 305502333931268344200999753193121504214466019254188142667664032982267604182971884026507427359259977847832272839041616661285803823378372096355777062779109.
// Calculated by: ((x**8) - (4 * (x**7)) + (5 * (x**6)) - (4 * (x**4)) + (6 * (x**3)) - (4 * (x**2)) - (4*x) + 13) // 9
// where x is the BLS parameter.
for b in "101110101010100001110101001010101000001010011100111111100010000100100011101010100000111100100101000011101101010001000000010110011011001000111011110010001010100011100001000010110101011101010100110100010100010000001011011001011100101101001111101110111111010011000101000111100011100101101001101100111101000001011101111001000010101001101111110001010010011101001100110100100011010111000010110000101101110110001101110011110000110111100001100011100001100111100011100001110001110001100011100011100100011100011100101"
         .chars()
         .map(|c| c == '1')
{
    g2.double();

    if b {
        g2.add_assign_mixed(&p);
    }
}

You can just use this until we figure it out.

[daira]

Lots of comments.

[daira]

Will this return an object that stays zero if self is mutated?

[mmaker]

I don't know; but it's behaving as it was before. https://github.com/ebfull/pairing/blob/master/src/bls12_381/fr.rs#L560-L562 @ebfull?

[ebfull]

Yes, it dereferences self which copies it.

[daira]

Maybe assert somewhere that q mod 16 = 1.

(Nonblocking; I know this hasn't changed in this PR.)

[daira]

wishes that diff would not try so hard to find accidentally matching lines within modified blocks

[daira]

Maybe assert somewhere that q mod 4 = 3. (Nonblocking.)

[daira]

Also, add constants for (q - 3)/2 and -1.

[ebfull]

This can be left to another PR btw.

[daira]

Maybe assert that it is a quadratic nonresidue, now that we have legendre(). (Nonblocking.)

[daira]

Why does it say "= 2", btw, @ebfull? (Nonblocking.)

[ebfull]

It's 2 in the field. (Represented in Montgomery form, which is why it looks random.)

[daira]

For each group, assert that the cofactor times the group order is the curve order.

[daira]

These comments don't make sense to me; what is t initially? Is this a naming clash?

[mmaker]

don't know; it was already there. See https://github.com/ebfull/pairing/blob/master/src/bls12_381/fr.rs#L569

[daira]

What is this constant?

[mmaker]

don't know; it was already there. See https://github.com/ebfull/pairing/blob/master/src/bls12_381/fr.rs#L571

[ebfull]

It's explained in the algorithm I think.

[daira]

Be clearer about the properties of the mapping.

[mmaker]

done, I tried to elaborate a bit more.

[daira]

"Legendre". (The method name is fine as lowercase.)

[mmaker]

done!

[ebfull]

Our review is going to be really exhaustive, I hope you can bear with us! 😅

@bmerge try

[bmerge]

⌛ Trying commit 84c9a83 with merge 80a963e...

[ebfull]

unreachable!()

[ebfull]

Separate these statements into individual lines.

[ebfull]

QuadraticResidue and QuadraticNonResidue

[ebfull]

This blocks for me, I prefer explicit names like this. 😸

[ebfull]

Instead of making a trait let's add this to SqrtField (which will require us to additionally implement it for Fr.)

[ebfull]

This is idomatic Rust. In order to do if self.legendre() != QResidue you need to implement PartialEq (equality) for LegendreSymbol, but absent a good reason to do this, it's preferable to use if let.

So, speaking of which, this code should use a match instead of if let and handle the Zero case of LegendreSymbol.

[ebfull]

Yes, it dereferences self which copies it.

[ebfull]

It's explained in the algorithm I think.

[ebfull]

This can be just p.is_on_curve().

[ebfull]

Well, it cannot map points from small subgroups into the G2 subgroup. I would rather call this scale_by_cofactor.

[ebfull]

This can be left to another PR btw.

[bmerge]

💔 Test failed - pairing-linux64-try

[ebfull]

Don't worry; that test failure has nothing to do with you. It's our clippy lints failing to compile on the latest nightly Rust. If you want, change Cargo.toml to use clippy version 0.0.150 and I can try again.

edit: actually, this would be a rabbit hole. Don't do it yet.

[ebfull]

(By the way, all of the other tests passed just fine.)

[ebfull]

There has to be something in the literature (like this paper) which we can apply here to avoid the huge G2 cofactor scaling.

[ebfull]

As @mmaker mentioned, the paper says:

We also assume that q ≡ 7 (mod 12) and that g(1) = 1 + b is a nonzero square in Fq.

I cannot tell if these assumptions are important or relied on strongly by the paper, but they aren't satisfied by BLS12-381. Fq(5) is nonsquare in Fq, and for G2, q^2 is 1 mod 12. (Perhaps the paper made a typo and meant for p to be 7 mod 12?)

One of the advantages of BLS12-381 is that all of the curve constants can be determined uniquely by a single parameter, which happens also to be part of a subfamily of parameters that are good candidates for standardization.

However, if we're willing to forgo this, we could get this hashing to work for G1 by using a different isomorphism. Barreto pointed out to me many months ago, with regards to BLS12-381:

there's a nicer isomorphic curve, E(F_p): y^2 = x^3 + 24, that admits G = h*(1, 5) as the generator for group G_1.

And of course, with Fq(25) being a nonzero square, it satisfies the assumptions of this paper. But since you still don't get G2 hashing with this... it's probably not worth it.

I would much rather implement hashing via a "try-and-increment" algorithm as suggested in the BLS signatures paper. This also avoids problems with points of small order.

[mmaker]

I cannot tell if these assumptions are important or relied on strongly by the paper, but they aren't satisfied by BLS12-381.

Going after the introduction to section 2:

Later works such as [31] use a different point as the generator, and the corresponding
construction does no longer ensure that 1 + b is a square. This only causes a minor inconvenience for our purposes, namely two extra elements of Fq that have to be treated separately in the encoding given in Section 3.

What happens in section 3 is that we have to handle the cases t = 0 and t^2+b+1 = 0 separately (see page 8, when giving a rational parametrization of the conic), mapping them to arbitrary points.

In fact, they already do this in Definition 2 for t = 0: they construct a nice map from Fq* to the curve, and they "program" the encoding for the case t = 0 reducing it to one of the cases already handled:

The encoding can be extended to all of Fq by sending 0 to some arbitrary point in E(Fq). Since
x1 is well-defined […]

I added a commit that does exately that (mapping to arbitrary points), in case you were interested in checking it out anyway.

I would much rather implement hashing via a "try-and-increment" algorithm as suggested in the BLS signatures paper. This also avoids problems with points of small order.

Alright, I can give it a shot and benchmark the two. Could you please pretty please bear with me and just take a look at both? This way we have some comparative terms.

[ebfull]

Hm, the way we would implement "try-and-increment" could vary. @daira might have some good ideas.

We'd like to be able to "hash to" Fr and Fq elements for the purpose of both hashing to BLS12-381 and hashing to constants/embedded curves for zk-SNARKs. I suppose we can build "hashing to" Fq2 and the curve on top of this.

I'm prepared to bite the bullet and let BLAKE2b be a dependency of pairing. :)

[ebfull]

Just return Self::zero()

[mmaker]

done!

[ebfull]

@bmerge try

[bmerge]

⌛ Trying commit 3ce634a with merge 54b48e1...

[bmerge]

☀️ Test successful - pairing-linux32-try, pairing-linux64-try, pairing-windows32msvc-try, pairing-windows64msvc-try
State: approved= try=True

[ebfull]

I don't know if this change still needs to be in this PR anymore, it could be separate. I don't think y2_from_x is used directly in sw_encode etc. anymore. But, it's not a bad refactoring.

(Does not block this PR.)

[ebfull]

I suspect this inverse could be optimized away. (Does not block this PR.)

[dis2]

1/w^2 is w^(q-4). Trouble is, this is much slower than egcd inverse.

Unless you have completely different formula for x3 in mind.

[ebfull]

• A = t^2
• B = A + b + 1
• C = 3 * A
• D = B * C
• E = D^(-1)
• F = E * B makes for F = 1/(3t^2)
• G = E * C makes for G = 1/(t^2 + b + 1)

I don't have time to write the rest of the formulas out, but I think that's one inversion that gets you everything you need.

[ebfull]

Oh, we should check assert_eq!(p, G1::one()) since these are well-defined edge cases.

[ebfull]

@bmerge try

[bmerge]

⌛ Trying commit a3bbece with merge d9f9b95...

[bmerge]

☀️ Test successful - pairing-linux32-try, pairing-linux64-try, pairing-windows32msvc-try, pairing-windows64msvc-try
State: approved= try=True

[burdges]

What is the status of this? As written, ff wants to take over much of this, but not sure if that's optimal.

[dignifiedquire]

@ebfull any update on the status of this and the intent of moving forward with it? Looks like I could really use this. Is it only a matter of using this as a baseline and making a PR on ff?

[ebfull]

I'm sorry that I haven't revisited this. This PR was in excellent shape prior to some modifications to master, and we've begun an effort to refactor the implementations which has put this on the sideline. (Zcash itself doesn't need hashing to the curve, but it's an absolute requirement for BLS signatures.)

I will try to revisit this in our new implementation of BLS12-381 which is an ongoing WIP and I'll update this thread with more info as soon as I have it.

[paberr]

While looking for an implementation of BLS signatures using BLS12-381, I stumbled across this PR after reading through the code of the bls crate.

There seems to be some pretty new work by Wahby and Boneh on "Fast and simple constant-time hashing to the BLS12-381 elliptic curve".
Are you already aware of this work and how does their Shallue–van de Woestijne map differ from your adaption?

[mmaker]

hey, yes I'm aware though I still have to look into that - I'm really sorry it's taking me so long.
Anyhoo SWU map aside, I already did some work on the fast cofactor multiplication here #102 which is what Boneh also is suggesting

[tuxxy]

So what's the deal with this being closed? Are there any plans to add hash_to_curve support in this lib?

[str4d]

@tuxxy no; this PR was closed because this crate no longer contains an implementation of BLS12-381. Hash-to-curve would need to be added to the bls12_381 crate instead.