From f00e8a8292cdfea69f8bdba68883c691fbe2d046 Mon Sep 17 00:00:00 2001
From: Sean Bowe
Date: Mon, 29 Jan 2018 08:56:58 -0700
Subject: [PATCH] Change group_hash to output points in the twisted Edwards form.
---
 src/group_hash.rs | 12 ++++++------
 src/jubjub/mod.rs | 4 +++-
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/group_hash.rs b/src/group_hash.rs
index 2b53972..01824c8 100644
--- a/src/group_hash.rs
+++ b/src/group_hash.rs
@@ -10,7 +10,7 @@ use digest::{FixedOutput, Input};
 pub fn group_hash(
 tag: &[u8],
 params: &E::Params
-) -> Option>
+) -> Option>
 {
 // Check to see that scalar field is 255 bits
 assert!(E::Fr::NUM_BITS == 255);
@@ -25,15 +25,15 @@ pub fn group_hash(
 h[0] &= 0b0111_1111; // unset s from h
 // cast to prime field representation
- let mut x0 = ::Repr::default();
- x0.read_be(&h[..]).expect("hash is sufficiently large");
+ let mut y0 = ::Repr::default();
+ y0.read_be(&h[..]).expect("hash is sufficiently large");
- if let Ok(x0) = E::Fr::from_repr(x0) {
- if let Some(p) = montgomery::Point::::get_for_x(x0, s, params) {
+ if let Ok(y0) = E::Fr::from_repr(y0) {
+ if let Some(p) = edwards::Point::::get_for_y(y0, s, params) {
 // Enter into the prime order subgroup
 let p = p.mul_by_cofactor(params);
- if p != montgomery::Point::zero() {
+ if p != edwards::Point::zero() {
 Some(p)
 } else {
 None
diff --git a/src/jubjub/mod.rs b/src/jubjub/mod.rs
index 34859ce..a74748f 100644
--- a/src/jubjub/mod.rs
+++ b/src/jubjub/mod.rs
@@ -110,10 +110,12 @@ impl JubjubBls12 {
 while pedersen_hash_generators.len() < 10 {
 let gh = group_hash(&[cur], &tmp);
+ // We don't want to overflow and start reusing generators
+ assert!(cur != u8::max_value());
 cur += 1;
 if let Some(gh) = gh {
- pedersen_hash_generators.push(edwards::Point::from_montgomery(&gh, &tmp));
+ pedersen_hash_generators.push(gh);
 }
 }
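Review bot: The `// unset s from h` comment at the top of the second src/group_hash.rs hunk no longer says what `s` selects once the lookup switches from `get_for_x(x0, s, params)` to `get_for_y(y0, s, params)`; presumably the hash's top bit now picks which of the two x-coordinates sharing `y0` is returned, where before it picked the Montgomery y-sign for `x0`, and since that bit is what makes the output a function of the tag it should be stated, e.g. `// unset s from h; s selects which x-coordinate is recovered for y0`. The signature in the first hunk also has no `///` doc comment; it should say that the result is an Edwards point already multiplied by the cofactor into the prime-order subgroup, and that `None` is returned both when the 255-bit hash does not decode as an `E::Fr` element (`from_repr` fails) and when no curve point has that y or the cofactor-cleared point is the identity, so callers must treat `None` as "try another tag" rather than as an error, as the `cur` loop in `JubjubBls12` does. The body of group_hash, including the lines that derive `s` from `h`, continues outside both hunks.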