cfrg / draft-irtf-cfrg-hash-to-curve

Hashing to Elliptic Curves

python support and minimum working example in python? #348

Closed davejakenic closed 1 year ago

davejakenic commented 1 year ago

Hi,

would you be willing to give assistance in utilizing your module in python?

Particularly, I wish to have a hash function H that maps a byte string to a point on an elliptic curve. A minimum working example in python would be nice.

And the particular curve matters of course, since obviously the hash cannot be linearly dependent on the generator. How about brainpoolP256r1?

Can you give a list of all the curves for which your hash can be used?

Sorry, I am a practitioner. I am sure you wrote wonderful papers.

mratsim commented 1 year ago

The parts that don't involve elliptic curve cryptography are in Python, like https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/blob/main/poc/hash_to_field.py

Those that involve ECC are in SageMath like https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/blob/main/poc/svdw_generic.sage which is basically Python with extras.

For full Python PoC, you need to look into external repos like:

but those need to reimplement field and elliptic curve arithmetic from scratch.

> brainpoolP256r1

I don't think many are interested in that curve but you can always create a suite based on Generic SVDW.

> Can you give a list of all the curves for which your hash can be used?

The generic fallback is SVDW

kwantam commented 1 year ago

Note that brainpoolP256r1 can be used with the optimized SSWU construction, since its j-invariant is nonzero. That would give better performance than SVDW. See section 6.6.2 of the hash-to-curve document for more information on this mapping.

If you're happy using Sage, not just Python, then you can pretty easily implement such a mapping using the OptimizedSSWU implementation in poc/sswu_optimized.sage. That would be as simple as

```python
# parameters for brainpoolP256r1 per https://neuromancer.sk/std/brainpool/brainpoolP256r1
p = 0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377
a = 0x7d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9
b = 0x26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6

F = GF(p)
map = OptimizedSSWU(F, a, b)
```

To turn this into a proper hash-to-curve suite, you can use the BasicH2CSuite implementation in poc/h2c_suite.sage. For examples of use, see poc/suite_p256.sage (and others).

As @mratsim says, if you want to use Python you will first need to implement your curve operations in Python. I'm not sure why you want to use brainpoolP256r1, but in any case I'm not aware of any Python implementations that I can recommend as well tested, etc.

Good luck!

kwantam commented 1 year ago

I'm going to close this issue as answered. Please feel free to reopen if there are other questions we can help with.
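For readers landing on this thread: the step that needs no curve arithmetic, hashing a byte string to field elements modulo the brainpoolP256r1 prime quoted above, fits in plain Python. The block below is an added example, not code from this repository or from any commenter; it follows expand_message_xmd and hash_to_field as specified in the hash-to-curve document, and it assumes SHA-256, a 128-bit security level and a constructed domain separation tag (not a registered suite ID). The result is field elements only; turning them into a curve point still requires the SSWU mapping and curve operations discussed in the comments.

```python
import hashlib

# brainpoolP256r1 field prime, as quoted in the thread above
P = 0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377
K = 128                              # assumed target security level, in bits
L = (P.bit_length() + K + 7) // 8    # bytes per element: ceil((256 + 128) / 8) = 48
# Constructed domain separation tag (assumption): choose one unique to your protocol.
DST = b"EXAMPLE-V01-CS01-with-brainpoolP256r1_XMD:SHA-256_SSWU_RO_"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def expand_message_xmd(msg, dst, len_in_bytes, H=hashlib.sha256):
    """Expand msg into len_in_bytes uniform bytes, bound to the tag dst."""
    b_in_bytes, s_in_bytes = H().digest_size, H().block_size
    ell = -(-len_in_bytes // b_in_bytes)          # ceiling division
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("requested output or DST too long")
    dst_prime = dst + bytes([len(dst)])           # DST || I2OSP(len(DST), 1)
    z_pad = bytes(s_in_bytes)                     # one hash block of zeros
    l_i_b = len_in_bytes.to_bytes(2, "big")
    b_0 = H(z_pad + msg + l_i_b + b"\x00" + dst_prime).digest()
    b_i = H(b_0 + b"\x01" + dst_prime).digest()
    out = b_i
    for i in range(2, ell + 1):
        b_i = H(_xor(b_0, b_i) + bytes([i]) + dst_prime).digest()
        out += b_i
    return out[:len_in_bytes]


def hash_to_field(msg, count, dst=DST, p=P):
    """Return `count` elements of GF(p) (prime field, extension degree 1)."""
    uniform = expand_message_xmd(msg, dst, count * L)
    # Reducing L = 48 bytes mod a 256-bit prime keeps the bias below 2^-128.
    return [int.from_bytes(uniform[i * L:(i + 1) * L], "big") % p
            for i in range(count)]


if __name__ == "__main__":
    for u in hash_to_field(b"abc", 2):
        print(hex(u))
```

Because the requested length is hashed into the first block, `hash_to_field(msg, 1)` is not a prefix of `hash_to_field(msg, 2)`; request all the elements you need in one call.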