Closed omershlo closed 5 years ago
Note that there are several hash-to-curve methods which are potentially applicable to EdwardsPoints, some of which are covered in draft-irtf-cfrg-vrf and draft-sullivan-hash-to-curve:
https://tools.ietf.org/html/draft-irtf-cfrg-vrf-02#section-5.4.1
https://tools.ietf.org/html/draft-sullivan-hash-to-curve-00

draft-irtf-cfrg-vrf covers the method you describe in section 5.4.1.1: ECVRF_hash_to_curve_try_and_increment. However, it also raises the question of whether methods that can run in constant time should be preferred, some of which are covered in draft-sullivan-hash-to-curve.
As @tarcieri mentioned, there's lots of different ways to use Elligator for Curve25519. I think @isislovecruft went through a bunch of existing implementations last year and found that they were basically all inconsistent, but I'm not totally clear on the details since it wasn't work I did.
We might consider adding a builtin EdwardsPoint::from_uniform_bytes later, but for now I think we would encourage people to use Ristretto instead. The reason is that in most of the applications where you would want to get a random point, you are probably doing something (like a Pedersen commitment) that should really be implemented using a prime-order group like Ristretto.
@hdevalence, @tarcieri thanks for the answers. The conclusion in @hdevalence's comment is true: I should restrict Pedersen commitments to prime-order groups. Would love to get @isislovecruft's insights on her research though.
Closing this ticket since we'd prefer that people use Ristretto.
I want to implement a Pedersen Commitment based on curve25519. For Ristretto I can use from_uniform_bytes for the blinding factor base point (like you do in bulletproof) but I can't find such an option for EdwardsPoint. Is there a way to create such blind points for EdwardsPoint? If currently there is none I would suggest a from_bytes method for CompressedEdwardsY followed by a call to decompress to test if the point is valid and return Result<EdwardsPoint, Error>. This is similar to what you can find for secp256k1 (https://docs.rs/secp256k1/0.9.2/secp256k1/key/struct.PublicKey.html#method.from_slice). Thanks for the great work!
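The following pure-Python sketch is an added illustration of two points raised in this thread, not code from curve25519-dalek or from any participant: the try-and-increment hash-to-curve method referenced from draft-irtf-cfrg-vrf, and why the second base point H of a Pedersen commitment should live in the prime-order subgroup. It is not a conformant implementation of the draft: the "tai-example|" domain label, the "pedersen-H" input and the SHA-512 truncation are constructed stand-ins for the suite string, public key encoding and string_to_point rules the draft specifies.

```python
import hashlib
# Ed25519 constants (RFC 8032): field prime, curve d, sqrt(-1), prime subgroup order.
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)
L = 2**252 + 27742317777372353535851937790883648493

def decompress(b: bytes):
    # Decode a compressed Edwards y (RFC 8032 5.1.3); None if the bytes are not a point.
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x = u * pow(v, 3, P) * pow(u * pow(v, 7, P), (P - 5) // 8, P) % P
    if (v * x * x + u) % P == 0:  # candidate squared to -u/v: fix with sqrt(-1)
        x = x * SQRT_M1 % P
    if y >= P or (v * x * x - u) % P or (x == 0 and sign):
        return None  # non-canonical y, u/v a non-square (about half of all y), or bad sign
    return ((P - x) if (x & 1) != sign else x, y)

def add(p, q):
    # Affine twisted Edwards addition (a = -1); the law is complete, so add(p, p) doubles.
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P, (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k: int, p):
    # Double-and-add scalar multiplication (variable time; for illustration only).
    r = (0, 1)  # neutral element
    for bit in bin(k)[2:]:
        r = add(r, r)
        if bit == "1":
            r = add(r, p)
    return r

def hash_to_curve_tai(alpha: bytes):
    # Try-and-increment: hash alpha with a counter until the digest decodes as a point, then
    # multiply by the cofactor 8 so the result lies in the prime-order subgroup. The attempt
    # count is returned to make the input-dependent running time visible.
    for ctr in range(256):
        digest = hashlib.sha512(b"tai-example|" + alpha + bytes([ctr])).digest()
        pt = decompress(digest[:32])
        if pt is not None:
            return mul(8, pt), ctr + 1
    raise ValueError("no point found")

G = decompress((4 * pow(5, -1, P) % P).to_bytes(32, "little"))  # standard base point, y = 4/5
H, ATTEMPTS = hash_to_curve_tai(b"pedersen-H")  # constructed label for the second base point

def commit(value: int, blinding: int):
    # Pedersen commitment value*G + blinding*H; nobody knows log_G(H), so the blinding hides value.
    return add(mul(value % L, G), mul(blinding % L, H))
```

mul(L, H) returns the neutral element (0, 1), confirming H is in the prime-order subgroup, whereas the all-zero encoding decompresses to a valid order-4 point that a plain decompress-and-check API would accept; that gap is what the Ristretto recommendation above avoids.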