dalek-cryptography / curve25519-dalek

A pure-Rust implementation of group operations on Ristretto and Curve25519

Consider adding a method "from_uniform_bytes" to EdwardsPoint #188

Closed omershlo closed 5 years ago

omershlo commented 6 years ago

I want to implement a Pedersen Commitment based on curve25519. For Ristretto I can use from_uniform_bytes for the blinding factor base point (like you do in bulletproof) but I can't find such an option for EdwardsPoint. Is there a way to create such blind points for EdwardsPoint? If currently there is none I would suggest a from_bytes method for CompressedEdwardsY followed by a call to decompress to test if the point is valid and return Result<EdwardsPoint, Error>. This is similar to what you can find for secp256k1 (https://docs.rs/secp256k1/0.9.2/secp256k1/key/struct.PublicKey.html#method.from_slice).

Thanks for the great work!

tarcieri commented 6 years ago

Note that there are several hash-to-curve methods which are potentially applicable to EdwardsPoints, some of which are covered in draft-irtf-cfrg-vrf and draft-sullivan-hash-to-curve:

https://tools.ietf.org/html/draft-irtf-cfrg-vrf-02#section-5.4.1 https://tools.ietf.org/html/draft-sullivan-hash-to-curve-00

draft-irtf-cfrg-vrf covers the method you describe in section 5.4.1.1, ECVRF_hash_to_curve_try_and_increment; however, it also raises the question of whether methods that can run in constant time should be preferred, some of which are covered in draft-sullivan-hash-to-curve.

hdevalence commented 6 years ago

As @tarcieri mentioned, there are lots of different ways to use Elligator for Curve25519. I think @isislovecruft went through a bunch of existing implementations last year and found that they were basically all inconsistent, but I'm not totally clear on the details since it wasn't work I did.

We might consider adding a builtin EdwardsPoint::from_uniform_bytes later, but for now I think we would encourage people to use Ristretto instead. The reason is that in most of the applications where you would want to get a random point, you are probably doing something (like a Pedersen commitment) that should really be implemented using a prime-order group like Ristretto.
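As an added illustration (not code from curve25519-dalek or from anyone in this thread) of the from_bytes-then-decompress idea proposed above and of the prime-order point in the previous comment: a pure-Python sketch of a simplified try-and-increment hash to an Edwards point, plus a subgroup check. It assumes the Ed25519 parameters from RFC 8032; the hash-to-curve loop is not constant time and its output may carry a small-order component, which is what a prime-order group like Ristretto avoids.

```python
import hashlib
P = 2**255 - 19  # Ed25519 parameters, RFC 8032 (constructed example, not dalek code)
D = (-121665 * pow(121666, -1, P)) % P
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime subgroup
SQRT_M1 = pow(2, (P - 1) // 4, P)                    # sqrt(-1) mod P
IDENTITY = (0, 1)

def decompress(b):
    """CompressedEdwardsY bytes -> affine (x, y), or None if not a point (RFC 8032 5.1.3)."""
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P:
        return None
    w = (y * y - 1) * pow(D * y * y + 1, -1, P) % P  # x^2 = (y^2 - 1) / (d*y^2 + 1)
    x = pow(w, (P + 3) // 8, P)
    if x * x % P != w:
        x = x * SQRT_M1 % P
    if x * x % P != w or (x == 0 and sign):
        return None                                  # no square root: not on the curve
    return (P - x if (x & 1) != sign else x, y)

def compress(pt):
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def add(p1, p2):
    """Complete affine addition on -x^2 + y^2 = 1 + d*x^2*y^2."""
    (x1, y1), (x2, y2) = p1, p2
    k = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + k) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - k) % P, -1, P) % P)

def mul(k, pt):
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def is_prime_order(pt):
    """True iff pt lies in the order-L subgroup (no small-order component)."""
    return mul(L, pt) == IDENTITY

def hash_to_edwards_try_and_increment(msg):
    """Simplified try-and-increment (not the VRF draft's exact construction)."""
    ctr = 0
    while True:  # hash with a counter, reinterpret as CompressedEdwardsY, retry on failure
        pt = decompress(hashlib.sha512(msg + ctr.to_bytes(4, "little")).digest()[:32])
        if pt is not None:
            return pt, ctr  # ctr varies per input: the loop is not constant time
        ctr += 1
```

Note that 32 zero bytes decompress to a valid point of order 4, so a hashed-then-decompressed point must still be multiplied by the cofactor (or checked with is_prime_order) before it is safe to use as a Pedersen base.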

omershlo commented 6 years ago

@hdevalence, @tarcieri, thanks for the answers. The conclusion in @hdevalence's comment is true: I should restrict Pedersen commitments to prime-order groups. Would love to get @isislovecruft's insights on her research though.

hdevalence commented 5 years ago

Closing this ticket since we'd prefer that people use Ristretto.