Does MCL supports HashToCurve?

[liuweiran900217]

I notice that MCL supports HashToG operations for bilinear groups. Does MCL supports HashToCurve for normal ellptic curves, e.g., secp256k1? If so, how to do that? Sorry that I do not find such interfaces in the header file.

[herumi]

The naive way to map t to G is as the followings:

// t is a hashed value
void naiveMapTo(Ec& P, const Fp& t)
{
  Fp x = t;
  for (;;) {
    Fp y;
    Ec::getWeierstrass(y, x);
    if (Fp::squareRoot(y, y)) {
      P.set(x, y, false);
      return;
    }
    x += Fp::one();
  }
}

But if you want a way defined in https://tools.ietf.org/id/draft-irtf-cfrg-hash-to-curve-11.txt , I'm sorry that there are no plans to implement it at this time because it is heavy task.

[liuweiran900217]

The naive way to map t to G is as the followings:

// t is a hashed value
void naiveMapTo(Ec& P, const Fp& t)
{
  Fp x = t;
  for (;;) {
    Fp y;
    Ec::getWeierstrass(y, x);
    if (Fp::squareRoot(y, y)) {
      P.set(x, y, false);
      return;
    }
    x += Fp::one();
  }
}

But if you want a way defined in https://tools.ietf.org/id/draft-irtf-cfrg-hash-to-curve-11.txt , I'm sorry that there are no plans to implement it at this time because it is heavy task.

Thank you very much for the kindly reply! I saw the code and found that this is the naive way of implementing HashToCurve, that is, hash the input into the x cord and see if we can find y that follows the elliptic curve equation. I personally implemented HashToCurve using Java under the Bouncy Castle framework, but it is very slow. Look forword to the implementation so that I can design a JNI wrapper for that to be used in my experience.

[herumi]

What language do you want to use mcl with?

[liuweiran900217]

What language do you want to use mcl with?

I am implementing many multi-party computation (MPC) protocols, most of which need efficient ECC operations. For example, the classic Diffie-Hellman based private set intersection protocol need n hash-to-curve operations and 2n ECC multiplication operations, where n stands for the parties' element size.

Directly implementing all operations in C/C++ is OK for the PoC. However, in actual system, we need to make it compatible with our existing communication system that uses Java Netty framework. For this reason, I should use MCL with Java. I use Hex encoding for Ec (in MCL) and ECPoint (in Bouncy Castle) conversions. During the implementation, I found that getStr() in MCL is in the form of "Z X Y" while toString() in Bouncy Castle is in the form of "(X, Y, Z)". I think it is worth sharing to you to may have better compatibility in JNI version of MCL.

[herumi]

Is this what you want?

https://github.com/herumi/mcl/commit/2d2f29abadfeb1310c0bcee7f54647af8b61df23

[liuweiran900217]

Is this what you want?

2d2f29a

Sorry for the late reply. I noticed that there exisits JNI for MCL. However, I don't think it is what I want (not because of the functionality, but of the efficiency). Also, it seems that current MCL does not have mcl::ec::tryAndIncMapTo. I think I will mannually implement naive hashToCurve inspired by your code. Thank you very much!

[herumi]

it seems that current MCL does not have mcl::ec::tryAndIncMapTo. I think I will mannually implement naive hashToCurve inspired by your code.

I implemented it at the dev branch. https://github.com/herumi/mcl/commit/b1f7940bf2f0506ad7d141a1100ce4e932e8145c I think that I'll push it into master if it is okay.

[liuweiran900217]

it seems that current MCL does not have mcl::ec::tryAndIncMapTo. I think I will mannually implement naive hashToCurve inspired by your code.

I implemented it at the dev branch. b1f7940 I think that I'll push it into master if it is okay.

I have tested the code and it runs well. I will close the current Issue. Please feel free to let me know if you plan to implement standard HashToCurve functionality. Thank your again for all your help!