herumi / mcl

a portable and fast pairing-based cryptography library
BSD 3-Clause "New" or "Revised" License

mclBnG1_hashAndMapTo produce all zero result under MCL_MAP_TO_MODE_HASH_TO_CURVE #171

Closed levyfan closed 1 year ago

levyfan commented 1 year ago

The following code reproduces an all-zero result for g after calling g.HashAndMapTo:

msg := []byte("hello world")
g := new(mcl.G1)
if err := g.HashAndMapTo(msg); err != nil {
    t.Error(err)
}
fmt.Printf("%x", g.Serialize())

The init is as follows:

mcl.Init(mcl.CurveFp254BNb)
mcl.SetMapToMode(mcl.IRTF)

The reason might be that struct MapTo_WB19::init is not called?

herumi commented 1 year ago

IRTF is only for BLS12-381. It should become an error if the value is set for CurveFp254BNb.

herumi commented 1 year ago

You can use a default HashAndMapTo without SetMapToMode though it may not be what you want.

levyfan commented 1 year ago

Can we also apply simplified SWU for BN curves, as stated in the IRTF draft? https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/

6.6.3.  Simplified SWU for AB == 0

herumi commented 1 year ago

It is necessary to decide on some parameters for the algorithm. I think that only BLS12-381 is standardized. Why do you want to use Fp254BNb?

levyfan commented 1 year ago

We are doing some latency-critical applications and BN254 is much faster than BLS12-381.

herumi commented 1 year ago

The algorithm which is implemented in mcl for BN254 is https://github.com/herumi/mcl/blob/master/include/mcl/bn.hpp#L333-L338 , which is the basis for the IRTF scheme. How about using the hashmap at your own risk though I don't know the safety rating?

herumi commented 1 year ago

I modified setMapToMode to return false for mcl.IRTF when using BN254, at v1.76.
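
A caller-side guard for the failure mode reported in this issue (HashAndMapTo returns no error while the serialized point is all zero), as an added example that is not part of the thread or of mcl. The names `g1Point`, `checkedHashToG1`, `errZeroPoint`, `brokenG1` and `workingG1` are hypothetical; the two stand-in types are constructed so the example runs without the cgo binding.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// g1Point is the subset of G1 methods used in the reproduction above.
type g1Point interface {
	HashAndMapTo(msg []byte) error
	Serialize() []byte
}

var errZeroPoint = errors.New("hash-to-curve returned an all-zero point")

// checkedHashToG1 hashes msg into p and rejects the case from the issue:
// no error from HashAndMapTo, yet every serialized byte is zero.
func checkedHashToG1(p g1Point, msg []byte) ([]byte, error) {
	if err := p.HashAndMapTo(msg); err != nil {
		return nil, fmt.Errorf("HashAndMapTo: %w", err)
	}
	out := p.Serialize()
	if len(out) == 0 || bytes.Equal(out, make([]byte, len(out))) {
		return nil, errZeroPoint
	}
	return out, nil
}

// Constructed stand-ins for mcl.G1 (assumption: same method set).
// brokenG1 mimics the reported behaviour: success status, zero output.
type brokenG1 struct{ buf [32]byte }

func (b *brokenG1) HashAndMapTo([]byte) error { return nil }
func (b *brokenG1) Serialize() []byte         { return b.buf[:] }

// workingG1 stores a non-zero digest of msg; it is not a real curve point.
type workingG1 struct{ buf [32]byte }

func (w *workingG1) HashAndMapTo(m []byte) error { w.buf = sha256.Sum256(m); return nil }
func (w *workingG1) Serialize() []byte           { return w.buf[:] }

func main() {
	msg := []byte("hello world")
	_, err := checkedHashToG1(&brokenG1{}, msg)
	fmt.Println("broken:", err)
	out, err := checkedHashToG1(&workingG1{}, msg)
	fmt.Printf("working: %x %v\n", out, err)
}
```

The reproduction above also calls mcl.SetMapToMode without checking any result; per the last comment, from v1.76 that call reports failure for mcl.IRTF on BN254, so checking it catches the misconfiguration before any hashing happens.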