Kirk baird patch 01 #79
Conversation
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
| okm = okm + previous | ||
|
|
||
| # Return first `length` bytes. | ||
| return okm[:length] |
There was a problem hiding this comment.
Since we discard the end of this can we exit early from the loop above once the condition okm >= length is satisfied?
There was a problem hiding this comment.
Yep, though okm >= length after n iterators of the loop.
The loop could be changed to the condition while len(okm) < length
Then we would not have to calculate n. However since it is following RFC5869 and that is the way it's mentioned there I think it'd be better to leave it with n.
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
|
Update: Sorry I've been off this for awhile I've been working on a couple of other things + DevCon but I'll finish implementing it from now. |
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
|
Although this branch should now be usable there are a few things left todo:
Also worth noting that compression/decompression will need to be updated (currently looks like they will be made to match zcash). |
| ISO_3_B = FQ2([1012, 1012]) | ||
| ISO_3_Z = FQ2([1, 1]) | ||
| P_MINUS_9_DIV_16 = 1001205140483106588246484290269935788605945006208159541241399033561623546780709821462541004956387089373434649096260670658193992783731681621012512651314777238193313314641988297376025498093520728838658813979860931248214124593092835 # noqa: E501 | ||
| SQRT_I = 1028732146235106349975324479215795277384839936929757896155643118032610843298655225875571310552543014690878354869257 # noqa: E501 |
There was a problem hiding this comment.
I have some discomfort from having all of these constants floating around. Is there a formal/canonical spec that we can include a link to so that it's easy to reference/cross-check these constants are indeed the values they are supposed to be?
There was a problem hiding this comment.
There are soo many constants! Unfortunately they are necessary for the isogeny mapping.
Most of them come from
BLS General Constants: https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#section-8.7
ISO constants: https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#appendix-C.2
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
|
Update: Version 5 of the hash-to-curve spec is out. I will update the code soon to match the new version. This is expected to be the last breaking change so hopefully won't be too long before we'll be able to merge. |
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
|
I happy for this to be merged now :) Some final notes:
|
| temp2 = temp1 ** 2 * v - u | ||
| if temp2 == FQ2.zero() and not valid_root: | ||
| valid_root = True | ||
| result = temp1 |
There was a problem hiding this comment.
It seems okay to break here.
| result = temp1 | |
| result = temp1 | |
| break |
There was a problem hiding this comment.
This is where I deliberate left it as a constant time implementation.
We could get some speed ups here if we were to remove those checks.
Ethereum does not need constant time hash to curve cause the messages are public so I'm happy to add the break statements in there if you would like?
There was a problem hiding this comment.
Not sure if this instinct is right but maybe lets leave this as constant time since that seems like a safe default.
We can track this in an issue as an option for performance improvements if needed.
There was a problem hiding this comment.
Sure I'll leave it as is and write-up an issue for it now.
Signed-off-by: Kirk Baird <[email protected]>
Co-Authored-By: Chih Cheng Liang <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
Looks good, I'll add all of these! |
* repin flake8, bump tox to >=4.0.0 as that's where whitelist was deprecated, misc updates
What was wrong?
Updating the BLS
hash_to_G2implementation to match the standard and ethereum/consensus-specs#1398How was it fixed?
Implement
hash_to_curvefor G2 which uses Boneh & Wahby method.There are three parts to this:
hash_to_field- convert a message to a point in the finite field.map_to_curve- SWU Map to 3-Isogenous Curve + 3-Isogeny Map to BLs12-318 G2clear_cofactor- ensure that the point is in the correct subfield.Note: This is a Work In Progress PR to show progress and may not always be passing tests.
Cute Animal Picture