primeorder: convert hash2curve mapping directly to AffinePoint (#1404)

- Move `hash2curve::osswu` to `primeorder`
- Move `hash2curve::isogeny` to `k256`
- Add `AffineOsswuMap`

Author: daxpedda

.github/workflows/primeorder.yml

@@ -42,6 +42,7 @@ jobs:
           targets: ${{ matrix.target }}
       - run: cargo build --target ${{ matrix.target }} --release --no-default-features
       - run: cargo build --target ${{ matrix.target }} --release --no-default-features --features alloc
+      - run: cargo build --target ${{ matrix.target }} --release --no-default-features --features hash2curve
 
   test:
     runs-on: ubuntu-latest

Cargo.lock

@@ -24,14 +24,10 @@
 
 mod group_digest;
 mod hash2field;
-mod isogeny;
 mod map2curve;
 mod oprf;
-mod osswu;
 
 pub use group_digest::*;
 pub use hash2field::*;
-pub use isogeny::*;
 pub use map2curve::*;
 pub use oprf::*;
-pub use osswu::*;

hash2curve/src/isogeny.rs

@@ -27,6 +27,7 @@ hash2curve = { version = "0.14.0-rc.1", optional = true }
 once_cell = { version = "1.21", optional = true, default-features = false }
 ecdsa-core = { version = "0.17.0-rc.6", package = "ecdsa", optional = true, default-features = false, features = ["der"] }
 hex-literal = { version = "1", optional = true }
+primeorder = { version = "=0.14.0-pre.8", optional = true }
 serdect = { version = "0.4", optional = true, default-features = false }
 sha2 = { version = "0.11.0-rc.2", optional = true, default-features = false }
 signature = { version = "3.0.0-rc.3", optional = true }
@@ -55,7 +56,7 @@ digest = ["ecdsa-core/digest", "ecdsa-core/hazmat"]
 ecdh = ["arithmetic", "elliptic-curve/ecdh"]
 ecdsa = ["arithmetic", "ecdsa-core/signing", "ecdsa-core/verifying", "sha256"]
 expose-field = ["arithmetic"]
-hash2curve = ["arithmetic", "dep:hash2curve"]
+hash2curve = ["arithmetic", "dep:hash2curve", "dep:primeorder", "primeorder/hash2curve"]
 pem = ["ecdsa-core/pem", "elliptic-curve/pem", "pkcs8"]
 pkcs8 = ["ecdsa-core/pkcs8", "elliptic-curve/pkcs8"]
 precomputed-tables = ["arithmetic"]

hash2curve/src/lib.rs

@@ -4,9 +4,8 @@ use elliptic_curve::bigint::{ArrayEncoding, U256};
 use elliptic_curve::consts::{U4, U16, U48};
 use elliptic_curve::ops::Reduce;
 use elliptic_curve::subtle::{Choice, ConditionallySelectable, ConstantTimeEq};
-use hash2curve::{
-    GroupDigest, Isogeny, IsogenyCoefficients, MapToCurve, OsswuMap, OsswuMapParams, Sgn0,
-};
+use hash2curve::{GroupDigest, MapToCurve};
+use primeorder::osswu::{OsswuMap, OsswuMapParams, Sgn0};
 
 use crate::{AffinePoint, ProjectivePoint, Scalar, Secp256k1};
 
@@ -134,7 +133,7 @@ impl MapToCurve for Secp256k1 {
 
     fn map_to_curve(element: FieldElement) -> ProjectivePoint {
         let (rx, ry) = element.osswu();
-        let (qx, qy) = FieldElement::isogeny(rx, ry);
+        let (qx, qy) = isogeny(rx, ry);
 
         AffinePoint {
             x: qx,
@@ -163,96 +162,114 @@ impl Reduce<Array<u8, U48>> for Scalar {
     }
 }
 
-impl Isogeny for FieldElement {
-    type Degree = U4;
-
-    // See section E.1 in
-    // <https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/>
-    const COEFFICIENTS: IsogenyCoefficients<Self> = IsogenyCoefficients {
-        xnum: &[
-            FieldElement::from_bytes_unchecked(&[
-                0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38,
-                0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8d,
-                0xaa, 0xaa, 0xa8, 0xc7,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0x07, 0xd3, 0xd4, 0xc8, 0x0b, 0xc3, 0x21, 0xd5, 0xb9, 0xf3, 0x15, 0xce, 0xa7, 0xfd,
-                0x44, 0xc5, 0xd5, 0x95, 0xd2, 0xfc, 0x0b, 0xf6, 0x3b, 0x92, 0xdf, 0xff, 0x10, 0x44,
-                0xf1, 0x7c, 0x65, 0x81,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0x53, 0x4c, 0x32, 0x8d, 0x23, 0xf2, 0x34, 0xe6, 0xe2, 0xa4, 0x13, 0xde, 0xca, 0x25,
-                0xca, 0xec, 0xe4, 0x50, 0x61, 0x44, 0x03, 0x7c, 0x40, 0x31, 0x4e, 0xcb, 0xd0, 0xb5,
-                0x3d, 0x9d, 0xd2, 0x62,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38,
-                0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8d,
-                0xaa, 0xaa, 0xa8, 0x8c,
-            ]),
-        ],
-        xden: &[
-            FieldElement::from_bytes_unchecked(&[
-                0xd3, 0x57, 0x71, 0x19, 0x3d, 0x94, 0x91, 0x8a, 0x9c, 0xa3, 0x4c, 0xcb, 0xb7, 0xb6,
-                0x40, 0xdd, 0x86, 0xcd, 0x40, 0x95, 0x42, 0xf8, 0x48, 0x7d, 0x9f, 0xe6, 0xb7, 0x45,
-                0x78, 0x1e, 0xb4, 0x9b,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0xed, 0xad, 0xc6, 0xf6, 0x43, 0x83, 0xdc, 0x1d, 0xf7, 0xc4, 0xb2, 0xd5, 0x1b, 0x54,
-                0x22, 0x54, 0x06, 0xd3, 0x6b, 0x64, 0x1f, 0x5e, 0x41, 0xbb, 0xc5, 0x2a, 0x56, 0x61,
-                0x2a, 0x8c, 0x6d, 0x14,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                0x00, 0x00, 0x00, 0x01,
-            ]),
-        ],
-        ynum: &[
-            FieldElement::from_bytes_unchecked(&[
-                0x4b, 0xda, 0x12, 0xf6, 0x84, 0xbd, 0xa1, 0x2f, 0x68, 0x4b, 0xda, 0x12, 0xf6, 0x84,
-                0xbd, 0xa1, 0x2f, 0x68, 0x4b, 0xda, 0x12, 0xf6, 0x84, 0xbd, 0xa1, 0x2f, 0x68, 0x4b,
-                0x8e, 0x38, 0xe2, 0x3c,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0xc7, 0x5e, 0x0c, 0x32, 0xd5, 0xcb, 0x7c, 0x0f, 0xa9, 0xd0, 0xa5, 0x4b, 0x12, 0xa0,
-                0xa6, 0xd5, 0x64, 0x7a, 0xb0, 0x46, 0xd6, 0x86, 0xda, 0x6f, 0xdf, 0xfc, 0x90, 0xfc,
-                0x20, 0x1d, 0x71, 0xa3,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0x29, 0xa6, 0x19, 0x46, 0x91, 0xf9, 0x1a, 0x73, 0x71, 0x52, 0x09, 0xef, 0x65, 0x12,
-                0xe5, 0x76, 0x72, 0x28, 0x30, 0xa2, 0x01, 0xbe, 0x20, 0x18, 0xa7, 0x65, 0xe8, 0x5a,
-                0x9e, 0xce, 0xe9, 0x31,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0x2f, 0x68, 0x4b, 0xda, 0x12, 0xf6, 0x84, 0xbd, 0xa1, 0x2f, 0x68, 0x4b, 0xda, 0x12,
-                0xf6, 0x84, 0xbd, 0xa1, 0x2f, 0x68, 0x4b, 0xda, 0x12, 0xf6, 0x84, 0xbd, 0xa1, 0x2f,
-                0x38, 0xe3, 0x8d, 0x84,
-            ]),
-        ],
-        yden: &[
-            FieldElement::from_bytes_unchecked(&[
-                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
-                0xff, 0xff, 0xf9, 0x3b,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0x7a, 0x06, 0x53, 0x4b, 0xb8, 0xbd, 0xb4, 0x9f, 0xd5, 0xe9, 0xe6, 0x63, 0x27, 0x22,
-                0xc2, 0x98, 0x94, 0x67, 0xc1, 0xbf, 0xc8, 0xe8, 0xd9, 0x78, 0xdf, 0xb4, 0x25, 0xd2,
-                0x68, 0x5c, 0x25, 0x73,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0x64, 0x84, 0xaa, 0x71, 0x65, 0x45, 0xca, 0x2c, 0xf3, 0xa7, 0x0c, 0x3f, 0xa8, 0xfe,
-                0x33, 0x7e, 0x0a, 0x3d, 0x21, 0x16, 0x2f, 0x0d, 0x62, 0x99, 0xa7, 0xbf, 0x81, 0x92,
-                0xbf, 0xd2, 0xa7, 0x6f,
-            ]),
-            FieldElement::from_bytes_unchecked(&[
-                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                0x00, 0x00, 0x00, 0x01,
-            ]),
-        ],
-    };
+// See section E.1 in
+// <https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/>
+fn isogeny(x: FieldElement, y: FieldElement) -> (FieldElement, FieldElement) {
+    const XNUM: [FieldElement; 4] = [
+        FieldElement::from_bytes_unchecked(&[
+            0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38,
+            0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8d,
+            0xaa, 0xaa, 0xa8, 0xc7,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0x07, 0xd3, 0xd4, 0xc8, 0x0b, 0xc3, 0x21, 0xd5, 0xb9, 0xf3, 0x15, 0xce, 0xa7, 0xfd,
+            0x44, 0xc5, 0xd5, 0x95, 0xd2, 0xfc, 0x0b, 0xf6, 0x3b, 0x92, 0xdf, 0xff, 0x10, 0x44,
+            0xf1, 0x7c, 0x65, 0x81,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0x53, 0x4c, 0x32, 0x8d, 0x23, 0xf2, 0x34, 0xe6, 0xe2, 0xa4, 0x13, 0xde, 0xca, 0x25,
+            0xca, 0xec, 0xe4, 0x50, 0x61, 0x44, 0x03, 0x7c, 0x40, 0x31, 0x4e, 0xcb, 0xd0, 0xb5,
+            0x3d, 0x9d, 0xd2, 0x62,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38,
+            0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8e, 0x38, 0xe3, 0x8d,
+            0xaa, 0xaa, 0xa8, 0x8c,
+        ]),
+    ];
+    const XDEN: [FieldElement; 3] = [
+        FieldElement::from_bytes_unchecked(&[
+            0xd3, 0x57, 0x71, 0x19, 0x3d, 0x94, 0x91, 0x8a, 0x9c, 0xa3, 0x4c, 0xcb, 0xb7, 0xb6,
+            0x40, 0xdd, 0x86, 0xcd, 0x40, 0x95, 0x42, 0xf8, 0x48, 0x7d, 0x9f, 0xe6, 0xb7, 0x45,
+            0x78, 0x1e, 0xb4, 0x9b,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0xed, 0xad, 0xc6, 0xf6, 0x43, 0x83, 0xdc, 0x1d, 0xf7, 0xc4, 0xb2, 0xd5, 0x1b, 0x54,
+            0x22, 0x54, 0x06, 0xd3, 0x6b, 0x64, 0x1f, 0x5e, 0x41, 0xbb, 0xc5, 0x2a, 0x56, 0x61,
+            0x2a, 0x8c, 0x6d, 0x14,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x01,
+        ]),
+    ];
+    const YNUM: [FieldElement; 4] = [
+        FieldElement::from_bytes_unchecked(&[
+            0x4b, 0xda, 0x12, 0xf6, 0x84, 0xbd, 0xa1, 0x2f, 0x68, 0x4b, 0xda, 0x12, 0xf6, 0x84,
+            0xbd, 0xa1, 0x2f, 0x68, 0x4b, 0xda, 0x12, 0xf6, 0x84, 0xbd, 0xa1, 0x2f, 0x68, 0x4b,
+            0x8e, 0x38, 0xe2, 0x3c,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0xc7, 0x5e, 0x0c, 0x32, 0xd5, 0xcb, 0x7c, 0x0f, 0xa9, 0xd0, 0xa5, 0x4b, 0x12, 0xa0,
+            0xa6, 0xd5, 0x64, 0x7a, 0xb0, 0x46, 0xd6, 0x86, 0xda, 0x6f, 0xdf, 0xfc, 0x90, 0xfc,
+            0x20, 0x1d, 0x71, 0xa3,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0x29, 0xa6, 0x19, 0x46, 0x91, 0xf9, 0x1a, 0x73, 0x71, 0x52, 0x09, 0xef, 0x65, 0x12,
+            0xe5, 0x76, 0x72, 0x28, 0x30, 0xa2, 0x01, 0xbe, 0x20, 0x18, 0xa7, 0x65, 0xe8, 0x5a,
+            0x9e, 0xce, 0xe9, 0x31,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0x2f, 0x68, 0x4b, 0xda, 0x12, 0xf6, 0x84, 0xbd, 0xa1, 0x2f, 0x68, 0x4b, 0xda, 0x12,
+            0xf6, 0x84, 0xbd, 0xa1, 0x2f, 0x68, 0x4b, 0xda, 0x12, 0xf6, 0x84, 0xbd, 0xa1, 0x2f,
+            0x38, 0xe3, 0x8d, 0x84,
+        ]),
+    ];
+    const YDEN: [FieldElement; 4] = [
+        FieldElement::from_bytes_unchecked(&[
+            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
+            0xff, 0xff, 0xf9, 0x3b,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0x7a, 0x06, 0x53, 0x4b, 0xb8, 0xbd, 0xb4, 0x9f, 0xd5, 0xe9, 0xe6, 0x63, 0x27, 0x22,
+            0xc2, 0x98, 0x94, 0x67, 0xc1, 0xbf, 0xc8, 0xe8, 0xd9, 0x78, 0xdf, 0xb4, 0x25, 0xd2,
+            0x68, 0x5c, 0x25, 0x73,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0x64, 0x84, 0xaa, 0x71, 0x65, 0x45, 0xca, 0x2c, 0xf3, 0xa7, 0x0c, 0x3f, 0xa8, 0xfe,
+            0x33, 0x7e, 0x0a, 0x3d, 0x21, 0x16, 0x2f, 0x0d, 0x62, 0x99, 0xa7, 0xbf, 0x81, 0x92,
+            0xbf, 0xd2, 0xa7, 0x6f,
+        ]),
+        FieldElement::from_bytes_unchecked(&[
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x01,
+        ]),
+    ];
+
+    let mut xs = Array::<FieldElement, U4>::default();
+    xs[0] = FieldElement::ONE;
+    xs[1] = x;
+    xs[2] = x.square();
+    for i in 3..4 {
+        xs[i] = xs[i - 1] * x;
+    }
+    let x_num = compute_iso(&xs, &XNUM);
+    let x_den = compute_iso(&xs, &XDEN).invert().unwrap();
+    let y_num = compute_iso(&xs, &YNUM) * y;
+    let y_den = compute_iso(&xs, &YDEN).invert().unwrap();
+
+    (x_num * x_den, y_num * y_den)
+}
+
+fn compute_iso(xxs: &[FieldElement], k: &[FieldElement]) -> FieldElement {
+    let mut xx = FieldElement::ZERO;
+    for (xi, ki) in xxs.iter().zip(k.iter()) {
+        xx += *xi * ki;
+    }
+    xx
 }
 
 #[cfg(test)]

k256/Cargo.toml

@@ -50,7 +50,7 @@ digest = ["ecdsa-core/digest", "ecdsa-core/hazmat"]
 ecdh = ["arithmetic", "elliptic-curve/ecdh"]
 ecdsa = ["arithmetic", "ecdsa-core/signing", "ecdsa-core/verifying", "sha256"]
 expose-field = ["arithmetic"]
-hash2curve = ["arithmetic", "dep:hash2curve"]
+hash2curve = ["arithmetic", "dep:hash2curve", "primeorder/hash2curve"]
 oprf = ["hash2curve", "sha2"]
 pem = ["elliptic-curve/pem", "ecdsa-core/pem", "pkcs8"]
 pkcs8 = ["ecdsa-core?/pkcs8", "elliptic-curve/pkcs8"]

k256/src/arithmetic/hash2curve.rs

@@ -5,10 +5,10 @@ use elliptic_curve::{
     bigint::{ArrayEncoding, U256},
     consts::{U16, U48},
     ops::Reduce,
-    point::DecompressPoint,
     subtle::Choice,
 };
-use hash2curve::{GroupDigest, MapToCurve, OsswuMap, OsswuMapParams, Sgn0};
+use hash2curve::{GroupDigest, MapToCurve};
+use primeorder::osswu::{AffineOsswuMap, OsswuMap, OsswuMapParams, Sgn0};
 
 impl GroupDigest for NistP256 {
     type SecurityLevel = U16;
@@ -63,12 +63,7 @@ impl MapToCurve for NistP256 {
     type ScalarLength = U48;
 
     fn map_to_curve(element: Self::FieldElement) -> ProjectivePoint {
-        let (qx, qy) = element.osswu();
-
-        // TODO(tarcieri): assert that `qy` is correct? less circuitous conversion?
-        AffinePoint::decompress(&qx.to_bytes(), qy.is_odd())
-            .unwrap()
-            .into()
+        AffinePoint::osswu(&element).into()
     }
 }
 
@@ -101,9 +96,10 @@ mod tests {
         consts::U48,
         sec1::{self, ToEncodedPoint},
     };
-    use hash2curve::{self, ExpandMsgXmd, GroupDigest, MapToCurve, OsswuMap};
+    use hash2curve::{self, ExpandMsgXmd, GroupDigest, MapToCurve};
     use hex_literal::hex;
     use primefield::bigint::Reduce;
+    use primeorder::osswu::OsswuMap;
     use proptest::{num::u64::ANY, prelude::ProptestConfig, proptest};
     use sha2::Sha256;
 

p256/Cargo.toml

@@ -54,7 +54,7 @@ digest = ["ecdsa-core/digest", "ecdsa-core/hazmat"]
 ecdh = ["arithmetic", "elliptic-curve/ecdh"]
 ecdsa = ["arithmetic", "ecdsa-core/signing", "ecdsa-core/verifying", "sha384"]
 expose-field = ["arithmetic"]
-hash2curve = ["arithmetic", "dep:hash2curve"]
+hash2curve = ["arithmetic", "dep:hash2curve", "primeorder/hash2curve"]
 oprf = ["hash2curve", "sha2"]
 pem = ["elliptic-curve/pem", "ecdsa-core/pem", "pkcs8"]
 pkcs8 = ["ecdsa-core/pkcs8", "elliptic-curve/pkcs8"]