Add hash2curve to ProjectiveMontgomeryXpoint

daxpedda · daxpedda · commit c819f1ea5fa1 · 2025-09-13T15:27:27.000+02:00
diff --git a/ed448-goldilocks/benches/bench.rs b/ed448-goldilocks/benches/bench.rs
@@ -1,7 +1,7 @@
 use criterion::{BatchSize, Criterion, criterion_group, criterion_main};
 use ed448_goldilocks::{
     Decaf448, DecafPoint, DecafScalar, EdwardsPoint, EdwardsScalar, MontgomeryScalar,
-    MontgomeryXpoint,
+    MontgomeryXpoint, ProjectiveMontgomeryXpoint,
 };
 use elliptic_curve::group::GroupEncoding;
 use elliptic_curve::{Field, Group};
@@ -146,6 +146,18 @@ pub fn x448(c: &mut Criterion) {
         )
     });
 
+    group.bench_function("encode_to_curve", |b| {
+        b.iter_batched(
+            || {
+                let mut msg = [0; 64];
+                OsRng.try_fill_bytes(&mut msg).unwrap();
+                msg
+            },
+            |msg| ProjectiveMontgomeryXpoint::encode_with_defaults(&msg, b"test DST"),
+            BatchSize::SmallInput,
+        )
+    });
+
     group.finish();
 }
 
diff --git a/ed448-goldilocks/src/field/element.rs b/ed448-goldilocks/src/field/element.rs
@@ -467,6 +467,25 @@ impl FieldElement {
         MontgomeryPoint::new(x, y)
     }
 
+    // See https://www.rfc-editor.org/rfc/rfc9380.html#name-curve448-q-3-mod-4-k-1.
+    // Without y-coordinate.
+    pub(crate) fn map_to_curve_elligator2_curve448_x(&self) -> FieldElement {
+        let mut t1 = self.square(); // 1.   t1 = u^2
+        t1 *= Self::Z; // 2.   t1 = Z * t1              // Z * u^2
+        let e1 = t1.ct_eq(&Self::MINUS_ONE); // 3.   e1 = t1 == -1            // exceptional case: Z * u^2 == -1
+        t1.conditional_assign(&Self::ZERO, e1); // 4.   t1 = CMOV(t1, 0, e1)     // if t1 == -1, set t1 = 0
+        let mut x1 = t1 + Self::ONE; // 5.   x1 = t1 + 1
+        x1 = x1.invert(); // 6.   x1 = inv0(x1)
+        x1 *= -Self::J; // 7.   x1 = -A * x1             // x1 = -A / (1 + Z * u^2)
+        let mut gx1 = x1 + Self::J; // 8.  gx1 = x1 + A
+        gx1 *= x1; // 9.  gx1 = gx1 * x1
+        gx1 += Self::ONE; // 10. gx1 = gx1 + B
+        gx1 *= x1; // 11. gx1 = gx1 * x1            // gx1 = x1^3 + A * x1^2 + B * x1
+        let x2 = -x1 - Self::J; // 12.  x2 = -x1 - A
+        let e2 = gx1.is_square(); // 14.  e2 = is_square(gx1)
+        Self::conditional_select(&x2, &x1, e2) // 15.   x = CMOV(x2, x1, e2)    // If is_square(gx1), x = x1, else x = x2
+    }
+
     // See https://www.shiftleft.org/papers/decaf/decaf.pdf#section.A.3.
     // Implementation copied from <https://sourceforge.net/p/ed448goldilocks/code/ci/e5cc6240690d3ffdfcbdb1e4e851954b789cd5d9/tree/src/per_curve/elligator.tmpl.c#l28>.
     pub(crate) fn map_to_curve_decaf448(&self) -> TwistedExtendedPoint {
diff --git a/ed448-goldilocks/src/montgomery/x.rs b/ed448-goldilocks/src/montgomery/x.rs
@@ -1,10 +1,15 @@
 // use crate::constants::A_PLUS_TWO_OVER_FOUR;
 use super::{MontgomeryPoint, MontgomeryScalar, ProjectiveMontgomeryPoint};
-use crate::AffinePoint;
 use crate::field::{ConstMontyType, FieldElement};
+use crate::{AffinePoint, Curve448};
 use core::fmt;
 use core::ops::Mul;
+use elliptic_curve::array::Array;
 use elliptic_curve::bigint::U448;
+use elliptic_curve::consts::{U28, U84};
+use elliptic_curve::ops::Reduce;
+use hash2curve::{ExpandMsg, ExpandMsgXof, ExpandMsgXofError, Expander, MapToCurve};
+use sha3::Shake256;
 use subtle::{Choice, ConditionallyNegatable, ConditionallySelectable, ConstantTimeEq};
 
 impl MontgomeryXpoint {
@@ -290,6 +295,71 @@ impl ProjectiveMontgomeryXpoint {
         Self { U, W }
     }
 
+    /// Hash a message to a point on the curve
+    ///
+    /// Hash using the default `expand_message` and hash function.
+    /// For more control see [`Self::hash()`].
+    pub fn hash_with_defaults(msg: &[u8], dst: &[u8]) -> Result<Self, ExpandMsgXofError> {
+        Self::hash::<ExpandMsgXof<Shake256>>(&[msg], &[dst])
+    }
+
+    /// Hash a message to a point on the curve
+    ///
+    /// Implements hash to curve according
+    /// see <https://datatracker.ietf.org/doc/rfc9380/>
+    pub fn hash<X>(msg: &[&[u8]], dst: &[&[u8]]) -> Result<Self, X::Error>
+    where
+        X: ExpandMsg<U28>,
+    {
+        let mut expander =
+            X::expand_message(msg, dst, (84 * 2).try_into().expect("must not be zero"))?;
+        let mut data = Array::<u8, U84>::default();
+        expander
+            .fill_bytes(&mut data)
+            .expect("`data` must match length");
+        let u0 = FieldElement::reduce(&data);
+        expander
+            .fill_bytes(&mut data)
+            .expect("`data` must match length");
+        let u1 = FieldElement::reduce(&data);
+
+        let q0 = Curve448::map_to_curve(u0);
+        let q1 = Curve448::map_to_curve(u1);
+
+        Ok(Self::from(q0 + q1).double().double())
+    }
+
+    /// Encode a message to a point on the curve
+    ///
+    /// Encode using the default `expand_message` and hash function.
+    /// For more control see [`Self::encode()`].
+    pub fn encode_with_defaults(msg: &[u8], dst: &[u8]) -> Result<Self, ExpandMsgXofError> {
+        Self::encode::<ExpandMsgXof<Shake256>>(&[msg], &[dst])
+    }
+
+    /// Encode a message to a point on the curve
+    ///
+    /// Implements encode to curve according
+    /// see <https://datatracker.ietf.org/doc/rfc9380/>
+    pub fn encode<X>(msg: &[&[u8]], dst: &[&[u8]]) -> Result<Self, X::Error>
+    where
+        X: ExpandMsg<U28>,
+    {
+        let mut expander = X::expand_message(msg, dst, 84.try_into().expect("should never fail"))?;
+        let mut data = Array::<u8, U84>::default();
+        expander
+            .fill_bytes(&mut data)
+            .expect("`data` must match length");
+        let u = FieldElement::reduce(&data);
+
+        Ok(Self {
+            U: u.map_to_curve_elligator2_curve448_x(),
+            W: FieldElement::ONE,
+        }
+        .double()
+        .double())
+    }
+
     /// Convert the point to affine form
     pub fn to_affine(&self) -> MontgomeryXpoint {
         let x = self.U * self.W.invert();
@@ -320,6 +390,8 @@ mod tests {
     use super::*;
     use crate::EdwardsPoint;
     use elliptic_curve::CurveGroup;
+    use hex_literal::hex;
+    use sha3::Shake256;
 
     #[test]
     fn test_montgomery_edwards() {
@@ -351,4 +423,56 @@ mod tests {
 
         assert_eq!(x_identity.to_extended(Choice::from(1)), identity);
     }
+
+    #[test]
+    fn hash_with_test_vectors() {
+        const DST: &[u8] = b"QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_RO_";
+        const MSGS: &[(&[u8], [u8; 56], [u8; 56])] = &[
+            (b"", hex!("5ea5ff623d27c75e73717514134e73e419f831a875ca9e82915fdfc7069d0a9f8b532cfb32b1d8dd04ddeedbe3fa1d0d681c01e825d6a9ea"), hex!("afadd8de789f8f8e3516efbbe313a7eba364c939ecba00dabf4ced5c563b18e70a284c17d8f46b564c4e6ce11784a3825d941116622128c1")),
+            (b"abc", hex!("9b2f7ce34878d7cebf34c582db14958308ea09366d1ec71f646411d3de0ae564d082b06f40cd30dfc08d9fb7cb21df390cf207806ad9d0e4"), hex!("138a0eef0a4993ea696152ed7db61f7ddb4e8100573591e7466d61c0c568ecaec939e36a84d276f34c402526d8989a96e99760c4869ed633")),
+            (b"abcdef0123456789", hex!("f54ecd14b85a50eeeee0618452df3a75be7bfba11da5118774ae4ea55ac204e153f77285d780c4acee6c96abe3577a0c0b00be6e790cf194"), hex!("935247a64bf78c107069943c7e3ecc52acb27ce4a3230407c8357341685ea2152e8c3da93f8cd77da1bddb5bb759c6e7ae7d516dced42850")),
+            (b"q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq", hex!("5bd67c4f88adf6beb10f7e0d0054659776a55c97b809ec8b3101729e104fd0f684e103792f267fd87cc4afc25a073956ef4f268fb02824d5"), hex!("da1f5cb16a352719e4cb064cf47ba72aeba7752d03e8ca2c56229f419b4ef378785a5af1a53dd7ab4d467c1f92f7b139b3752faf29c96432")),
+            (b"a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", hex!("ea441c10b3636ecedd5c0dfcae96384cc40de8390a0ab648765b4508da12c586d55dc981275776507ebca0e4d1bcaa302bb69dcfa31b3451"), hex!("fee0192d49bcc0c28d954763c2cbe739b9265c4bebe3883803c64971220cfda60b9ac99ad986cd908c0534b260b5cfca46f6c2b0f3f21bda")),
+        ];
+
+        for (msg, x, y) in MSGS {
+            let p = ProjectiveMontgomeryXpoint::hash::<ExpandMsgXof<Shake256>>(&[msg], &[DST])
+                .unwrap()
+                .to_affine();
+            let mut xx = [0u8; 56];
+            xx.copy_from_slice(&x[..]);
+            xx.reverse();
+            let mut yy = [0u8; 56];
+            yy.copy_from_slice(&y[..]);
+            yy.reverse();
+            assert_eq!(p.0, xx);
+            assert!(p.y(Choice::from(0)) == yy || p.y(Choice::from(1)) == yy);
+        }
+    }
+
+    #[test]
+    fn encode_with_test_vectors() {
+        const DST: &[u8] = b"QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_NU_";
+        const MSGS: &[(&[u8], [u8; 56], [u8; 56])] = &[
+            (b"", hex!("b65e8dbb279fd656f926f68d463b13ca7a982b32f5da9c7cc58afcf6199e4729863fb75ca9ae3c95c6887d95a5102637a1c5c40ff0aafadc"), hex!("ea1ea211cf29eca11c057fe8248181591a19f6ac51d45843a65d4bb8b71bc83a64c771ed7686218a278ef1c5d620f3d26b53162188645453")),
+            (b"abc", hex!("51aceca4fa95854bbaba58d8a5e17a86c07acadef32e1188cafda26232131800002cc2f27c7aec454e5e0c615bddffb7df6a5f7f0f14793f"), hex!("c590c9246eb28b08dee816d608ef233ea5d76e305dc458774a1e1bd880387e6734219e2018e4aa50a49486dce0ba8740065da37e6cf5212c")),
+            (b"abcdef0123456789", hex!("c6d65987f146b8d0cb5d2c44e1872ac3af1f458f6a8bd8c232ffe8b9d09496229a5a27f350eb7d97305bcc4e0f38328718352e8e3129ed71"), hex!("4d2f901bf333fdc4135b954f20d59207e9f6a4ecf88ce5af11c892b44f79766ec4ecc9f60d669b95ca8940f39b1b7044140ac2040c1bf659")),
+            (b"q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq", hex!("9b8d008863beb4a02fb9e4efefd2eba867307fb1c7ce01746115d32e1db551bb254e8e3e4532d5c74a83949a69a60519ecc9178083cbe943"), hex!("346a1fca454d1e67c628437c270ec0f0c4256bb774fe6c0e49de7004ff6d9199e2cd99d8f7575a96aafc4dc8db1811ba0a44317581f41371")),
+            (b"a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", hex!("8746dc34799112d1f20acda9d7f722c9abb29b1fb6b7e9e566983843c20bd7c9bfad21b45c5166b808d2f5d44e188f1fdaf29cdee8a72e4c"), hex!("7c1293484c9287c298a1a0600c64347eee8530acf563cd8705e05728274d8cd8101835f8003b6f3b78b5beb28f5be188a3d7bce1ec5a36b1")),
+        ];
+
+        for (msg, x, y) in MSGS {
+            let p = ProjectiveMontgomeryXpoint::encode::<ExpandMsgXof<Shake256>>(&[msg], &[DST])
+                .unwrap()
+                .to_affine();
+            let mut xx = [0u8; 56];
+            xx.copy_from_slice(&x[..]);
+            xx.reverse();
+            let mut yy = [0u8; 56];
+            yy.copy_from_slice(&y[..]);
+            yy.reverse();
+            assert_eq!(p.0, xx);
+            assert!(p.y(Choice::from(0)) == yy || p.y(Choice::from(1)) == yy);
+        }
+    }
 }
