feat: bn254 maptocurve

CHANGELOG.md

@@ -2,10 +2,10 @@
 
 ## Pending
 
-
 - [\#971](https://github.com/arkworks-rs/algebra/pull/971) (`ark-ff`) Make serial_batch_inversion_and_mul public.
 - Consolidated logic into `bitreverse_permutation_in_place` and made it public.
 - Remove redundant type constraints from `Pairing::G1Prepared`.
+- SVDW map-to-curve for Bn254
 - (`ark-serialize`) Add serde-compatible wrapper types `CompressedChecked<T>`, `CompressedUnchecked<T>`, `UncompressedChecked<T>`, `UncompressedUnchecked<T>`.
 
 ### Breaking changes

curves/Cargo.toml

@@ -80,6 +80,8 @@ ark-std = { version = "0.5.0", default-features = false }
 ark-r1cs-std = { version = "0.5.0", default-features = false }
 ark-relations = {version = "0.5.0", default-features = false }
 
+sha2 = { version = "0.10" }
+
 [profile.release]
 opt-level = 3
 lto = "thin"

curves/bn254/Cargo.toml

@@ -24,6 +24,7 @@ ark-algebra-test-templates = { workspace = true }
 ark-algebra-bench-templates = { workspace = true }
 ark-curve-constraint-tests = { path = "../curve-constraint-tests" }
 ark-relations = { workspace = true }
+sha2 = { workspace = true }
 
 [features]
 default = [ "curve" ]

curves/bn254/src/curves/g1.rs

@@ -1,5 +1,6 @@
 use ark_ec::{
     bn,
+    hashing::curve_maps::svdw::SVDWConfig,
     models::{short_weierstrass::SWCurveConfig, CurveConfig},
     scalar_mul::glv::GLVConfig,
     short_weierstrass::{Affine, Projective},
@@ -55,6 +56,19 @@ impl SWCurveConfig for Config {
     }
 }
 
+impl SVDWConfig for Config {
+    const ZETA: Self::BaseField =
+        MontFp!("6350874878119819312338956282401532409788428879151445726012394534686998597021");
+    const C1: Self::BaseField =
+        MontFp!("3515256640640002027109419384348854550457404359307959241360540244102768179501");
+    const C2: Self::BaseField =
+        MontFp!("7768683996859727954953724731427871339453941139073188968338321679979113805781");
+    const C3: Self::BaseField =
+        MontFp!("5174556184976127869173189452163337195348491024958816448391141365979064675186");
+    const C4: Self::BaseField =
+        MontFp!("2609072103093089037936242735953952295622231240021995565748958972744717830193");
+}
+
 impl GLVConfig for Config {
     const ENDO_COEFFS: &'static [Self::BaseField] = &[MontFp!(
         "21888242871839275220042445260109153167277707414472061641714758635765020556616"

curves/bn254/src/curves/g2.rs

@@ -1,5 +1,6 @@
 use ark_ec::AffineRepr;
 use ark_ec::{
+    hashing::curve_maps::svdw::SVDWConfig,
     models::{short_weierstrass::SWCurveConfig, CurveConfig},
     scalar_mul::glv::GLVConfig,
     short_weierstrass::{Affine, Projective},
@@ -62,6 +63,26 @@ impl SWCurveConfig for Config {
     }
 }
 
+impl SVDWConfig for Config {
+    const ZETA: Self::BaseField = Fq2::new(Fq::ZERO, Fq::ONE);
+    const C1: Self::BaseField = Fq2::new(
+        MontFp!("19485874751759354771024239261021720505790618469301721065564631296452457478373"),
+        MontFp!("266929791119991161246907387137283842545076965332900288569378510910307636689"),
+    );
+    const C2: Self::BaseField = Fq2::new(
+        Fq::ZERO,
+        MontFp!("10944121435919637611123202872628637544348155578648911831344518947322613104291"),
+    );
+    const C3: Self::BaseField = Fq2::new(
+        MontFp!("8270257801618377462829664163334948115088143961679076698731296916415895764198"),
+        MontFp!("15403170217607925661891511707918230497750592932893890913125906786266381721360"),
+    );
+    const C4: Self::BaseField = Fq2::new(
+        MontFp!("18685085378399381287283517099609868978155387573303020199856495763721534568303"),
+        MontFp!("355906388159988214995876516183045123393435953777200384759171347880410182252"),
+    );
+}
+
 impl GLVConfig for Config {
     const ENDO_COEFFS: &'static [Self::BaseField] = &[Fq2::new(
         MontFp!("21888242871839275220042445260109153167277707414472061641714758635765020556616"),

curves/bn254/src/curves/tests.rs

@@ -1,5 +1,15 @@
 use ark_algebra_test_templates::*;
+use ark_ec::{
+    hashing::{
+        curve_maps::svdw::{SVDWConfig, SVDWMap},
+        map_to_curve_hasher::MapToCurveBasedHasher,
+        HashToCurve,
+    },
+    short_weierstrass::Projective,
+};
+use ark_ff::field_hashers::DefaultFieldHasher;
 use ark_ff::fields::Field;
+use ark_std::Zero;
 
 use crate::{Bn254, G1Projective, G2Projective};
 
@@ -9,3 +19,37 @@ test_group!(pairing_output; ark_ec::pairing::PairingOutput<Bn254>; msm);
 test_pairing!(pairing; crate::Bn254);
 test_group!(g1_glv; G1Projective; glv);
 test_group!(g2_glv; G2Projective; glv);
+
+/// make a simple hash
+fn svdw_hash_arbitrary_string_to_curve<SVDWCurve: SVDWConfig>() {
+    use sha2::Sha256;
+    let test_svdw_to_curve_hasher = MapToCurveBasedHasher::<
+        Projective<SVDWCurve>,
+        DefaultFieldHasher<Sha256, 128>,
+        SVDWMap<SVDWCurve>,
+    >::new(&[1])
+    .unwrap();
+
+    let hash_result = test_svdw_to_curve_hasher.hash(b"if you stick a Babel fish in your ear you can instantly understand anything said to you in any form of language.").expect("fail to hash the string to curve");
+
+    assert!(
+        hash_result.x != SVDWCurve::BaseField::zero()
+            && hash_result.y != SVDWCurve::BaseField::zero(),
+        "we assume that not both a and b coefficienst are zero for the test curve"
+    );
+
+    assert!(
+        hash_result.is_on_curve(),
+        "hash results into a point off the curve"
+    );
+}
+
+#[test]
+fn svdw_hash_arbitrary_string_to_g1() {
+    svdw_hash_arbitrary_string_to_curve::<crate::g1::Config>();
+}
+
+#[test]
+fn svdw_hash_arbitrary_string_to_g2() {
+    svdw_hash_arbitrary_string_to_curve::<crate::g2::Config>();
+}

ec/src/hashing/curve_maps/curve_map_parameter_helper.sage

@@ -37,3 +37,31 @@ def find_z_ell2(F):
                 continue
             return Z_cand
         ctr += 1
+
+# Arguments:
+# - F, a field object, e.g., F = GF(2^521 - 1)
+# - A and B, the coefficients of the curve y^2 = x^3 + A * x + B
+def find_z_svdw(F, A, B, init_ctr=1):
+    g = lambda x: F(x)^3 + F(A) * F(x) + F(B)
+    h = lambda Z: -(F(3) * Z^2 + F(4) * A) / (F(4) * g(Z))
+    # NOTE: if init_ctr=1 fails to find Z, try setting it to F.gen()
+    ctr = init_ctr
+    while True:
+        for Z_cand in (F(ctr), F(-ctr)):
+            # Criterion 1:
+            #   g(Z) != 0 in F.
+            if g(Z_cand) == F(0):
+                continue
+            # Criterion 2:
+            #   -(3 * Z^2 + 4 * A) / (4 * g(Z)) != 0 in F.
+            if h(Z_cand) == F(0):
+                continue
+            # Criterion 3:
+            #   -(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F.
+            if not is_square(h(Z_cand)):
+                continue
+            # Criterion 4:
+            #   At least one of g(Z) and g(-Z / 2) is square in F.
+            if is_square(g(Z_cand)) or is_square(g(-Z_cand / F(2))):
+                return Z_cand
+        ctr += 1

ec/src/hashing/curve_maps/mod.rs

@@ -1,5 +1,6 @@
 use ark_ff::{BigInteger, Field, PrimeField, Zero};
 pub mod elligator2;
+pub mod svdw;
 pub mod swu;
 pub mod wb;