-
Notifications
You must be signed in to change notification settings - Fork 283
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implementation of new (draft) hash-to-G2 #898
Conversation
1b5fdda
to
598dc8a
Compare
a4e9cb1
to
9229da0
Compare
1694bf9
to
ea6ed07
Compare
abc1358
to
273265e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work is done here! 👍
It might worth to decompose Helper
class to increase readability. For instance, HKDF
primitives could be extracted and raising to a power of (P ^ 2 - 9) / 16
could, also, be placed separately.
273265e
to
97c7c4a
Compare
Have re-organised things a little after @mkalinin's comment. There is now an |
87bfbf5
to
c64b028
Compare
Nice, clean, with lots of comments. LGTM. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM :D
* purposes of hashing to G2 within Ethereum I believe that this is of no consequence, since all the | ||
* input information is publicly known. | ||
*/ | ||
public class hashToCurve { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
public class hashToCurve { | |
public class HashToCurve { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
JacobianPoint p = iso3(q0.add(q1)); | ||
|
||
if (!onCurveG2(p)) { | ||
throw new RuntimeException("hashToCurve failed for unknown reasons."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a sanity-check type exception - i.e. we don't expect this to ever get thrown? If so, might be worth adding a comment or updating the message to indicate there's a bug.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
assert onCurveG2(p)
, probably?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, making it an assert is perfect. It's an expensive check that we expect never to fail, so better to avoid it if we can. If it does fail then there's a bug.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍
3fa7149
to
670b282
Compare
Spotless is terrible at handling structured commenting. For this reason we have changed from trailing comments to separate line comments, and we use C-style /* ... */ in order to keep Spotless from mangling things further.
Using field points (FP types) rather than BIGs means that Montgomery reduction is used for the modulo operation which leads to a significant speedup.
670b282
to
b5d256d
Compare
PR Description
This is a Java implementation of the new IETF (draft) standard hash-to-curve method for Ethereum 2.0. The underlying library is Milagro AMCL 1.4, though there is lots that I ended up adding to this.
References:
This code is based on the reference implementations in Python and C, and test vectors are taken from there. My implementation is not constant-time, but that should not be a problem for Eth2 use cases (all hashed messages are public information).
Status
A complete implementation of the new hash-to-curve standard as of 31/12/2019
Performance
(Based on an outdated version)
On my Linux VM
Here's a flame graph (it's interactive - click on the bars to zoom in). I'm struggling to see much room for further improvement.
TODO
Nothing more here. Note that a wider BLS refactor is underway: #1080