Implement WB hash2curve for BLS12-377 and BLS12-381 (arkworks-rs#138)

* include the coefficients of bls12-377 G1 and G2 isogenies for wb hash2curve

* replacing the ark-ec dependency to w3f/arkworks-algebra

* added parameters for isogenous curve to bls12-377 g1 curve for swu map

* fix dependency inconsistency problem

* implement WBParams and its isogenous curve for BLS12-377 G1

* implement the SWUParameters for isogenous curve to BLS12-377 g2 curve.

* implement WBParams for BLS12-377 G2 curve

* replacing const generic arrays with const slice in g1 and g2 iso coefficients

* - Implement WB hash to curve for BLS12-381 G1
- Improvement to WB hash to curve code for BLS12-377
- Update sage code for generating isogeny coefficients for arkworks.

* Implement WB hash to curve for BLS12-381 G2

* - fix the bug with base order for field_new for Fq2
- fix the polynomial coeffcient order for bls12-381 g1 and g2 isogenies.
- fix the polynomial coeffcient order for bls12-377 g1.
377-g2 needs to be fixed still.

* fix bls12-377 wb hash to curve isogeny coeffcients

* fixed sage code for generating the isogeny coefficients

* use patch.crates-io hack to resolve dependancy issues on w3f fork

* Rename `Parameters` to `Config` for all fields

* Rename `field_new` to `MontFp`

* Rename `field_new` to `QuadExt` and `CubicExt`

* Refactor bls12_381 crate based on update-ff branch. Close arkworks-rs#9

* adapt bls12 wb hashing to new changes in algebra

* update bls12-381 dependancies and g1, g2 definition to pass tests

* adapt bls12-377 hash to curve to algebar updates

* depend on upstream for pull request

* cargo fmt

* - move the isogeny finder script from sage to script folder
- delete auxiliary isogeny coeff file

* add unit tests for wb hashing to bls12-377 g1 and g2

* - Use IsogenyMap struct to specify WB Isogeny for bls12-381 and bls12-377
- Do not use auxiliary constants to define generators of g2_swu_iso curve.
- Update change log

* Bump the Algebra dependencies of bls12_381 and bls12_377 to 0.4.0-alpha.4 so they could use the IsogenyMap struct.

* Add h2c tests for BLS12-381 curve

* Drop alpha sub-version in dependancies because it takes the lastest sub version

* Parameters → Config for bls12-377/381 curves

* do cargo fmt

* do SwuIsoParameters → SwuIsoConfig for bls12-377/381

* Adapt to new macro

* Fix macro invocation

should be semicolon not comma

* curves master should use algebra/r1cs default branch

* Add h2c test invocation for bls12-377 curve

no actual test vectors yet

* add faster cofactor clearing and tests for g1

* add faster cofactor clearing and tests for g2

parameters of endomorphisms are wrong for now

* add test vectors for bls12-377

* add h_eff to g2 tests for correctness


test

* improve cofactor tests g2

* add a test for psi(psi(P)) == psi2(P)

* fix bls12-377 psi & psi2 computation parameters

* rename const to DOUBLE_P_POWER_ENDOMORPHISM_COEFF_0 and make private

* fix clippy warnings in changed code

* use the same zeta as test suites

* update code comments, make methods private

* update changelog

Co-authored-by: Pratyush Mishra <[email protected]>
Co-authored-by: mmagician <[email protected]>

CHANGELOG.md

@@ -23,6 +23,7 @@
 - [\#103](https://github.com/arkworks-rs/curves/pull/103) Faster cofactor clearing for BLS12-381.
 - [\#107](https://github.com/arkworks-rs/curves/pull/107/) Use 2-NAF of `ATE_LOOP_COUNT` to speed up the Miller loop in MNT curves.
 - [\#141](https://github.com/arkworks-rs/curves/pull/103) Faster cofactor clearing for BLS12-377.
+- [\#138](https://github.com/arkworks-rs/curves/pull/138) Implement WB Hash-to-Curve for bls12-381 and bls12-377
 
 ### Bug fixes
 

bls12_377/Cargo.toml

@@ -24,6 +24,7 @@ ark-serialize = { version = "0.4.0-alpha", default-features = false }
 ark-algebra-test-templates = { version = "0.4.0-alpha", default-features = false }
 ark-algebra-bench-templates = { version = "0.4.0-alpha", default-features = false }
 ark-curve-constraint-tests = { path = "../curve-constraint-tests", default-features = false }
+sha2 = { version = "0.10", default-features = false }
 
 [features]
 default = [ "curve" ]

bls12_377/src/curves/g1.rs

@@ -1,5 +1,7 @@
 use ark_ec::{
+    bls12,
     bls12::Bls12Config,
+    hashing::curve_maps::wb::{IsogenyMap, WBConfig},
     models::{
         short_weierstrass::{Affine as SWAffine, SWCurveConfig},
         twisted_edwards::{
@@ -11,8 +13,12 @@ use ark_ec::{
 use ark_ff::{Field, MontFp, PrimeField, Zero};
 use ark_std::{ops::Neg, One};
 
+use super::g1_swu_iso::{SwuIsoConfig, ISOGENY_MAP_TO_G1};
 use crate::{Fq, Fr};
 
+pub type G1Affine = bls12::G1Affine<crate::Config>;
+pub type G1Projective = bls12::G1Projective<crate::Config>;
+
 #[derive(Clone, Default, PartialEq, Eq)]
 pub struct Config;
 
@@ -175,6 +181,12 @@ pub const G1_GENERATOR_X: Fq = MontFp!("8193799937315096423993825557346594823998
 /// 241266749859715473739788878240585681733927191168601896383759122102112907357779751001206799952863815012735208165030
 pub const G1_GENERATOR_Y: Fq = MontFp!("241266749859715473739788878240585681733927191168601896383759122102112907357779751001206799952863815012735208165030");
 
+impl WBConfig for Config {
+    type IsogenousCurve = SwuIsoConfig;
+
+    const ISOGENY_MAP: IsogenyMap<'static, Self::IsogenousCurve, Self> = ISOGENY_MAP_TO_G1;
+}
+
 // The generator for twisted Edward form is the same SW generator converted into
 // the normalized TE form (TE2).
 //``` sage

bls12_377/src/curves/g1_swu_iso.rs

@@ -0,0 +1,107 @@
+use ark_ec::{
+    hashing::curve_maps::{swu::SWUConfig, wb::IsogenyMap},
+    models::{
+        short_weierstrass::{Affine, SWCurveConfig},
+        CurveConfig,
+    },
+};
+
+use ark_ff::MontFp;
+
+use crate::{g1, Fq, Fr};
+
+type G1Affine = Affine<SwuIsoConfig>;
+
+#[derive(Clone, Default, PartialEq, Eq)]
+pub struct SwuIsoConfig;
+
+impl CurveConfig for SwuIsoConfig {
+    type BaseField = Fq;
+    type ScalarField = Fr;
+
+    /// COFACTOR = (x - 1)^2 / 3  = iso_G1.domain().order() /
+    /// 8444461749428370424248824938781546531375899335154063827935233455917409239041
+    //  30631250834960419227450344600217059328
+    const COFACTOR: &'static [u64] = &[0x0, 0x170b5d4430000000];
+
+    /// COFACTOR_INV = COFACTOR^{-1} mod r
+    /// = 5285428838741532253824584287042945485047145357130994810877
+    const COFACTOR_INV: Fr = MontFp!("5285428838741532253824584287042945485047145357130994810877");
+}
+
+// sage: iso_G1
+// Isogeny of degree 2 from Elliptic Curve defined by y^2 = x^3 +
+// 258664426012969092796408009721202742408018065645352501567204841856062976176281513834280849065051431927238430294002*
+// x + 22 over Finite Field of size
+// 258664426012969094010652733694893533536393512754914660539884262666720468348340822774968888139573360124440321458177
+// to Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size
+// 258664426012969094010652733694893533536393512754914660539884262666720468348340822774968888139573360124440321458177
+
+impl SWCurveConfig for SwuIsoConfig {
+    /// COEFF_A
+    const COEFF_A: Fq = MontFp!("258664426012969092796408009721202742408018065645352501567204841856062976176281513834280849065051431927238430294002");
+
+    /// COEFF_B
+    const COEFF_B: Fq = MontFp!("22");
+
+    /// AFFINE_GENERATOR_COEFFS = (G1_GENERATOR_X, G1_GENERATOR_Y)
+    const GENERATOR: G1Affine = G1Affine::new_unchecked(G1_GENERATOR_X, G1_GENERATOR_Y);
+}
+
+// sage: G1_gen  = iso_G1.domain().random_point()
+// sage: G1_gen = 30631250834960419227450344600217059328* G1_gen
+// sage: G1_gen.order() ==
+// 8444461749428370424248824938781546531375899335154063827935233455917409239041
+// True
+// sage: G1_gen
+// (183898640136580512316530045470998831691790391453237259434516336279447756609241220664846162561503820562316877867830 : 69018534046895515891776145953191511526693172354818719412306559690461416836925400134233128432719372819569406562974 : 1)
+/// G1_GENERATOR_X =
+/// 183898640136580512316530045470998831691790391453237259434516336279447756609241220664846162561503820562316877867830
+pub const G1_GENERATOR_X: Fq = MontFp!("183898640136580512316530045470998831691790391453237259434516336279447756609241220664846162561503820562316877867830");
+
+/// G1_GENERATOR_Y =
+/// 69018534046895515891776145953191511526693172354818719412306559690461416836925400134233128432719372819569406562974
+pub const G1_GENERATOR_Y: Fq = MontFp!("69018534046895515891776145953191511526693172354818719412306559690461416836925400134233128432719372819569406562974");
+
+impl SWUConfig for SwuIsoConfig {
+    const ZETA: Fq = MontFp!("-11"); // arbitatry primitive root of unity (element)
+}
+
+pub const ISOGENY_MAP_TO_G1 : IsogenyMap<'_, SwuIsoConfig, g1::Config, > = IsogenyMap {
+    x_map_numerator : &[
+        MontFp!("193998319509726820447277314072485610595876362210707887456279225959507476652652651634192264150953923683470146535424"), 
+        MontFp!("40474824132456359704279181570318738632422647360355249739068643631356267969150730939906729705473"), 
+        MontFp!("193998319509726820507989550271170150152295134566185995404913197000040351261255617081226666104680020093330241093633"),
+    ],
+
+    x_map_denominator : &[
+        MontFp!("161899296529825438817116726281274954529690589441420998956274574525425071876602923759626918821892"), 
+        MontFp!("1"),
+    ],
+
+    y_map_numerator : &[
+        MontFp!("193998319509726820507989550271170150152295134566185995404913197000040351261255617081226666104680020093330241093631"), 
+        MontFp!("32333053251621136903112182208573040583096119983059602439070460434672245065050016464457115901761911040205276577794"), 
+        MontFp!("129332213006484547066038603046131306324615528732935438218576102373893108782773376834518846023512776472080255287298"), 
+        MontFp!("226331372761347957259321141983031841844344323660550327972398729833380409804798219928097777122126690108885281275905"),
+    ],
+
+    y_map_denominator : &[
+        MontFp!("258664426012969094010652733694893533536393512754914660539884262666720468348340822774968888139573360124440321458169"), 
+        MontFp!("971395779178952632902700357687649727178143536648525993737647447152550431259617542557761512931340"), 
+        MontFp!("485697889589476316451350178843824863589071768324262996868823723576275215629808771278880756465676"), 
+        MontFp!("1"),
+    ],
+};
+
+#[cfg(test)]
+mod test {
+    use super::*;
+
+    #[test]
+    fn test_gen() {
+        let gen: G1Affine = SwuIsoConfig::GENERATOR;
+        assert!(gen.is_on_curve());
+        assert!(gen.is_in_correct_subgroup_assuming_on_curve());
+    }
+}

bls12_377/src/curves/g2.rs

@@ -1,15 +1,22 @@
 use ark_ec::{
+    bls12,
     bls12::Bls12Config,
-    models::{short_weierstrass::SWCurveConfig, CurveConfig},
-    short_weierstrass::{Affine, Projective},
+    hashing::curve_maps::wb::{IsogenyMap, WBConfig},
+    models::CurveConfig,
+    short_weierstrass::{Affine, Projective, SWCurveConfig},
     AffineRepr, CurveGroup, Group,
 };
+
 use ark_ff::{Field, MontFp, Zero};
 use ark_std::ops::Neg;
 
 use crate::*;
 
-pub type G2Affine = Affine<Config>;
+use super::g2_swu_iso::{SwuIsoConfig, ISOGENY_MAP_TO_G2};
+
+pub type G2Affine = bls12::G2Affine<crate::Config>;
+pub type G2Projective = bls12::G2Projective<crate::Config>;
+
 #[derive(Clone, Default, PartialEq, Eq)]
 pub struct Config;
 
@@ -169,6 +176,12 @@ fn double_p_power_endomorphism(p: &Projective<Config>) -> Projective<Config> {
     res
 }
 
+impl WBConfig for Config {
+    type IsogenousCurve = SwuIsoConfig;
+
+    const ISOGENY_MAP: IsogenyMap<'static, Self::IsogenousCurve, Self> = ISOGENY_MAP_TO_G2;
+}
+
 #[cfg(test)]
 mod test {