pub fn biased_hash_to_point(bytes: [u8; 32]) -> EdwardsPoint
Monero’s hash_to_ec function.
This achieves parity with https://github.com/monero-project/monero/blob/389e3ba1df4a6df4c8f9d116aa239d4c00f5bc78/src/crypto/crypto.cpp#L611, inlining the ge_fromfe_frombytes_vartime function (https://github.com/monero-project/monero/blob/389e3ba1df4a6df4c8f9d116aa239d4c00f5bc78/src/crypto/crypto-ops.c#L2309). This implementation runs in constant time.
According to the original authors (https://web.archive.org/web/20201028121818/https://cryptonote.org/whitepaper.pdf), this would implement https://arxiv.org/abs/0706.1448. Shen Noether also describes the algorithm (https://web.getmonero.org/resources/research-lab/pubs/ge_fromfe.pdf), yet without reviewing its security and in a very straightforward fashion.
In reality, this implements Elligator 2 as detailed in “Elligator: Elliptic-curve points indistinguishable from uniform random strings” (https://eprint.iacr.org/2013/325). Specifically, Section 5.5 details the application of Elligator 2 to Curve25519, after which the result is mapped to Ed25519.
As this only applies Elligator 2 once, it’s limited to the subset of points for which a certain value derived from their u coordinate (in Montgomery form) is a quadratic residue. It’s biased accordingly.
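An added illustration in Python (not code from this crate, and not bit-for-bit Monero's hash_to_ec, which I assume differs in details such as sign handling and cofactor clearing): the textbook Elligator 2 map of Section 5.5 over Curve25519 with non-square 2, the Montgomery-to-Edwards y map, and the preimage test that characterises the biased subset; all function names are mine.

```python
import random

P = 2**255 - 19                              # field prime of Curve25519 / Ed25519
A = 486662                                   # Montgomery coefficient of Curve25519
D = (-121665 * pow(121666, -1, P)) % P       # Ed25519 constant d
NONSQUARE = 2                                # 2 is a non-residue mod p (p = 5 mod 8)

def chi(a: int) -> int:
    """Legendre symbol mod p: 1 for a non-zero square, -1 for a non-square, 0 for 0."""
    a %= P
    if a == 0:
        return 0
    return 1 if pow(a, (P - 1) // 2, P) == 1 else -1

def elligator2_u(r: int) -> int:
    """Elligator 2 (Section 5.5 of the paper): field element r -> Montgomery u on Curve25519."""
    v = (-A * pow(1 + NONSQUARE * r * r, -1, P)) % P    # 1 + 2r^2 is never 0 mod p
    eps = chi(v**3 + A * v * v + v)                      # is v already a u-coordinate?
    # f(-v-A)/f(v) = 2r^2 is a non-square, so exactly one of v and -v-A is on the curve
    return v if eps == 1 else (-v - A) % P

def montgomery_u_to_edwards_y(u: int) -> int:
    """Birational map to Ed25519: y = (u-1)/(u+1); u = -1 lies on the twist, not on the curve."""
    return (u - 1) * pow(u + 1, -1, P) % P

def y_is_on_ed25519(y: int) -> bool:
    """y has an x on -x^2 + y^2 = 1 + d x^2 y^2 iff (y^2-1)/(d y^2+1) is a square."""
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    return chi(x2) != -1

def u_in_elligator_image(u: int) -> bool:
    """The biased subset: a preimage r exists iff r^2 = -(A+u)/(2u) is a non-zero square.
    Solving v = -A/(1+2r^2) for r with v = u gives exactly this equation (u = 0, -A excluded)."""
    return chi(-(A + u) * pow(2 * u, -1, P)) == 1

def image_fraction(samples: int, seed: int = 7) -> float:
    """Share of random on-curve u that the map can output at all (constructed sample, about 1/2)."""
    rng = random.Random(seed)
    hits = total = 0
    while total < samples:
        u = rng.randrange(1, P)
        if u == (-A) % P or chi(u**3 + A * u * u + u) != 1:
            continue                                     # skip off-curve u and the special u = -A
        total += 1
        hits += u_in_elligator_image(u)
    return hits / total
```

Every output of elligator2_u satisfies u_in_elligator_image, while roughly half of the curve's u-coordinates never do; that missing half is the bias the description refers to.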