monero_generators/
hash_to_point.rs

1use subtle::ConditionallySelectable;
2
3use curve25519_dalek::edwards::{CompressedEdwardsY, EdwardsPoint};
4
5use group::ff::{Field, PrimeField};
6use dalek_ff_group::FieldElement;
7
8use monero_io::decompress_point;
9
10use crate::keccak256;
11
12/// Monero's `hash_to_ec` function.
13pub fn hash_to_point(bytes: [u8; 32]) -> EdwardsPoint {
14  #[allow(non_snake_case)]
15  let A = FieldElement::from(486662u64);
16
17  let v = FieldElement::from_square(keccak256(&bytes)).double();
18  let w = v + FieldElement::ONE;
19  let x = w.square() + (-A.square() * v);
20
21  // This isn't the complete X, yet its initial value
22  // We don't calculate the full X, and instead solely calculate Y, letting dalek reconstruct X
23  // While inefficient, it solves API boundaries and reduces the amount of work done here
24  #[allow(non_snake_case)]
25  let X = {
26    let u = w;
27    let v = x;
28    let v3 = v * v * v;
29    let uv3 = u * v3;
30    let v7 = v3 * v3 * v;
31    let uv7 = u * v7;
32    uv3 * uv7.pow((-FieldElement::from(5u8)) * FieldElement::from(8u8).invert().unwrap())
33  };
34  let x = X.square() * x;
35
36  let y = w - x;
37  let non_zero_0 = !y.is_zero();
38  let y_if_non_zero_0 = w + x;
39  let sign = non_zero_0 & (!y_if_non_zero_0.is_zero());
40
41  let mut z = -A;
42  z *= FieldElement::conditional_select(&v, &FieldElement::from(1u8), sign);
43  #[allow(non_snake_case)]
44  let Z = z + w;
45  #[allow(non_snake_case)]
46  let mut Y = z - w;
47
48  Y *= Z.invert().unwrap();
49  let mut bytes = Y.to_repr();
50  bytes[31] |= sign.unwrap_u8() << 7;
51
52  decompress_point(CompressedEdwardsY(bytes)).unwrap().mul_by_cofactor()
53}
monero_generators/hash_to_point.rs

monero_generators/
hash_to_point.rs
