1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105
mod expander;
use crate::{Field, PrimeField};
use ark_std::vec::Vec;
use digest::DynDigest;
use expander::Expander;
use self::expander::ExpanderXmd;
/// Trait for hashing messages to field elements.
pub trait HashToField<F: Field>: Sized {
/// Initialises a new hash-to-field helper struct.
///
/// # Arguments
///
/// * `domain` - bytes that get concatenated with the `msg` during hashing, in order to separate potentially interfering instantiations of the hasher.
fn new(domain: &[u8]) -> Self;
/// Hash an arbitrary `msg` to #`count` elements from field `F`.
fn hash_to_field(&self, msg: &[u8], count: usize) -> Vec<F>;
}
/// This field hasher constructs a Hash-To-Field based on a fixed-output hash function,
/// like SHA2, SHA3 or Blake2.
/// The implementation aims to follow the specification in [Hashing to Elliptic Curves (draft)](https://tools.ietf.org/pdf/draft-irtf-cfrg-hash-to-curve-13.pdf).
///
/// # Examples
///
/// ```
/// use ark_ff::fields::field_hashers::{DefaultFieldHasher, HashToField};
/// use ark_test_curves::bls12_381::Fq;
/// use sha2::Sha256;
///
/// let hasher = <DefaultFieldHasher<Sha256> as HashToField<Fq>>::new(&[1, 2, 3]);
/// let field_elements: Vec<Fq> = hasher.hash_to_field(b"Hello, World!", 2);
///
/// assert_eq!(field_elements.len(), 2);
/// ```
pub struct DefaultFieldHasher<H: Default + DynDigest + Clone, const SEC_PARAM: usize = 128> {
expander: ExpanderXmd<H>,
len_per_base_elem: usize,
}
impl<F: Field, H: Default + DynDigest + Clone, const SEC_PARAM: usize> HashToField<F>
for DefaultFieldHasher<H, SEC_PARAM>
{
fn new(dst: &[u8]) -> Self {
// The final output of `hash_to_field` will be an array of field
// elements from F::BaseField, each of size `len_per_elem`.
let len_per_base_elem = get_len_per_elem::<F, SEC_PARAM>();
let expander = ExpanderXmd {
hasher: H::default(),
dst: dst.to_vec(),
block_size: len_per_base_elem,
};
DefaultFieldHasher {
expander,
len_per_base_elem,
}
}
fn hash_to_field(&self, message: &[u8], count: usize) -> Vec<F> {
let m = F::extension_degree() as usize;
// The user imposes a `count` of elements of F_p^m to output per input msg,
// each field element comprising `m` BasePrimeField elements.
let len_in_bytes = count * m * self.len_per_base_elem;
let uniform_bytes = self.expander.expand(message, len_in_bytes);
let mut output = Vec::with_capacity(count);
let mut base_prime_field_elems = Vec::with_capacity(m);
for i in 0..count {
base_prime_field_elems.clear();
for j in 0..m {
let elm_offset = self.len_per_base_elem * (j + i * m);
let val = F::BasePrimeField::from_be_bytes_mod_order(
&uniform_bytes[elm_offset..][..self.len_per_base_elem],
);
base_prime_field_elems.push(val);
}
let f = F::from_base_prime_field_elems(&base_prime_field_elems).unwrap();
output.push(f);
}
output
}
}
/// This function computes the length in bytes that a hash function should output
/// for hashing an element of type `Field`.
/// See section 5.1 and 5.3 of the
/// [IETF hash standardization draft](https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/14/)
fn get_len_per_elem<F: Field, const SEC_PARAM: usize>() -> usize {
// ceil(log(p))
let base_field_size_in_bits = F::BasePrimeField::MODULUS_BIT_SIZE as usize;
// ceil(log(p)) + security_parameter
let base_field_size_with_security_padding_in_bits = base_field_size_in_bits + SEC_PARAM;
// ceil( (ceil(log(p)) + security_parameter) / 8)
let bytes_per_base_field_elem =
((base_field_size_with_security_padding_in_bits + 7) / 8) as u64;
bytes_per_base_field_elem as usize
}