Hash-to-curve should probably be unconstrained? #37

Open
@iAmMichaelConnor

Description

The hash-to-curve impl is a potential footgun:

  • In unconstrained-land, it iterates until it finds a point on the curve.
  • In constrained-land, it is given a hint of data from the successful iteration, and that hint is then constrained to derive the result.

But it is not constraining that the hint is the first: i.e. it's not constraining that the result of hash-to-curve is actually the first successful iteration. This means that hash-to-curve is not constrained to be deterministic; it can give different results for the same input, depending on what the hint is.

This is why people gravitate towards constant-time hash-to-curve algorithms in constrained-land.

cc @kashbrti am I correct?

```rust
pub fn hash_to_curve<Fq, let SeedBytes: u32>(seed: [u8; SeedBytes], a: Fq, b: Fq) -> (Fq, Fq)
```
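As an added illustration (not code from this issue or from the library), a toy try-and-increment hash-to-curve in Python over a constructed small curve: `verify_weak` is the check the issue describes (hint yields a curve point, any successful iteration accepted), and `verify_strict` adds the missing constraint that every earlier candidate is off the curve, so only the first success is accepted. Curve parameters, the seed/counter hashing and all function names are assumptions for the example.

```python
import hashlib
from typing import Optional, Tuple

# Constructed toy curve y^2 = x^3 + A*x + B over F_P, with P ≡ 3 (mod 4) so a
# square root is one exponentiation. Not a real curve; for illustration only.
P, A, B = 103, 2, 3
MAX_ITERS = 256  # every loop is bounded; a circuit would have a fixed bound anyway

def candidate_x(seed: bytes, i: int) -> int:
    """Map (seed, counter) to the i-th try-and-increment x candidate."""
    digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % P

def rhs(x: int) -> int:
    return (pow(x, 3, P) + A * x + B) % P

def is_square(n: int) -> bool:
    # Euler's criterion; 0 counts as a square (y = 0 is on the curve).
    return n == 0 or pow(n, (P - 1) // 2, P) == 1

def verify_weak(seed: bytes, hint: int) -> Optional[Tuple[int, int]]:
    """'Constrained' reconstruction as the issue describes it: only checks that
    the hinted candidate is on the curve, so ANY successful iteration passes."""
    x = candidate_x(seed, hint)
    r = rhs(x)
    if not is_square(r):
        return None  # the constraint "hint yields a curve point" fails
    return (x, pow(r, (P + 1) // 4, P))

def verify_strict(seed: bytes, hint: int) -> Optional[Tuple[int, int]]:
    """Additionally constrains that every earlier candidate was NOT on the
    curve, so the only accepted hint is the first successful iteration."""
    for j in range(hint):
        if is_square(rhs(candidate_x(seed, j))):
            return None  # an earlier iteration already succeeded
    return verify_weak(seed, hint)

def successful_hints(seed: bytes, count: int) -> list:
    """Unconstrained search: the first `count` counters that land on the curve."""
    found = []
    for i in range(MAX_ITERS):
        if is_square(rhs(candidate_x(seed, i))):
            found.append(i)
            if len(found) == count:
                break
    return found

SEED = b"constructed example seed"  # constructed sample input
```

Running `successful_hints(SEED, 2)` gives two counters; `verify_weak` returns a different point for each, while `verify_strict` accepts only the first.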
