Add hash to scalar primitive

Author: survived

docs/hash_to_scalar.md

@@ -0,0 +1,11 @@
+Hashes the input and outputs scalar
+
+Input can be any structured data that implements [`Digestable`](udigest::Digestable)
+trait (see [udigest] crate).
+
+## How it works
+It works by instantiating [`HashRng`](rand_hash::HashRng) CSPRNG seeded from provided data.
+Then it's used to derive the scalar.
+
+## Security considerations
+It's not constant time. It doesn't follow any existing standards for hash to scalar primitive.

generic-ec-zkp/Cargo.toml

@@ -13,7 +13,7 @@ keywords = ["elliptic-curves", "zk-proof"]
 
 [dependencies]
 generic-ec = { version = "0.3", path = "../generic-ec", default-features = false }
-udigest = { version = "0.1", features = ["derive"], optional = true }
+udigest = { version = "0.2.0-rc1", features = ["derive"], optional = true }
 
 subtle = { version = "2.4", default-features = false }
 rand_core = { version = "0.6", default-features = false }

generic-ec/Cargo.toml

@@ -15,7 +15,7 @@ keywords = ["elliptic-curves"]
 [dependencies]
 generic-ec-core = { version = "0.2", path = "../generic-ec-core" }
 generic-ec-curves = { version = "0.2", path = "../generic-ec-curves", optional = true }
-udigest = { version = "0.1", features = ["derive"], optional = true }
+udigest = { version = "0.2.0-rc1", features = ["derive"], optional = true }
 
 subtle = { version = "2.4", default-features = false }
 rand_core = { version = "0.6", default-features = false }
@@ -27,13 +27,17 @@ hex = { version = "0.4", default-features = false, optional = true }
 
 phantom-type = { version = "0.4", default-features = false }
 
+digest = { version = "0.10", default-features = false, optional = true }
+rand_hash = { git = "https://github.com/dfns/rand_hash", branch = "first-version", optional = true }
+
 # We use this dependency when both `curve-ed25519` and `alloc` features are enabled,
 # to provide `generic_ec::multiscalar::Dalek`
 curve25519-dalek = { version = "4", default-features = false, optional = true }
 
 [dev-dependencies]
 rand = "0.8"
 rand_dev = "0.1"
+sha2 = "0.10"
 serde_json = "1"
 serde_test = "1"
 
@@ -53,6 +57,8 @@ curve-stark = ["curves", "generic-ec-curves/stark"]
 curve-ed25519 = ["curves", "generic-ec-curves/ed25519", "curve25519-dalek"]
 all-curves = ["curve-secp256k1", "curve-secp256r1", "curve-stark", "curve-ed25519"]
 
+hash-to-scalar = ["dep:rand_hash", "dep:digest", "udigest"]
+
 [package.metadata.docs.rs]
 all-features = true
 rustdoc-args = ["--cfg", "docsrs", "--html-in-header", "katex-header.html"]

generic-ec/docs

@@ -0,0 +1 @@
+../docs

generic-ec/src/non_zero/mod.rs

@@ -61,6 +61,34 @@ impl<E: Curve> NonZero<Scalar<E>> {
         }
     }
 
+    #[doc = include_str!("../../docs/hash_to_scalar.md")]
+    ///
+    /// ## Example
+    /// ```rust
+    /// use generic_ec::{Scalar, NonZero, curves::Secp256k1};
+    /// use sha2::Sha256;
+    ///
+    /// #[derive(udigest::Digestable)]
+    /// struct Data<'a> {
+    ///     nonce: &'a [u8],
+    ///     param_a: &'a str,
+    ///     param_b: u128,
+    ///     // ...
+    /// }
+    ///
+    /// let scalar = NonZero::<Scalar<Secp256k1>>::from_hash::<Sha256>(&Data {
+    ///     nonce: b"some data",
+    ///     param_a: "some other data",
+    ///     param_b: 12345,
+    ///     // ...
+    /// });
+    /// ```
+    #[cfg(feature = "hash-to-scalar")]
+    pub fn from_hash<D: digest::Digest>(data: &impl udigest::Digestable) -> Self {
+        let mut rng = rand_hash::HashRng::<D, _>::from_seed(data);
+        Self::random(&mut rng)
+    }
+
     /// Constructs $S = 1$
     pub fn one() -> Self {
         // Correctness: constructed scalar = 1, so it's non-zero

generic-ec/src/scalar.rs

@@ -170,6 +170,34 @@ impl<E: Curve> Scalar<E> {
         NonZero::<Scalar<E>>::random(rng).into()
     }
 
+    #[doc = include_str!("../docs/hash_to_scalar.md")]
+    ///
+    /// ## Example
+    /// ```rust
+    /// use generic_ec::{Scalar, curves::Secp256k1};
+    /// use sha2::Sha256;
+    ///
+    /// #[derive(udigest::Digestable)]
+    /// struct Data<'a> {
+    ///     nonce: &'a [u8],
+    ///     param_a: &'a str,
+    ///     param_b: u128,
+    ///     // ...
+    /// }
+    ///
+    /// let scalar = Scalar::<Secp256k1>::from_hash::<Sha256>(&Data {
+    ///     nonce: b"some data",
+    ///     param_a: "some other data",
+    ///     param_b: 12345,
+    ///     // ...
+    /// });
+    /// ```
+    #[cfg(feature = "hash-to-scalar")]
+    pub fn from_hash<D: digest::Digest>(data: &impl udigest::Digestable) -> Self {
+        let mut rng = rand_hash::HashRng::<D, _>::from_seed(data);
+        Self::random(&mut rng)
+    }
+
     /// Returns size of bytes buffer that can fit serialized scalar
     pub fn serialized_len() -> usize {
         E::ScalarArray::zeroes().as_ref().len()

generic-ec/src/secret_scalar/mod.rs

@@ -33,6 +33,34 @@ impl<E: Curve> SecretScalar<E> {
         Self::new(&mut scalar)
     }
 
+    #[doc = include_str!("../../docs/hash_to_scalar.md")]
+    ///
+    /// ## Example
+    /// ```rust
+    /// use generic_ec::{SecretScalar, curves::Secp256k1};
+    /// use sha2::Sha256;
+    ///
+    /// #[derive(udigest::Digestable)]
+    /// struct Data<'a> {
+    ///     nonce: &'a [u8],
+    ///     param_a: &'a str,
+    ///     param_b: u128,
+    ///     // ...
+    /// }
+    ///
+    /// let scalar = SecretScalar::<Secp256k1>::from_hash::<Sha256>(&Data {
+    ///     nonce: b"some data",
+    ///     param_a: "some other data",
+    ///     param_b: 12345,
+    ///     // ...
+    /// });
+    /// ```
+    #[cfg(feature = "hash-to-scalar")]
+    pub fn from_hash<D: digest::Digest>(data: &impl udigest::Digestable) -> Self {
+        let mut rng = rand_hash::HashRng::<D, _>::from_seed(data);
+        Self::random(&mut rng)
+    }
+
     /// Decodes scalar from its bytes representation in big-endian order
     pub fn from_be_bytes(bytes: &[u8]) -> Result<Self, InvalidScalar> {
         let mut scalar = Scalar::from_be_bytes(bytes)?;