Ah. Also RELIC implements hashing to the curve, but probably not the way you want. For prime-order curves they use hunt-and-pack, which works but isn’t constant time. For Edwards curves they use g^hash, which is going to outright break most protocols that use this primitive. I’m filing a bug against that.
— Mike

> On Jun 18, 2015, at 11:45 AM, Michael Hamburg <[email protected]> wrote:
>
> Hi Frank,
>
> My library supports hashing to the curve, as do Snowshoe [*] and Libelligator
> [+], and not much else that I’m aware of. Especially if you want it to be
> constant time and/or fast. I’d bet that some of the other fancy libraries
> like PBC and MIRACL have it though.
>
> I somehow misread your original message as “hashing points”.
>
> Cheers,
> — Mike
>
> [*] https://github.com/catid/snowshoe by Christopher A Taylor
>
> It’s pretty fast and uses a 254-bit field. It doesn’t export point
> operations, but since it’s an Edwards curve it should be reasonably safe to
> use the internal APIs.
>
> [+] https://github.com/Yawning/libelligator
>
> I found this by Googling. It looks to be based on Donna.
>
>> On Jun 18, 2015, at 11:01 AM, Frank Wang <[email protected]> wrote:
>>
>> Hi Mike,
>>
>> Well, I want a way to translate an n-bit message to a point on the curve. My
>> understanding is that it's easiest to hash it to the curve, but I could just
>> be confused.
>>
>> Does your library not support hashing to the curve?
>>
>> Frank
>>
>> On Thu, Jun 18, 2015 at 1:50 PM, Mike Hamburg <[email protected]> wrote:
>> Wait, do you want to hash messages to the curve, or just be able to hash
>> curve points? The former is kind of a niche feature, though you could
>> implement it yourself if the library doesn't support it.
>>
>> Sent from my phone. Please excuse brevity and typos.
>>
>> On Jun 18, 2015, at 10:38, Frank Wang <[email protected]> wrote:
>>
>>> Hi Thomas,
>>>
>>> Yes. Sorry, my goal right now is that I have a key revocation scheme that I
>>> want to implement, involving elliptic curve addition, subtraction, and
>>> scalar multiplication (as well as hashing messages to the curve). I would
>>> like reasonable performance (so C does seem good) because I'm benchmarking
>>> it against AES. However, I'm willing to trade off some performance for ease
>>> of use.
>>>
>>> TweetNacl seems to be designed primarily for ECDH and EC signatures rather
>>> than a general purpose elliptic curve library. I'm exploring alternatives.
>>>
>>> Frank
>>>
>>> On Thu, Jun 18, 2015 at 1:34 PM, Thomas DuBuisson <[email protected]> wrote:
>>> Frank,
>>> A lot of recommendations are pouring in about C and Java libraries, on
>>> top of which I'm tempted to recommend my own in Cryptol or one of the
>>> Sage versions out there, but none of us have heard about your actual
>>> goal and needs. Could you say more about how this code will be used
>>> and what you hope to achieve?
>>>
>>> Thomas
>>>
>>> On Wed, Jun 17, 2015 at 2:16 PM, Frank Wang <[email protected]> wrote:
>>> > Hi,
>>> >
>>> > I am working on a research project at MIT, and I need to use elliptic curves
>>> > (or a group where DDH is hard, but elliptic curves seem like the best way to
>>> > go) to implement a cryptographic scheme. I've been trying to search for
>>> > general Curve25519 and Ed25519 libraries where I can just do add and scalar
>>> > multiply as well as hash messages to points. The best library I've come
>>> > across so far is tweetnacl, which has the add and scalar multiply operation
>>> > for Ed25519, but it's a bit difficult to use, and I end up modifying the
>>> > library to do subtraction of points.
>>> >
>>> > I have yet to find a good library that allows me to just do operations on
>>> > Ed25519 or Curve25519. Does such a library exist? If not, any tips on what I
>>> > should do? Should I just use another curve library that is better supported?
>>> > If so, any suggestions?
>>> >
>>> > Thanks,
>>> > Frank
_______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
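As an added illustration of the two approaches Mike contrasts above (this is not code from RELIC, his library, or any other project in the thread): a try-and-increment hash-to-curve on the prime-order curve secp256k1, beside the "g^hash" shortcut. The curve parameters are the standard ones and the input message is constructed. Try-and-increment yields a point whose discrete log nobody knows, but the number of attempts depends on the message, so it is not constant time; the shortcut is constant time but returns h*G with h computable by anyone, which is exactly what breaks protocols that rely on the hashed point having an unknown discrete log.

```python
import hashlib

# Real parameters: secp256k1 has prime order and p = 3 (mod 4), so sqrt is one exponentiation.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + 7)) % P == 0

def add(p1, p2):
    """Affine addition on y^2 = x^3 + 7; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    r = None                                            # plain double-and-add
    while k:
        if k & 1: r = add(r, pt)
        pt = add(pt, pt); k >>= 1
    return r

def hash_to_curve_try_increment(msg: bytes):
    """Try-and-increment: hash msg||counter to an x, keep the first x whose RHS is a square.
    Returns (point, attempts); attempts vary with msg, so the loop leaks via timing."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(msg + bytes([ctr])).digest(), "big") % P
        rhs = (x ** 3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)                   # candidate sqrt, valid only if rhs is a QR
        if y * y % P == rhs:
            return (x, y), ctr + 1
    raise ValueError("no point found")

def hash_to_curve_scalar_mult(msg: bytes):
    """'g^hash': the point H(msg)*G. Constant time, but the scalar h is public knowledge,
    so the returned point has a known discrete log (returned here to make that explicit)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    return mul(h, G), h
```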
