ECVRF Auxiliary Functions
In this section, we describe the construction of \(HashToCurve\) and \(HashPoint\) in the Internet-Draft of irtf. More details can be found in irtf-vrf15.
\(\mathsf{EncodeToCurve}(X,pk)\): Given two group elements \(X, pk \in \mathbb{G}\), the function output a hash value in \(\mathbb{Z}_p\) as follows:
-
Let \(ctr=0\).
-
Let \(suite-string\)="0x01".
-
Let \(seperator-front\)="0x01".
-
Let \(seperator-back\)="0x00".
-
Compute \(pkstr=\mathsf{PointToString}(pk)\).
-
Define \(H\) to be "INVALID".
-
While \(H\) is "INVALID" or \(H\) is the identity element of the group:
-
Compute \(ctrstr=\mathsf{IntToString}(ctr)\).
-
Compute \(hstr=\mathsf{keccak}\)\(( suite-string || seperator-front || pkstr || X || ctrstr || seperator-back)\).
-
Compute \(H\)=\(\mathsf{StringToPoint}(hstr)\).
-
Increment \(ctr\) by \(1\).
-
-
Output \(H\).
\(\mathsf{ChallengeGeneration}(P_1,P_2,...,P_n)\): Given n elements in \(\mathbb{G}\), the hash value is computed as follows:
-
Let \(suite-string\)="0x01".
-
Let \(seperator-front\)="0x02".
-
Initialize \(str=suite-string || seperator-front\).
-
For \(i=1,2,...,n\):
- Update \(str= str || \mathsf{PointToString}(P_i)\).
-
Let \(separator-back\)="0x00".
-
Update \(str=str || separator-back\).
-
Update \(str=\mathsf{keccak}(str)\).
-
Compute \(c=\mathsf{StringToInt}(str)\).
-
Output \(c\).
The function \(\mathsf{PointToString}\) converts a point of an elliptic curve to a string. Many programming supports this function. For example, in python, we can use \(str(G)\) to return the string representation of a point\(G\).
The function \(\mathsf{StringToPoint}\) converts a string to a point of an elliptic curve. It is specified in section 2.3.4 of [SECG1].