ECVRF Auxiliary Functions
In this section, we describe the construction of \(HashToCurve\) and \(HashPoint\) in the Internet-Draft of irtf. More details can be found in irtf-vrf15.
\(\mathsf{EncodeToCurve}(X,pk)\): Given two group elements \(X, pk \in \mathbb{G}\), the function output a hash value in \(\mathbb{Z}_p\) as follow:
-
Let \(ctr=0\)
-
Let \(suite-string\)="0x01"
-
Let \(seperator-front\)="0x01"
-
Let \(seperator-back\)="0x00"
-
Compute \(pkstr=\mathsf{PointToString}(pk)\)
-
Define \(H\) to be "INVALID"
-
While \(H\) is "INVALID" or \(H\) is the identity element of the group:
-
Compute \(ctrstr=\mathsf{IntToString}(ctr)\)
-
Compute \(hstr=\mathsf{keccak}\)\(( suite-string || seperator-front || pkstr || X || ctrstr || seperator-back)\)
-
Compute \(H\)=\(\mathsf{StringToPoint}(hstr)\)
-
Increment \(ctr\) by \(1\)
-
-
Output \(H\).
\(\mathsf{ChallengeGeneration}(P_1,P_2,...,P_n)\): Given n elements in \(\mathbb{G}\), the hash value is computed as follow:
-
Let \(suite-string\)="0x01"
-
Let \(seperator-front\)="0x02"
-
Initialize \(str=suite-string || seperator-front\)
-
For \(i=1,2,...,n\):
- Update \(str= str || \mathsf{PointToString}(P_i)\)
-
Let \(separator-back\)="0x00"
-
Update \(str=str || separator-back\)
-
Update \(str=\mathsf{keccak}(str)\)
-
Compute \(c=\mathsf{StringToInt}(str)\)
-
Output \(c\)
The function \(\mathsf{PointToString}\) converts a point of an elliptic curve to a string. Many programming supports this function. For example, in python, we can use \(str(G)\) to return the string representation of a point\(G\).
The function \(\mathsf{StringToPoint}\) converts a string to a point of an elliptic curve. It is specified in section 2.3.4 of [SECG1]