<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Ah. Also RELIC implements hashing to the curve, but probably not the way you want. For prime-order curves they use hunt-and-peck, which works but isn’t constant time. For Edwards curves they use g^hash, which is going to outright break most protocols that use this primitive. I’m filing a bug against that.</div><div class=""><br class=""></div><div class="">— Mike</div><br class=""><div><blockquote type="cite" class=""><div class="">On Jun 18, 2015, at 11:45 AM, Michael Hamburg <<a href="mailto:mike@shiftleft.org" class="">mike@shiftleft.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi Frank,</div><div class=""><br class=""></div><div class="">My library supports hashing to the curve, as do Snowshoe [*] and Libelligator [+], and not much else that I’m aware of. Especially if you want it to be constant time and/or fast. I’d bet that some of the other fancy libraries like PBC and MIRACL have it though.</div><div class=""><br class=""></div><div class="">I somehow misread your original message as “hashing points”.</div><div class=""><br class=""></div><div class="">Cheers,</div><div class="">— Mike</div><div class=""><br class=""></div><div class="">[*] <a href="https://github.com/catid/snowshoe" class="">https://github.com/catid/snowshoe</a> by Christopher A Taylor</div><div class=""><br class=""></div><div class="">It’s pretty fast and uses a 254-bit field. 
It doesn’t export point operations, but since it’s an Edwards curve it should be reasonably safe to use the internal APIs.</div><div class=""><br class=""></div><div class="">[+] <a href="https://github.com/Yawning/libelligator" class="">https://github.com/Yawning/libelligator</a></div><div class=""><br class=""></div><div class="">I found this by Googling. It looks to be based on Donna.</div><br class=""><div class=""><blockquote type="cite" class=""><div class="">On Jun 18, 2015, at 11:01 AM, Frank Wang <<a href="mailto:frankw@mit.edu" class="">frankw@mit.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi Mike, <div class=""><br class=""></div><div class="">Well, I want a way to translate an n-bit message to a point on the curve. My understanding is that it's easiest to hash it to the curve, but I could just be confused. </div><div class=""><br class=""></div><div class="">Does your library not support hashing to the curve?</div><div class=""><br class=""></div><div class="">Frank</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Thu, Jun 18, 2015 at 1:50 PM, Mike Hamburg <span dir="ltr" class=""><<a href="mailto:mike@shiftleft.org" target="_blank" class="">mike@shiftleft.org</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto" class=""><div class=""><span class=""></span></div><div class=""><div class="">Wait, do you want to hash messages to the curve, or just be able to hash curve points? The former is kind of a niche feature, though you could implement it yourself if the library doesn't support it. <br class=""><br class="">Sent from my phone. 
Please excuse brevity and typos.<div class=""><div class="h5"><div class=""><br class="">On Jun 18, 2015, at 10:38, Frank Wang <<a href="mailto:frankw@mit.edu" target="_blank" class="">frankw@mit.edu</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div class=""><div dir="ltr" class="">Hi Thomas,<div class=""><br class="">Yes. Sorry, my goal right now is that I have a key revocation scheme that I want to implement, involving elliptic curve addition, subtraction, and scalar multiplication (as well as hashing messages to the curve). I would like reasonable performance (so C does seem good) because I'm benchmarking it against AES. However, I'm willing to trade off some performance for ease of use.</div><div class=""><br class=""></div><div class="">TweetNacl seems to be designed primarily for ECDH and EC signatures rather than a general purpose elliptic curve library. I'm exploring alternatives.</div><div class=""><br class=""></div><div class="">Frank</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Thu, Jun 18, 2015 at 1:34 PM, Thomas DuBuisson <span dir="ltr" class=""><<a href="mailto:thomas.dubuisson@gmail.com" target="_blank" class="">thomas.dubuisson@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Frank,<br class="">
A lot of recommendations are pouring in about C and Java libraries, on<br class="">
top of which I'm tempted to recommend my own in Cryptol or one of the<br class="">
Sage versions out there, but none of us have heard about your actual<br class="">
goal and needs. Could you say more about how this code will be used<br class="">
and what you hope to achieve?<br class="">
<span class=""><font color="#888888" class=""><br class="">
Thomas<br class="">
</font></span><span class=""><br class="">
On Wed, Jun 17, 2015 at 2:16 PM, Frank Wang <<a href="mailto:frankw@mit.edu" target="_blank" class="">frankw@mit.edu</a>> wrote:<br class="">
</span><div class=""><div class="">> Hi,<br class="">
><br class="">
> I am working on a research project at MIT, and I need to use elliptic curves<br class="">
> (or a group where DDH is hard, but elliptic curves seem like the best way to<br class="">
> go) to implement a cryptographic scheme. I've been trying to search for<br class="">
> general Curve25519 and Ed25519 libraries where I can just do add and scalar<br class="">
> multiply as well as hash messages to points. The best library I've come<br class="">
> across so far is tweetnacl, which has the add and scalar multiply operation<br class="">
> for Ed25519, but it's a bit difficult to use, and I end up modifying the<br class="">
> library to do subtraction of points.<br class="">
><br class="">
> I have yet to find a good library that allows me to just do operations on<br class="">
> Ed25519 or Curve25519. Does such a library exist? If not, any tips on what I<br class="">
> should do? Should I just use another curve library that is better supported?<br class="">
> If so, any suggestions?<br class="">
><br class="">
> Thanks,<br class="">
> Frank<br class="">
><br class="">
</div></div><div class=""><div class="">> _______________________________________________<br class="">
> Curves mailing list<br class="">
> <a href="mailto:Curves@moderncrypto.org" target="_blank" class="">Curves@moderncrypto.org</a><br class="">
> <a href="https://moderncrypto.org/mailman/listinfo/curves" rel="noreferrer" target="_blank" class="">https://moderncrypto.org/mailman/listinfo/curves</a><br class="">
><br class="">
</div></div></blockquote></div><br class=""></div>
</div></blockquote></div></div></div></div></div></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></div></blockquote></div><br class=""></body></html>