crypto: add FCMP++ generators T, U, & V

jeffro256 · jeffro256 · commit 0d711b54c364 · 2025-11-22T10:20:13.000-06:00
Source in FCMP++ repo: https://github.com/monero-oxide/monero-oxide/blob/c1ed999f2c5f0064356cefb3b9116baa970f4165/monero-oxide/generators/src/lib.rs#L55-L65
diff --git a/src/crypto/crypto.cpp b/src/crypto/crypto.cpp
@@ -42,6 +42,7 @@
 #include "warnings.h"
 #include "crypto.h"
 #include "hash.h"
+#include "blake2b.h"
 
 #include "cryptonote_config.h"
 
@@ -608,7 +609,7 @@ namespace crypto {
     return sc_isnonzero(&c2) == 0;
   }
 
-  static void hash_to_ec(const public_key &key, ge_p3 &res) {
+  static void biased_hash_to_ec(const public_key &key, ge_p3 &res) {
     hash h;
     ge_p2 point;
     ge_p1p1 point2;
@@ -618,6 +619,39 @@ namespace crypto {
     ge_p1p1_to_p3(&res, &point2);
   }
 
+  void crypto_ops::unbiased_hash_to_ec(const unsigned char *preimage, const size_t length, ec_point &res) {
+    uint8_t hash[64];
+    blake2b(std::addressof(hash), 64, preimage, length, NULL, 0);
+
+    ge_p2 first;
+    ge_fromfe_frombytes_vartime(&first, reinterpret_cast<const unsigned char *>(&hash));
+    ge_p1p1 first_p1p1;
+    ge_mul8(&first_p1p1, &first);
+    ge_p3 first_p3;
+    ge_p1p1_to_p3(&first_p3, &first_p1p1);
+
+    ge_p2 second;
+    ge_fromfe_frombytes_vartime(&second, reinterpret_cast<const unsigned char *>(&hash) + 32);
+    ge_p1p1 second_p1p1;
+    ge_mul8(&second_p1p1, &second);
+    ge_p3 second_p3;
+    ge_p1p1_to_p3(&second_p3, &second_p1p1);
+    ge_cached second_cached;
+    ge_p3_to_cached(&second_cached, &second_p3);
+
+    ge_p1p1 point;
+    ge_add(&point, &first_p3, &second_cached);
+
+    ge_p3 res_ge_p3;
+    ge_p1p1_to_p3(&res_ge_p3, &point);
+    ge_p3_tobytes(&res, &res_ge_p3);
+  }
+
+  // TODO @jeffro256
+  static void hash_to_ec(const public_key &key, ge_p3 &res) {
+    return biased_hash_to_ec(key, res);
+  }
+
   void crypto_ops::generate_key_image(const public_key &pub, const secret_key &sec, key_image &image) {
     ge_p3 point;
     ge_p2 point2;
diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
@@ -141,6 +141,8 @@ namespace crypto {
       const public_key *const *, std::size_t, const signature *);
     static void derive_view_tag(const key_derivation &, std::size_t, view_tag &);
     friend void derive_view_tag(const key_derivation &, std::size_t, view_tag &);
+    static void unbiased_hash_to_ec(const unsigned char *, const size_t, ec_point &);
+    friend void unbiased_hash_to_ec(const unsigned char *, const size_t, ec_point &);
   };
 
   void generate_random_bytes_thread_safe(size_t N, uint8_t *bytes);
@@ -297,6 +299,10 @@ namespace crypto {
     crypto_ops::derive_view_tag(derivation, output_index, vt);
   }
 
+  inline void unbiased_hash_to_ec(const unsigned char *preimage, const size_t length, ec_point &res) {
+    crypto_ops::unbiased_hash_to_ec(preimage, length, res);
+  }
+
   inline std::ostream &operator <<(std::ostream &o, const crypto::public_key &v) {
     epee::to_hex::formatted(o, epee::as_byte_span(v)); return o;
   }
diff --git a/src/crypto/generators.cpp b/src/crypto/generators.cpp
@@ -39,6 +39,7 @@ extern "C"
 #include <cstddef>
 #include <cstdint>
 #include <mutex>
+#include <string_view>
 
 namespace crypto
 {
@@ -68,14 +69,36 @@ constexpr public_key G = bytes_to<public_key>({ 0x58, 0x66, 0x66, 0x66, 0x66, 0x
 //pedersen commitment generator H: toPoint(cn_fast_hash(G))
 constexpr public_key H = bytes_to<public_key>({ 0x8b, 0x65, 0x59, 0x70, 0x15, 0x37, 0x99, 0xaf, 0x2a, 0xea, 0xdc, 0x9f, 0xf1,
     0xad, 0xd0, 0xea, 0x6c, 0x72, 0x51, 0xd5, 0x41, 0x54, 0xcf, 0xa9, 0x2c, 0x17, 0x3a, 0x0d, 0xd3, 0x9c, 0x1f, 0x94 });
+//FCMP++ generator T: unbiased_hash_to_ec(keccak("Monero Generator T"))
+constexpr public_key T = bytes_to<public_key>({ 97, 183, 54, 206, 147, 182, 42, 61, 55, 120, 171, 32, 77, 168, 93, 59, 76,
+  220, 7, 37, 15, 93, 167, 227, 223, 38, 41, 146, 129, 52, 213, 38 });
+//FCMP++ generator U: unbiased_hash_to_ec(keccak("Monero FCMP++ Generator U"))
+constexpr public_key U = bytes_to<public_key>({ 80, 107, 35, 246, 214, 229, 48, 153, 122, 188, 172, 198, 253, 52, 119, 52,
+  177, 76, 43, 215, 155, 234, 0, 238, 176, 72, 87, 232, 234, 221, 26, 138 });
+//FCMP++ generator V: unbiased_hash_to_ec(keccak("Monero FCMP++ Generator V"))
+constexpr public_key V = bytes_to<public_key>({ 105, 53, 244, 19, 248, 49, 9, 19, 138, 122, 20, 180, 9, 85, 45, 59, 118,
+  216, 143, 202, 129, 187, 89, 39, 233, 161, 225, 48, 205, 254, 41, 249 });
 static ge_p3 G_p3;
 static ge_p3 H_p3;
+static ge_p3 T_p3;
+static ge_p3 U_p3;
+static ge_p3 V_p3;
 static ge_cached G_cached;
 static ge_cached H_cached;
+static ge_cached T_cached;
+static ge_cached U_cached;
+static ge_cached V_cached;
 
 // misc
 static std::once_flag init_gens_once_flag;
 
+//-------------------------------------------------------------------------------------------------------------------
+// hash-to-point: H_p(x) = unbiased_hash_to_ec(x)
+//-------------------------------------------------------------------------------------------------------------------
+static void hash_to_point(const crypto::hash &x, crypto::ec_point &point_out)
+{
+    unbiased_hash_to_ec((const unsigned char*)x.data, sizeof(crypto::hash), point_out);
+}
 //-------------------------------------------------------------------------------------------------------------------
 //-------------------------------------------------------------------------------------------------------------------
 static public_key reproduce_generator_G()
@@ -120,6 +143,39 @@ static public_key reproduce_generator_H()
     return reproduced_H;
 }
 //-------------------------------------------------------------------------------------------------------------------
+//-------------------------------------------------------------------------------------------------------------------
+static public_key reproduce_generator_T()
+{
+    // T = H_p(keccak("Monero Generator T"))
+    const std::string_view T_seed{"Monero Generator T"};
+    public_key reproduced_T;
+    hash_to_point(cn_fast_hash(T_seed.data(), T_seed.size()), reproduced_T);
+
+    return reproduced_T;
+}
+//-------------------------------------------------------------------------------------------------------------------
+//-------------------------------------------------------------------------------------------------------------------
+static public_key reproduce_generator_U()
+{
+    // U = H_p(keccak("Monero FCMP++ Generator U"))
+    const std::string_view U_seed{"Monero FCMP++ Generator U"};
+    public_key reproduced_U;
+    hash_to_point(cn_fast_hash(U_seed.data(), U_seed.size()), reproduced_U);
+
+    return reproduced_U;
+}
+//-------------------------------------------------------------------------------------------------------------------
+//-------------------------------------------------------------------------------------------------------------------
+static public_key reproduce_generator_V()
+{
+    // V = H_p(keccak("Monero FCMP++ Generator V"))
+    const std::string_view V_seed{"Monero FCMP++ Generator V"};
+    public_key reproduced_V;
+    hash_to_point(cn_fast_hash(V_seed.data(), V_seed.size()), reproduced_V);
+
+    return reproduced_V;
+}
+//-------------------------------------------------------------------------------------------------------------------
 // Make generators, but only once
 //-------------------------------------------------------------------------------------------------------------------
 static void init_gens()
@@ -130,21 +186,36 @@ static void init_gens()
         // sanity check the generators
         static_assert(static_cast<unsigned char>(G.data[0]) == 0x58, "compile-time constant sanity check");
         static_assert(static_cast<unsigned char>(H.data[0]) == 0x8b, "compile-time constant sanity check");
+        static_assert(static_cast<unsigned char>(T.data[0]) == 97, "compile-time constant sanity check");
+        static_assert(static_cast<unsigned char>(U.data[0]) == 80, "compile-time constant sanity check");
+        static_assert(static_cast<unsigned char>(V.data[0]) == 105, "compile-time constant sanity check");
 
         // build ge_p3 representations of generators
         const int G_deserialize = ge_frombytes_vartime(&G_p3, to_bytes(G));
         const int H_deserialize = ge_frombytes_vartime(&H_p3, to_bytes(H));
+        const int T_deserialize = ge_frombytes_vartime(&T_p3, to_bytes(T));
+        const int U_deserialize = ge_frombytes_vartime(&U_p3, to_bytes(U));
+        const int V_deserialize = ge_frombytes_vartime(&V_p3, to_bytes(V));
 
         (void)G_deserialize; assert(G_deserialize == 0);
         (void)H_deserialize; assert(H_deserialize == 0);
+        (void)T_deserialize; assert(T_deserialize == 0);
+        (void)U_deserialize; assert(U_deserialize == 0);
+        (void)V_deserialize; assert(V_deserialize == 0);
 
         // get cached versions
         ge_p3_to_cached(&G_cached, &G_p3);
         ge_p3_to_cached(&H_cached, &H_p3);
+        ge_p3_to_cached(&T_cached, &T_p3);
+        ge_p3_to_cached(&U_cached, &U_p3);
+        ge_p3_to_cached(&V_cached, &V_p3);
 
         // in debug mode, check that generators are reproducible
         (void)reproduce_generator_G; assert(reproduce_generator_G() == G);
         (void)reproduce_generator_H; assert(reproduce_generator_H() == H);
+        (void)reproduce_generator_T; assert(reproduce_generator_T() == T);
+        (void)reproduce_generator_U; assert(reproduce_generator_U() == U);
+        (void)reproduce_generator_V; assert(reproduce_generator_V() == V);
 
     });
 }
@@ -159,6 +230,21 @@ public_key get_H()
     return H;
 }
 //-------------------------------------------------------------------------------------------------------------------
+public_key get_T()
+{
+    return T;
+}
+//-------------------------------------------------------------------------------------------------------------------
+public_key get_U()
+{
+    return U;
+}
+//-------------------------------------------------------------------------------------------------------------------
+public_key get_V()
+{
+    return V;
+}
+//-------------------------------------------------------------------------------------------------------------------
 ge_p3 get_G_p3()
 {
     init_gens();
@@ -171,6 +257,24 @@ ge_p3 get_H_p3()
     return H_p3;
 }
 //-------------------------------------------------------------------------------------------------------------------
+ge_p3 get_T_p3()
+{
+    init_gens();
+    return T_p3;
+}
+//-------------------------------------------------------------------------------------------------------------------
+ge_p3 get_U_p3()
+{
+    init_gens();
+    return U_p3;
+}
+//-------------------------------------------------------------------------------------------------------------------
+ge_p3 get_V_p3()
+{
+    init_gens();
+    return V_p3;
+}
+//-------------------------------------------------------------------------------------------------------------------
 ge_cached get_G_cached()
 {
     init_gens();
@@ -183,4 +287,22 @@ ge_cached get_H_cached()
     return H_cached;
 }
 //-------------------------------------------------------------------------------------------------------------------
+ge_cached get_T_cached()
+{
+    init_gens();
+    return T_cached;
+}
+//-------------------------------------------------------------------------------------------------------------------
+ge_cached get_U_cached()
+{
+    init_gens();
+    return U_cached;
+}
+//-------------------------------------------------------------------------------------------------------------------
+ge_cached get_V_cached()
+{
+    init_gens();
+    return V_cached;
+}
+//-------------------------------------------------------------------------------------------------------------------
 } //namespace crypto
diff --git a/src/crypto/generators.h b/src/crypto/generators.h
@@ -39,9 +39,18 @@ namespace crypto
 
 public_key get_G();
 public_key get_H();
+public_key get_T();
+public_key get_U();
+public_key get_V();
 ge_p3 get_G_p3();
 ge_p3 get_H_p3();
+ge_p3 get_T_p3();
+ge_p3 get_U_p3();
+ge_p3 get_V_p3();
 ge_cached get_G_cached();
 ge_cached get_H_cached();
+ge_cached get_T_cached();
+ge_cached get_U_cached();
+ge_cached get_V_cached();
 
 } //namespace crypto
