Allow user to specify the padding point

common/src/test_helpers.rs

@@ -1,5 +1,4 @@
 use ark_ec::{AffineRepr, CurveGroup, Group};
-use ark_ff::PrimeField;
 use ark_std::rand::Rng;
 use ark_std::vec::Vec;
 use ark_std::UniformRand;
@@ -30,20 +29,5 @@ where
     for _ in 1..power {
         point_multiple.double_in_place();
     }
-
     point_multiple.into()
 }
-
-pub fn find_random_point<F: PrimeField, P: AffineRepr<BaseField = F>>() -> P {
-    let mut x: u8 = 0;
-    loop {
-        let p = P::from_random_bytes(&[x]);
-        if let Some(p) = p {
-            let p = p.clear_cofactor();
-            if !p.is_zero() {
-                return p;
-            }
-        }
-        x = x + 1;
-    }
-}

ring/src/lib.rs

@@ -1,10 +1,6 @@
 #![cfg_attr(not(feature = "std"), no_std)]
 
-use ark_ec::{
-    short_weierstrass::{Affine, SWCurveConfig},
-    AffineRepr,
-};
-use ark_ff::{One, PrimeField, Zero};
+use ark_ff::PrimeField;
 use ark_serialize::CanonicalSerialize;
 use ark_std::rand::RngCore;
 use fflonk::pcs::PCS;
@@ -28,42 +24,6 @@ pub type RingProof<F, CS> = Proof<F, CS, RingCommitments<F, <CS as PCS<F>>::C>,
 /// Polynomial Commitment Schemes.
 pub use fflonk::pcs;
 
-/// Find a point not on the prime subgroup.
-///
-/// Calling the method for a prime-order curve results in an infinite loop.
-pub fn find_complement_point<Curve: SWCurveConfig>() -> Affine<Curve> {
-    let mut x = Curve::BaseField::zero();
-    loop {
-        let p = Affine::<Curve>::get_point_from_x_unchecked(x, false);
-        if p.is_some() && !p.unwrap().is_in_correct_subgroup_assuming_on_curve() {
-            return p.unwrap();
-        }
-        x = x + Curve::BaseField::one()
-    }
-}
-
-/// Try and increment hash to curve.
-pub(crate) fn hash_to_curve<F: PrimeField, P: AffineRepr<BaseField = F>>(message: &[u8]) -> P {
-    use blake2::Digest;
-    let mut seed = message.to_vec();
-    let cnt_offset = seed.len();
-    let mut no_tries: usize = 0;
-
-    seed.push(0);
-    loop {
-        let hash: [u8; 64] = blake2::Blake2b::digest(&seed[..]).into();
-        if let Some(point) = P::from_random_bytes(&hash) {
-            let point = point.clear_cofactor();
-            if !point.is_zero() {
-                return point;
-            }
-        }
-        seed[cnt_offset] += 1;
-        no_tries += 1;
-        assert!(no_tries < 256);
-    }
-}
-
 #[derive(Clone)]
 pub struct ArkTranscript(ark_transcript::Transcript);
 
@@ -91,14 +51,13 @@ impl ArkTranscript {
 #[cfg(test)]
 mod tests {
     use ark_bls12_381::Bls12_381;
-    use ark_ec::CurveGroup;
-    use ark_ed_on_bls12_381_bandersnatch::{BandersnatchConfig, EdwardsAffine, Fq, Fr, SWAffine};
-    use ark_ff::MontFp;
+    use ark_ec::{AffineRepr, CurveGroup};
+    use ark_ed_on_bls12_381_bandersnatch::{EdwardsAffine, Fq, Fr, SWAffine};
     use ark_std::rand::Rng;
     use ark_std::{end_timer, start_timer, test_rng, UniformRand};
     use fflonk::pcs::kzg::KZG;
 
-    use common::test_helpers::{find_random_point, random_vec};
+    use common::test_helpers::random_vec;
 
     use crate::piop::FixedColumnsCommitted;
     use crate::ring::{Ring, RingBuilderKey};
@@ -198,8 +157,9 @@ mod tests {
 
         let domain = Domain::new(domain_size, true);
         let h = P::rand(rng);
-        let seed = find_random_point::<Fq, P>();
-        let piop_params = PiopParams::setup(domain, h, seed);
+        let seed = P::rand(rng);
+        let pad = P::rand(rng);
+        let piop_params = PiopParams::setup(domain, h, seed, pad);
 
         (pcs_params, piop_params)
     }
@@ -214,22 +174,6 @@ mod tests {
         _test_lagrangian_commitment::<SWAffine>();
     }
 
-    #[test]
-    fn test_complement_point() {
-        let p = find_complement_point::<BandersnatchConfig>();
-        assert!(p.is_on_curve());
-        assert!(!p.is_in_correct_subgroup_assuming_on_curve());
-        assert_eq!(
-            p,
-            SWAffine::new_unchecked(
-                MontFp!("0"),
-                MontFp!(
-                    "11982629110561008531870698410380659621661946968466267969586599013782997959645"
-                )
-            )
-        )
-    }
-
     #[test]
     fn test_ring_proof_kzg_sw() {
         _test_ring_proof::<KZG<Bls12_381>, SWAffine>(2usize.pow(10), 1);

ring/src/piop/params.rs

@@ -30,8 +30,7 @@ pub struct PiopParams<F: PrimeField, P: AffineRepr<BaseField = F>> {
 }
 
 impl<F: PrimeField, P: AffineRepr<BaseField = F>> PiopParams<F, P> {
-    pub fn setup(domain: Domain<F>, h: P, seed: P) -> Self {
-        let padding_point = crate::hash_to_curve::<F, P>(b"w3f/ring-proof/padding");
+    pub fn setup(domain: Domain<F>, h: P, seed: P, padding_point: P) -> Self {
         let scalar_bitlen = P::ScalarField::MODULUS_BIT_SIZE as usize;
         // 1 accounts for the last cells of the points and bits columns that remain unconstrained
         let keyset_part_size = domain.capacity - scalar_bitlen - 1;
@@ -109,8 +108,9 @@ mod tests {
         let rng = &mut test_rng();
         let h = P::rand(rng);
         let seed = P::rand(rng);
+        let pad = P::rand(rng);
         let domain = Domain::new(1024, false);
-        let params = PiopParams::<Fq, P>::setup(domain, h, seed);
+        let params = PiopParams::<Fq, P>::setup(domain, h, seed, pad);
         let t = Fr::rand(rng);
         let t_bits = params.scalar_part(t);
         let th = cond_sum(&t_bits, &params.power_of_2_multiples_of_h());

ring/src/ring.rs

@@ -272,8 +272,9 @@ mod tests {
         // piop params
         let h = SWAffine::rand(rng);
         let seed = SWAffine::rand(rng);
+        let pad = SWAffine::rand(rng);
         let domain = Domain::new(domain_size, true);
-        let piop_params = PiopParams::setup(domain, h, seed);
+        let piop_params = PiopParams::setup(domain, h, seed, pad);
 
         let mut ring = TestRing::empty(&piop_params, srs, ring_builder_key.g1);
         let (monimial_cx, monimial_cy) = get_monomial_commitment(&pcs_params, &piop_params, &[]);
@@ -312,8 +313,9 @@ mod tests {
         // piop params
         let h = P::rand(rng);
         let seed = P::rand(rng);
+        let pad = P::rand(rng);
         let domain = Domain::new(domain_size, true);
-        let piop_params = PiopParams::setup(domain, h, seed);
+        let piop_params = PiopParams::setup(domain, h, seed, pad);
 
         let ring = TestRing::<P>::empty(&piop_params, srs, ring_builder_key.g1);
         let same_ring = TestRing::with_keys(&piop_params, &[], &ring_builder_key);