From 7dc21f472752e7573826e0796c3f07a6f3432f71 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sun, 21 Feb 2021 21:01:19 +0000 Subject: [PATCH] Repair test vectors and add tests for map_to_curve_simple_swu. Signed-off-by: Daira Hopwood --- src/pasta/pallas.rs | 62 ++++++++++++++++++++++++++++++++++++++++----- src/pasta/vesta.rs | 46 ++++++++++++++++++++++++++++++--- 2 files changed, 98 insertions(+), 10 deletions(-) diff --git a/src/pasta/pallas.rs b/src/pasta/pallas.rs index 10750ef7..d38d056c 100644 --- a/src/pasta/pallas.rs +++ b/src/pasta/pallas.rs @@ -54,6 +54,14 @@ fn test_iso_map() { assert!( format!("{:?}", z) == "0x1e049436efa754f5f189aec69c2c3a4a559eca6a12b45c3f2e4a769deeca6187" ); + + // check that iso_map([2] r) = [2] iso_map(r) + let r2 = r.double(); + assert!(bool::from(r2.is_on_curve())); + let p2 = + super::hashtocurve::iso_map::<_, Affine, super::IsoEpAffine>(&r2, &Ep::ISOGENY_CONSTANTS); + assert!(bool::from(p2.is_on_curve())); + assert!(bool::from(p2 == p.double())); } #[test] 
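Review bot: In the added doubling check, `assert!(bool::from(p2 == p.double()));` wraps a value that is already a `bool`, since `==` always yields `bool`, and on failure it prints only the expression text. If the point type implements `Debug`, which is not visible in this hunk, `assert_eq!(p2, p.double());` would show both points when the isogeny stops commuting with doubling. The same applies to the `assert!(format!("{:?}", x) == "0x…")` comparisons added in the later pallas.rs hunk and in vesta.rs, where `assert_eq!` would print the computed coordinate beside the expected one. test_iso_map begins outside this hunk.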
@@ -83,29 +91,71 @@ fn test_iso_map_identity() { .unwrap(); let r = (r * -Fq::one()) + r; assert!(bool::from(r.is_on_curve())); + assert!(bool::from(r.is_zero())); let p = super::hashtocurve::iso_map::<_, Affine, super::IsoEpAffine>(&r, &Ep::ISOGENY_CONSTANTS); assert!(bool::from(p.is_on_curve())); + assert!(bool::from(p.is_zero())); } #[test] -fn test_map_to_curve_pallas() { +fn test_map_to_curve_simple_swu() { use crate::arithmetic::Curve; + use crate::pasta::curves::{IsoEp, IsoEpAffine}; + use crate::pasta::hashtocurve::map_to_curve_simple_swu; - let hash = Point::hash_to_curve("z.cash:test"); - let p: Point = hash(b"hello"); + // The zero input is a special case. + let p: IsoEp = + map_to_curve_simple_swu::(&Fp::zero(), Ep::THETA, Ep::Z); let (x, y, z) = p.jacobian_coordinates(); println!("{:?}", p); assert!( - format!("{:?}", x) == "0x318cc15f281662b3f26d0175cab97b924870c837879cac647e877be51a85e898" + format!("{:?}", x) == "0x28c1a6a534f56c52e25295b339129a8af5f42525dea727f485ca3433519b096e" ); assert!( - format!("{:?}", y) == "0x1e91e2fa2a5a6a5bc86ff9564ae9336084470e7119dffcb85ae8c1383a3defd7" + format!("{:?}", y) == "0x3bfc658bee6653c63c7d7f0927083fd315d29c270207b7c7084fa1ee6ac5ae8d" ); assert!( - format!("{:?}", z) == "0x1e049436efa754f5f189aec69c2c3a4a559eca6a12b45c3f2e4a769deeca6187" + format!("{:?}", z) == "0x054b3ba10416dc104157b1318534a19d5d115472da7d746f8a5f250cd8cdef36" + ); + + let p: IsoEp = + map_to_curve_simple_swu::(&Fp::one(), Ep::THETA, Ep::Z); + let (x, y, z) = p.jacobian_coordinates(); + println!("{:?}", p); + assert!( + format!("{:?}", x) == "0x010cba5957e876534af5e967c026a1856d64b071068280837913b9a5a3561505" + ); + assert!( + format!("{:?}", y) == "0x062fc61f9cd3118e7d6e65a065ebf46a547514d6b08078e976fa6d515dcc9c81" + ); + assert!( + format!("{:?}", z) == "0x3f86cb8c311250c3101c4e523e7793605ccff5623de1753a7c75bc9a29a73688" + ); +} + +#[test] +fn test_hash_to_curve() { + use crate::arithmetic::Curve; + + // This test vector is chosen so that 
the first map_to_curve_simple_swu takes the gx1 square + // "branch" and the second takes the gx1 non-square "branch" (opposite to the Vesta test vector). + let hash = Point::hash_to_curve("z.cash:test"); + let p: Point = hash(b"world"); + let (x, y, z) = p.jacobian_coordinates(); + println!("{:?}", p); + assert!( + format!("{:?}", x) == "0x2ae2d9bde5a5b4bc1f1e7154f18a407ac826c9d7cd23c3b33efa0f237e99cd35" + ); + assert!( + format!("{:?}", y) == "0x3ca16b5bf2e6c41cdf781ead8ba61400becbc16430d026b65b707560b98f8b31" + ); + assert!( + format!("{:?}", z) == "0x2502d25cc3b1129d933af3ac34822111bfd070609fdebdfb778dd25cf40f9b82" ); assert!(bool::from(p.is_on_curve())); + let p = (p * -Fq::one()) + p; assert!(bool::from(p.is_on_curve())); + assert!(bool::from(p.is_zero())); } diff --git a/src/pasta/vesta.rs b/src/pasta/vesta.rs index a92956d0..be387c26 100644 --- a/src/pasta/vesta.rs +++ b/src/pasta/vesta.rs 
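Review bot: The expected values in `test_map_to_curve_simple_swu` and `test_hash_to_curve` pin raw Jacobian `(x, y, z)` coordinates and carry no comment saying where they were produced. A Jacobian triple is only one of many representations of the same point, so these vectors cannot be cross-checked against an independent hash-to-curve implementation. They appear to have been regenerated from this code, which would make them regression checks rather than correctness checks. I would add a comment above each group such as `// Expected Jacobian coordinates produced by <generator and revision>; representation-dependent.` and, if an affine conversion is available here, compare affine coordinates as well. The same holds for the vectors in the vesta.rs hunk.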
@@ -15,20 +15,58 @@ pub type Point = Eq; pub type Affine = EqAffine; #[test] -fn test_map_to_curve_vesta() { +fn test_map_to_curve_simple_swu() { + use crate::arithmetic::Curve; + use crate::pasta::curves::{IsoEq, IsoEqAffine}; + use crate::pasta::hashtocurve::map_to_curve_simple_swu; + + // The zero input is a special case. + let p: IsoEq = + map_to_curve_simple_swu::(&Fq::zero(), Eq::THETA, Eq::Z); + let (x, y, z) = p.jacobian_coordinates(); + println!("{:?}", p); + assert!( + format!("{:?}", x) == "0x2ccc4c6ec2660e5644305bc52527d904d408f92407f599df8f158d50646a2e78" + ); + assert!( + format!("{:?}", y) == "0x29a34381321d13d72d50b6b462bb4ea6a9e47393fa28a47227bf35bc0ee7aa59" + ); + assert!( + format!("{:?}", z) == "0x0b851e9e579403a76df1100f556e1f226e5656bdf38f3bf8601d8a3a9a15890b" + ); + + let p: IsoEq = + map_to_curve_simple_swu::(&Fq::one(), Eq::THETA, Eq::Z); + let (x, y, z) = p.jacobian_coordinates(); + println!("{:?}", p); + assert!( + format!("{:?}", x) == "0x165f8b71841c5abc3d742ec13fb16f099d596b781e6f5c7d0b6682b1216a8258" + ); + assert!( + format!("{:?}", y) == "0x0dadef21de74ed7337a37dd74f126a92e4df73c3a704da501e36eaf59cf03120" + ); + assert!( + format!("{:?}", z) == "0x0a3d6f6c1af02bd9274cc0b80129759ce77edeef578d7de968d4a47d39026c82" + ); +} + +#[test] +fn test_hash_to_curve() { use crate::arithmetic::Curve; + // This test vector is chosen so that the first map_to_curve_simple_swu takes the gx1 non-square + // "branch" and the second takes the gx1 square "branch" (opposite to the Pallas test vector). 
let hash = Point::hash_to_curve("z.cash:test"); let p: Point = hash(b"hello"); let (x, y, z) = p.jacobian_coordinates(); println!("{:?}", p); assert!( - format!("{:?}", x) == "0x3984612258b3b43b4f6e046f7f796bbd35ffd8908804bcf47b9537d3ec7645c9" + format!("{:?}", x) == "0x24c3431db13111fcba2f214a0662ae48e675801988c5705877525750b65f7ad8" ); assert!( - format!("{:?}", y) == "0x2573c035293d745a288a65a7a37709ef99bcf31b77cfb3a1126a61e3adeebc4b" + format!("{:?}", y) == "0x0df21621bf38070d79193ec5959fc2bb09468e71c0190d0217b0984fc92282f3" ); assert!( - format!("{:?}", z) == "0x1cb99da94a634842b09a3ee1e5b462233e1fc23d0b357ec7fb0d1c409be30720" + format!("{:?}", z) == "0x3e95ef9cbe5a9978c0d82635b242cf773ecfbc764ae9b936aba64c43f67091c6" ); }
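Review bot: The Vesta `test_hash_to_curve` ends after the `z` comparison, whereas the Pallas version in this commit goes on to assert `p.is_on_curve()` and that `p` plus its negation `is_zero()`. Adding `assert!(bool::from(p.is_on_curve()));` after the last coordinate check, followed by the same negation check with Vesta's scalar type in place of `Fq`, would keep the two tests parallel. That way a wrong hard-coded vector cannot pass merely because it matches the current output. Neither file's `test_map_to_curve_simple_swu` asserts that the mapped point lies on the isogenous curve either; if `is_on_curve` is available on the iso-curve point type (not visible here), one assertion per output would close that gap.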