Enable Ristretto255 for OPRFs.

cloudflare · Mar 7, 2022 · 785fc97 · 785fc97
1 parent fede922
commit 785fc97
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 6 deletions.
diff --git a/group/ristretto255.go b/group/ristretto255.go
@@ -98,16 +98,31 @@ func (g ristrettoGroup) HashToElementNonUniform(b, dst []byte) Element {
 }
 
 func (g ristrettoGroup) HashToElement(msg, dst []byte) Element {
+	// Compliaint with draft-irtf-cfrg-hash-to-curve.
+	// Appendix B - Hashing to ristretto255
+	// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-14#appendix-B
+	// SuiteID: ristretto255_XMD:SHA-512_R255MAP_RO_
+	var buf [32]byte
 	xmd := expander.NewExpanderMD(crypto.SHA512, dst)
-	data := xmd.Expand(msg, 64)
-	e := g.NewElement()
-	e.(*ristrettoElement).p.Derive(data)
-	return e
+	uniformBytes := xmd.Expand(msg, 64)
+	copy(buf[:], uniformBytes[:32])
+	p0 := new(r255.Point).SetElligator(&buf)
+	copy(buf[:], uniformBytes[32:])
+	p1 := new(r255.Point).SetElligator(&buf)
+	p0.Add(p0, p1)
+
+	return &ristrettoElement{*p0}
 }
 
 func (g ristrettoGroup) HashToScalar(msg, dst []byte) Scalar {
+	// Adapted to be compliant with draft-irtf-cfrg-voprf
+	// Section 4.1.1 - OPRF(ristretto255, SHA-512)
+	// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-09#section-4.1.1
+	var uniformBytes [64]byte
+	xmd := expander.NewExpanderMD(crypto.SHA512, dst)
+	copy(uniformBytes[:], xmd.Expand(msg, 64))
 	s := g.NewScalar()
-	s.(*ristrettoScalar).s.Derive(msg)
+	s.(*ristrettoScalar).s.SetReduced(&uniformBytes)
 	return s
 }
 

diff --git a/oprf/oprf.go b/oprf/oprf.go
@@ -90,6 +90,8 @@ type Suite interface {
 }
 
 var (
+	// SuiteRistretto255 represents the OPRF with Ristretto255 and SHA-512.
+	SuiteRistretto255 Suite = params{id: 1, group: group.Ristretto255, hash: crypto.SHA512}
 	// SuiteP256 represents the OPRF with P-256 and SHA-256.
 	SuiteP256 Suite = params{id: 3, group: group.P256, hash: crypto.SHA256}
 	// SuiteP384 represents the OPRF with P-384 and SHA-384.
@@ -100,6 +102,8 @@ var (
 
 func GetSuite(id int) (Suite, error) {
 	switch uint16(id) {
+	case SuiteRistretto255.(params).id:
+		return SuiteRistretto255, nil
 	case SuiteP256.(params).id:
 		return SuiteP256, nil
 	case SuiteP384.(params).id:

diff --git a/oprf/oprf_test.go b/oprf/oprf_test.go
@@ -129,6 +129,7 @@ func TestAPI(t *testing.T) {
 	info := []byte("shared info")
 
 	for _, suite := range []Suite{
+		SuiteRistretto255,
 		SuiteP256,
 		SuiteP384,
 		SuiteP521,

diff --git a/oprf/vectors_test.go b/oprf/vectors_test.go
@@ -102,7 +102,6 @@ func readFile(t *testing.T, fileName string) []vector {
 }
 
 func (v *vector) SetUpParties(t *testing.T) (id params, s commonServer, c commonClient) {
-	t.Helper()
 	suite, err := GetSuite(v.ID)
 	test.CheckNoErr(t, err, "suite id")
 	seed := toBytes(t, v.Seed, "seed for key derivation")