Syncing new test vectors and base mode (#58)

* Syncing new test vectors and base mode * Working set of test vectors for VOPRF mode * Adding POPRF * POPRF test vectors in sync
facebook · Feb 13, 2022 · 06139e3 · 06139e3
1 parent 9eee936
commit 06139e3
Show file tree

Hide file tree

Showing 16 changed files with 3,414 additions and 2,237 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -14,7 +14,7 @@ version = "0.3.0"
 [features]
 alloc = []
 danger = []
-default = ["ristretto255-ciphersuite", "ristretto255-u64", "serde"]
+default = ["ristretto255-ciphersuite", "ristretto255-u64", "serde", "std"]
 ristretto255 = ["generic-array/more_lengths"]
 ristretto255-ciphersuite = ["ristretto255", "sha2"]
 ristretto255-fiat-u32 = ["curve25519-dalek/fiat_u32_backend", "ristretto255"]
@@ -26,6 +26,7 @@ serde = ["generic-array/serde", "serde_"]
 std = ["alloc"]
 
 [dependencies]
+hex = "0.4"
 curve25519-dalek = { version = "3", default-features = false, optional = true }
 derive-where = { version = "=1.0.0-rc.2", features = ["zeroize-on-drop"] }
 digest = "0.10"

diff --git a/src/error.rs b/src/error.rs
@@ -17,8 +17,8 @@ pub type Result<T, E = Error> = core::result::Result<T, E>;
 pub enum Error {
     /// Size of input is empty or longer then [`u16::MAX`].
     Input,
-    /// Size of metadata is longer then `u16::MAX - 21`.
-    Metadata,
+    /// Size of info is longer then `u16::MAX - 21`.
+    Info,
     /// Failure to deserialize bytes
     Deserialization,
     /// Batched items are more then [`u16::MAX`] or length don't match.
@@ -29,6 +29,8 @@ pub enum Error {
     Seed,
     /// The protocol has failed and can't be completed.
     Protocol,
+    /// Issue with deriving a keypair
+    DeriveKeyPair,
 }
 
 /// Only used to implement [`Group`](crate::Group).

diff --git a/src/group/elliptic_curve.rs b/src/group/elliptic_curve.rs
@@ -19,9 +19,9 @@ use generic_array::GenericArray;
 use rand_core::{CryptoRng, RngCore};
 
 use super::Group;
-use crate::group::{STR_HASH_TO_GROUP, STR_HASH_TO_SCALAR};
-use crate::voprf::{self, Mode};
-use crate::{CipherSuite, Error, InternalError, Result};
+use crate::group::STR_HASH_TO_GROUP;
+use crate::util::Mode;
+use crate::{util, CipherSuite, Error, InternalError, Result};
 
 impl<C> Group for C
 where
@@ -50,25 +50,22 @@ where
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
         let dst =
-            GenericArray::from(STR_HASH_TO_GROUP).concat(voprf::get_context_string::<CS>(mode));
+            GenericArray::from(STR_HASH_TO_GROUP).concat(util::create_context_string::<CS>(mode));
 
         Self::hash_from_bytes::<ExpandMsgXmd<CS::Hash>>(input, &dst)
             .map_err(|_| InternalError::Input)
     }
 
     // Implements the `HashToScalar()` function
-    fn hash_to_scalar<CS: CipherSuite>(
+    fn hash_to_scalar_with_dst<CS: CipherSuite>(
         input: &[&[u8]],
-        mode: Mode,
+        dst: &[u8],
     ) -> Result<Self::Scalar, InternalError>
     where
         <CS::Hash as OutputSizeUser>::OutputSize:
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
-        let dst =
-            GenericArray::from(STR_HASH_TO_SCALAR).concat(voprf::get_context_string::<CS>(mode));
-
-        <Self as GroupDigest>::hash_to_scalar::<ExpandMsgXmd<CS::Hash>>(input, &dst)
+        <Self as GroupDigest>::hash_to_scalar::<ExpandMsgXmd<CS::Hash>>(input, dst)
             .map_err(|_| InternalError::Input)
     }
 

diff --git a/src/group/mod.rs b/src/group/mod.rs
@@ -15,6 +15,7 @@ use core::ops::{Add, Mul, Sub};
 
 use digest::core_api::BlockSizeUser;
 use digest::OutputSizeUser;
+use generic_array::sequence::Concat;
 use generic_array::typenum::{IsLess, IsLessOrEqual, U256};
 use generic_array::{ArrayLength, GenericArray};
 use rand_core::{CryptoRng, RngCore};
@@ -23,7 +24,7 @@ pub use ristretto::Ristretto255;
 use subtle::{Choice, ConstantTimeEq};
 use zeroize::Zeroize;
 
-use crate::voprf::Mode;
+use crate::util::Mode;
 use crate::{CipherSuite, InternalError, Result};
 
 pub(crate) const STR_HASH_TO_SCALAR: [u8; 13] = *b"HashToScalar-";
@@ -33,7 +34,8 @@ pub(crate) const STR_HASH_TO_GROUP: [u8; 12] = *b"HashToGroup-";
 /// subgroup is noted additively — as in the draft RFC — in this trait.
 pub trait Group {
     /// The type of group elements
-    type Elem: Copy
+    type Elem: ConstantTimeEq
+        + Copy
         + Zeroize
         + for<'a> Add<&'a Self::Elem, Output = Self::Elem>
         + for<'a> Mul<&'a Self::Scalar, Output = Self::Elem>;
@@ -74,6 +76,26 @@ pub trait Group {
         input: &[&[u8]],
         mode: Mode,
     ) -> Result<Self::Scalar, InternalError>
+    where
+        <CS::Hash as OutputSizeUser>::OutputSize:
+            IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
+    {
+        let dst = GenericArray::from(STR_HASH_TO_SCALAR)
+            .concat(crate::util::create_context_string::<CS>(mode));
+
+        Self::hash_to_scalar_with_dst::<CS>(input, &dst)
+    }
+
+    /// Hashes a slice of pseudo-random bytes to a scalar, allowing for
+    /// specifying a custom domain separation tag (DST)
+    ///
+    /// # Errors
+    /// [`Error::Input`](crate::Error::Input) if the `input` is empty or longer
+    /// then [`u16::MAX`].
+    fn hash_to_scalar_with_dst<CS: CipherSuite>(
+        input: &[&[u8]],
+        dst: &[u8],
+    ) -> Result<Self::Scalar, InternalError>
     where
         <CS::Hash as OutputSizeUser>::OutputSize:
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>;
@@ -84,6 +106,11 @@ pub trait Group {
     /// Returns the identity group element
     fn identity_elem() -> Self::Elem;
 
+    /// Returns `true` if the element is equal to the identity element
+    fn is_identity_elem(elem: Self::Elem) -> Choice {
+        Self::identity_elem().ct_eq(&elem)
+    }
+
     /// Serializes the `self` group element
     fn serialize_elem(elem: Self::Elem) -> GenericArray<u8, Self::ElemLen>;
 

diff --git a/src/group/ristretto.rs b/src/group/ristretto.rs
@@ -18,9 +18,9 @@ use generic_array::GenericArray;
 use rand_core::{CryptoRng, RngCore};
 use subtle::ConstantTimeEq;
 
-use super::{Group, STR_HASH_TO_GROUP, STR_HASH_TO_SCALAR};
-use crate::voprf::{self, Mode};
-use crate::{CipherSuite, Error, InternalError, Result};
+use super::{Group, STR_HASH_TO_GROUP};
+use crate::util::Mode;
+use crate::{util, CipherSuite, Error, InternalError, Result};
 
 /// [`Group`] implementation for Ristretto255.
 #[derive(Clone, Copy, Debug, Default, Eq, Hash, Ord, PartialEq, PartialOrd)]
@@ -59,7 +59,7 @@ impl Group for Ristretto255 {
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
         let dst =
-            GenericArray::from(STR_HASH_TO_GROUP).concat(voprf::get_context_string::<Self>(mode));
+            GenericArray::from(STR_HASH_TO_GROUP).concat(util::create_context_string::<Self>(mode));
 
         let mut uniform_bytes = GenericArray::<_, U64>::default();
         ExpandMsgXmd::<CS::Hash>::expand_message(input, &dst, 64)
@@ -71,19 +71,16 @@ impl Group for Ristretto255 {
 
     // Implements the `HashToScalar()` function from
     // https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-07.html#section-4.1
-    fn hash_to_scalar<'a, CS: CipherSuite>(
+    fn hash_to_scalar_with_dst<'a, CS: CipherSuite>(
         input: &[&[u8]],
-        mode: Mode,
+        dst: &[u8],
     ) -> Result<Self::Scalar, InternalError>
     where
         <CS::Hash as OutputSizeUser>::OutputSize:
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
-        let dst =
-            GenericArray::from(STR_HASH_TO_SCALAR).concat(voprf::get_context_string::<Self>(mode));
-
         let mut uniform_bytes = GenericArray::<_, U64>::default();
-        ExpandMsgXmd::<CS::Hash>::expand_message(input, &dst, 64)
+        ExpandMsgXmd::<CS::Hash>::expand_message(input, dst, 64)
             .map_err(|_| InternalError::Input)?
             .fill_bytes(&mut uniform_bytes);