Merging Version 09 changes into main (#60)

* Syncing new test vectors and base mode * Working set of test vectors for VOPRF mode * Adding POPRF * POPRF test vectors in sync * Address review (#59) Co-authored-by: daxpedda <daxpedda@gmail.com>
facebook · Feb 13, 2022 · f8e0600 · f8e0600
1 parent 9eee936
commit f8e0600
Show file tree

Hide file tree

Showing 15 changed files with 3,717 additions and 2,249 deletions.
diff --git a/src/error.rs b/src/error.rs
@@ -15,18 +15,18 @@ pub type Result<T, E = Error> = core::result::Result<T, E>;
 /// Represents an error in the manipulation of internal cryptographic data
 #[derive(Clone, Copy, Debug, Display, Eq, Hash, Ord, PartialEq, PartialOrd)]
 pub enum Error {
+    /// Size of info is longer then [`u16::MAX`].
+    Info,
     /// Size of input is empty or longer then [`u16::MAX`].
     Input,
-    /// Size of metadata is longer then `u16::MAX - 21`.
-    Metadata,
+    /// Size of info and seed together are longer then `u16::MAX - 3`.
+    DeriveKeyPair,
     /// Failure to deserialize bytes
     Deserialization,
     /// Batched items are more then [`u16::MAX`] or length don't match.
     Batch,
     /// In verifiable mode, occurs when the proof failed to verify
     ProofVerification,
-    /// Size of seed is longer then [`u16::MAX`].
-    Seed,
     /// The protocol has failed and can't be completed.
     Protocol,
 }

diff --git a/src/group/elliptic_curve.rs b/src/group/elliptic_curve.rs
@@ -13,14 +13,11 @@ use elliptic_curve::sec1::{FromEncodedPoint, ModulusSize, ToEncodedPoint};
 use elliptic_curve::{
     AffinePoint, Field, FieldSize, Group as _, ProjectivePoint, PublicKey, Scalar, SecretKey,
 };
-use generic_array::sequence::Concat;
 use generic_array::typenum::{IsLess, IsLessOrEqual, U256};
 use generic_array::GenericArray;
 use rand_core::{CryptoRng, RngCore};
 
 use super::Group;
-use crate::group::{STR_HASH_TO_GROUP, STR_HASH_TO_SCALAR};
-use crate::voprf::{self, Mode};
 use crate::{CipherSuite, Error, InternalError, Result};
 
 impl<C> Group for C
@@ -43,32 +40,26 @@ where
     // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
     fn hash_to_curve<CS: CipherSuite>(
         input: &[&[u8]],
-        mode: Mode,
+        dst: &[u8],
     ) -> Result<Self::Elem, InternalError>
     where
         <CS::Hash as OutputSizeUser>::OutputSize:
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
-        let dst =
-            GenericArray::from(STR_HASH_TO_GROUP).concat(voprf::get_context_string::<CS>(mode));
-
-        Self::hash_from_bytes::<ExpandMsgXmd<CS::Hash>>(input, &dst)
+        Self::hash_from_bytes::<ExpandMsgXmd<CS::Hash>>(input, dst)
             .map_err(|_| InternalError::Input)
     }
 
     // Implements the `HashToScalar()` function
     fn hash_to_scalar<CS: CipherSuite>(
         input: &[&[u8]],
-        mode: Mode,
+        dst: &[u8],
     ) -> Result<Self::Scalar, InternalError>
     where
         <CS::Hash as OutputSizeUser>::OutputSize:
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
-        let dst =
-            GenericArray::from(STR_HASH_TO_SCALAR).concat(voprf::get_context_string::<CS>(mode));
-
-        <Self as GroupDigest>::hash_to_scalar::<ExpandMsgXmd<CS::Hash>>(input, &dst)
+        <Self as GroupDigest>::hash_to_scalar::<ExpandMsgXmd<CS::Hash>>(input, dst)
             .map_err(|_| InternalError::Input)
     }
 

diff --git a/src/group/mod.rs b/src/group/mod.rs
@@ -23,7 +23,6 @@ pub use ristretto::Ristretto255;
 use subtle::{Choice, ConstantTimeEq};
 use zeroize::Zeroize;
 
-use crate::voprf::Mode;
 use crate::{CipherSuite, InternalError, Result};
 
 pub(crate) const STR_HASH_TO_SCALAR: [u8; 13] = *b"HashToScalar-";
@@ -33,7 +32,8 @@ pub(crate) const STR_HASH_TO_GROUP: [u8; 12] = *b"HashToGroup-";
 /// subgroup is noted additively — as in the draft RFC — in this trait.
 pub trait Group {
     /// The type of group elements
-    type Elem: Copy
+    type Elem: ConstantTimeEq
+        + Copy
         + Zeroize
         + for<'a> Add<&'a Self::Elem, Output = Self::Elem>
         + for<'a> Mul<&'a Self::Scalar, Output = Self::Elem>;
@@ -59,7 +59,7 @@ pub trait Group {
     /// then [`u16::MAX`].
     fn hash_to_curve<CS: CipherSuite>(
         input: &[&[u8]],
-        mode: Mode,
+        dst: &[u8],
     ) -> Result<Self::Elem, InternalError>
     where
         <CS::Hash as OutputSizeUser>::OutputSize:
@@ -72,7 +72,7 @@ pub trait Group {
     /// then [`u16::MAX`].
     fn hash_to_scalar<CS: CipherSuite>(
         input: &[&[u8]],
-        mode: Mode,
+        dst: &[u8],
     ) -> Result<Self::Scalar, InternalError>
     where
         <CS::Hash as OutputSizeUser>::OutputSize:
@@ -84,6 +84,11 @@ pub trait Group {
     /// Returns the identity group element
     fn identity_elem() -> Self::Elem;
 
+    /// Returns `true` if the element is equal to the identity element
+    fn is_identity_elem(elem: Self::Elem) -> Choice {
+        Self::identity_elem().ct_eq(&elem)
+    }
+
     /// Serializes the `self` group element
     fn serialize_elem(elem: Self::Elem) -> GenericArray<u8, Self::ElemLen>;
 

diff --git a/src/group/ristretto.rs b/src/group/ristretto.rs
@@ -12,14 +12,12 @@ use curve25519_dalek::traits::Identity;
 use digest::core_api::BlockSizeUser;
 use digest::OutputSizeUser;
 use elliptic_curve::hash2curve::{ExpandMsg, ExpandMsgXmd, Expander};
-use generic_array::sequence::Concat;
 use generic_array::typenum::{IsLess, IsLessOrEqual, U256, U32, U64};
 use generic_array::GenericArray;
 use rand_core::{CryptoRng, RngCore};
 use subtle::ConstantTimeEq;
 
-use super::{Group, STR_HASH_TO_GROUP, STR_HASH_TO_SCALAR};
-use crate::voprf::{self, Mode};
+use super::Group;
 use crate::{CipherSuite, Error, InternalError, Result};
 
 /// [`Group`] implementation for Ristretto255.
@@ -52,17 +50,14 @@ impl Group for Ristretto255 {
     // https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.txt
     fn hash_to_curve<CS: CipherSuite>(
         input: &[&[u8]],
-        mode: Mode,
+        dst: &[u8],
     ) -> Result<Self::Elem, InternalError>
     where
         <CS::Hash as OutputSizeUser>::OutputSize:
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
-        let dst =
-            GenericArray::from(STR_HASH_TO_GROUP).concat(voprf::get_context_string::<Self>(mode));
-
         let mut uniform_bytes = GenericArray::<_, U64>::default();
-        ExpandMsgXmd::<CS::Hash>::expand_message(input, &dst, 64)
+        ExpandMsgXmd::<CS::Hash>::expand_message(input, dst, 64)
             .map_err(|_| InternalError::Input)?
             .fill_bytes(&mut uniform_bytes);
 
@@ -71,19 +66,16 @@ impl Group for Ristretto255 {
 
     // Implements the `HashToScalar()` function from
     // https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-07.html#section-4.1
-    fn hash_to_scalar<'a, CS: CipherSuite>(
+    fn hash_to_scalar<CS: CipherSuite>(
         input: &[&[u8]],
-        mode: Mode,
+        dst: &[u8],
     ) -> Result<Self::Scalar, InternalError>
     where
         <CS::Hash as OutputSizeUser>::OutputSize:
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
-        let dst =
-            GenericArray::from(STR_HASH_TO_SCALAR).concat(voprf::get_context_string::<Self>(mode));
-
         let mut uniform_bytes = GenericArray::<_, U64>::default();
-        ExpandMsgXmd::<CS::Hash>::expand_message(input, &dst, 64)
+        ExpandMsgXmd::<CS::Hash>::expand_message(input, dst, 64)
             .map_err(|_| InternalError::Input)?
             .fill_bytes(&mut uniform_bytes);