RustCrypto
diff --git a/‎ed448-goldilocks/README.md
Lines changed: 4 additions & 4 deletions b/‎ed448-goldilocks/README.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎ed448-goldilocks/src/curve/edwards/extended.rs
Lines changed: 15 additions & 61 deletions b/‎ed448-goldilocks/src/curve/edwards/extended.rs
Lines changed: 15 additions & 61 deletions
diff --git a/‎ed448-goldilocks/src/curve/scalar.rs
Lines changed: 3 additions & 1 deletion b/‎ed448-goldilocks/src/curve/scalar.rs
Lines changed: 3 additions & 1 deletion
diff --git a/‎ed448-goldilocks/src/decaf/points.rs
Lines changed: 7 additions & 33 deletions b/‎ed448-goldilocks/src/decaf/points.rs
Lines changed: 7 additions & 33 deletions
diff --git a/‎ed448-goldilocks/src/decaf/scalar.rs
Lines changed: 56 additions & 1 deletion b/‎ed448-goldilocks/src/decaf/scalar.rs
Lines changed: 56 additions & 1 deletion
@@ -17,9 +17,9 @@ It is intended to be portable, fast, and safe.
 ## Usage
 
 ```rust
-use ed448_goldilocks::{EdwardsPoint, CompressedEdwardsY, EdwardsScalar, sha3::Shake256};
+use ed448_goldilocks::{Ed448, EdwardsPoint, CompressedEdwardsY, EdwardsScalar, sha3::Shake256};
 use elliptic_curve::Field;
-use hash2curve::ExpandMsgXof;
+use hash2curve::{ExpandMsgXof, GroupDigest};
 use rand_core::OsRng;
 
 let secret_key = EdwardsScalar::TWO;
@@ -33,12 +33,12 @@ let compressed_public_key = public_key.compress();
 
 assert_eq!(compressed_public_key.to_bytes().len(), 57);
 
-let hashed_scalar = EdwardsScalar::hash::<ExpandMsgXof<Shake256>>(b"test", b"edwards448_XOF:SHAKE256_ELL2_RO_");
+let hashed_scalar = Ed448::hash_to_scalar::<ExpandMsgXof<Shake256>>(&[b"test"], &[b"edwards448_XOF:SHAKE256_ELL2_RO_"]).unwrap();
 let input = hex_literal::hex!("c8c6c8f584e0c25efdb6af5ad234583c56dedd7c33e0c893468e96740fa0cf7f1a560667da40b7bde340a39252e89262fcf707d1180fd43400");
 let expected_scalar = EdwardsScalar::from_canonical_bytes(&input.into()).unwrap();
 assert_eq!(hashed_scalar, expected_scalar);
 
-let hashed_point = EdwardsPoint::hash::<ExpandMsgXof<Shake256>>(b"test", b"edwards448_XOF:SHAKE256_ELL2_RO_");
+let hashed_point = Ed448::hash_from_bytes::<ExpandMsgXof<Shake256>>(&[b"test"], &[b"edwards448_XOF:SHAKE256_ELL2_RO_"]).unwrap();
 let expected = hex_literal::hex!("d15c4427b5c5611a53593c2be611fd3635b90272d331c7e6721ad3735e95dd8b9821f8e4e27501ce01aa3c913114052dce2e91e8ca050f4980");
 let expected_point = CompressedEdwardsY(expected).decompress().unwrap();
 assert_eq!(hashed_point, expected_point);
 
@@ -12,13 +12,12 @@ use crate::field::FieldElement;
 use crate::*;
 use elliptic_curve::{
     CurveGroup, Error,
-    array::{Array, typenum::Unsigned},
-    consts::{U28, U84},
+    array::Array,
     group::{Group, GroupEncoding, cofactor::CofactorGroup, prime::PrimeGroup},
     ops::LinearCombination,
     point::NonIdentity,
 };
-use hash2curve::{ExpandMsg, ExpandMsgXof, Expander, FromOkm};
+use hash2curve::ExpandMsgXof;
 use rand_core::TryRngCore;
 use subtle::{Choice, ConditionallyNegatable, ConditionallySelectable, ConstantTimeEq, CtOption};
 
@@ -732,72 +731,26 @@ impl EdwardsPoint {
 
     /// Hash a message to a point on the curve
     ///
-    /// Hash using the default domain separation tag and hash function
+    /// Hash using the default domain separation tag and hash function.
+    /// For more control see [`GroupDigest::hash_from_bytes()`].
     pub fn hash_with_defaults(msg: &[u8]) -> Self {
-        Self::hash::<ExpandMsgXof<sha3::Shake256>>(msg, DEFAULT_HASH_TO_CURVE_SUITE)
-    }
-
-    /// Hash a message to a point on the curve
-    ///
-    /// Implements hash to curve according
-    /// see <https://datatracker.ietf.org/doc/rfc9380/>
-    pub fn hash<X>(msg: &[u8], dst: &[u8]) -> Self
-    where
-        X: ExpandMsg<U28>,
-    {
-        type RandomLen = U84;
-        let mut random_bytes = Array::<u8, RandomLen>::default();
-        let dst = [dst];
-        let mut expander = X::expand_message(
+        Ed448::hash_from_bytes::<ExpandMsgXof<sha3::Shake256>>(
             &[msg],
-            &dst,
-            core::num::NonZero::new(RandomLen::U16 * 2)
-                .expect("invariant violation: random is non zero length"),
+            &[DEFAULT_HASH_TO_CURVE_SUITE],
         )
-        .expect("bad dst");
-        expander.fill_bytes(&mut random_bytes);
-        let u0 = FieldElement::from_okm(&random_bytes);
-        expander.fill_bytes(&mut random_bytes);
-        let u1 = FieldElement::from_okm(&random_bytes);
-        let mut q0 = u0.map_to_curve_elligator2();
-        let mut q1 = u1.map_to_curve_elligator2();
-        q0 = q0.isogeny();
-        q1 = q1.isogeny();
-
-        (q0.to_edwards() + q1.to_edwards()).double().double()
+        .expect("should never fail with the given `ExpandMsg` and `dst`")
     }
 
     /// Encode a message to a point on the curve
     ///
-    /// Encode using the default domain separation tag and hash function
+    /// Encode using the default domain separation tag and hash function.
+    /// For more control see [`GroupDigest::encode_from_bytes()`].
     pub fn encode_with_defaults(msg: &[u8]) -> Self {
-        Self::encode::<ExpandMsgXof<sha3::Shake256>>(msg, DEFAULT_ENCODE_TO_CURVE_SUITE)
-    }
-
-    /// Encode a message to a point on the curve
-    ///
-    /// Implements encode to curve according
-    /// see <https://datatracker.ietf.org/doc/rfc9380/>
-    pub fn encode<X>(msg: &[u8], dst: &[u8]) -> Self
-    where
-        X: ExpandMsg<U28>,
-    {
-        type RandomLen = U84;
-        let mut random_bytes = Array::<u8, RandomLen>::default();
-        let dst = [dst];
-        let mut expander = X::expand_message(
+        Ed448::encode_from_bytes::<ExpandMsgXof<sha3::Shake256>>(
             &[msg],
-            &dst,
-            core::num::NonZero::new(RandomLen::U16)
-                .expect("invariant violation: random is non zero length"),
+            &[DEFAULT_ENCODE_TO_CURVE_SUITE],
         )
-        .expect("bad dst");
-        expander.fill_bytes(&mut random_bytes);
-        let u0 = FieldElement::from_okm(&random_bytes);
-        let mut q0 = u0.map_to_curve_elligator2();
-        q0 = q0.isogeny();
-
-        q0.to_edwards().double().double()
+        .expect("should never fail with the given `ExpandMsg` and `dst`")
     }
 }
 
@@ -1197,7 +1150,7 @@ mod tests {
         ];
 
         for (msg, x, y) in MSGS {
-            let p = EdwardsPoint::hash::<ExpandMsgXof<sha3::Shake256>>(msg, DST);
+            let p = Ed448::hash_from_bytes::<ExpandMsgXof<sha3::Shake256>>(&[msg], &[DST]).unwrap();
             assert_eq!(p.is_on_curve().unwrap_u8(), 1u8);
             let p = p.to_affine();
             let mut xx = [0u8; 56];
@@ -1234,7 +1187,8 @@ mod tests {
         ];
 
         for (msg, x, y) in MSGS {
-            let p = EdwardsPoint::encode::<ExpandMsgXof<sha3::Shake256>>(msg, DST);
+            let p =
+                Ed448::encode_from_bytes::<ExpandMsgXof<sha3::Shake256>>(&[msg], &[DST]).unwrap();
             assert_eq!(p.is_on_curve().unwrap_u8(), 1u8);
             let p = p.to_affine();
             let mut xx = [0u8; 56];
 
@@ -104,6 +104,7 @@ impl FromOkm for EdwardsScalar {
 mod test {
     use super::*;
     use elliptic_curve::array::Array;
+    use hash2curve::GroupDigest;
     use hex_literal::hex;
 
     #[test]
@@ -312,7 +313,8 @@ mod test {
     fn scalar_hash() {
         let msg = b"hello world";
         let dst = b"edwards448_XOF:SHAKE256_ELL2_RO_";
-        let res = EdwardsScalar::hash::<hash2curve::ExpandMsgXof<sha3::Shake256>>(msg, dst);
+        let res = Ed448::hash_to_scalar::<hash2curve::ExpandMsgXof<sha3::Shake256>>(&[msg], &[dst])
+            .unwrap();
         let expected: [u8; 57] = hex_literal::hex!(
             "2d32a08f09b88275cc5f437e625696b18de718ed94559e17e4d64aafd143a8527705132178b5ce7395ea6214735387398a35913656b4951300"
         );
 
@@ -5,15 +5,14 @@ use crate::*;
 
 use elliptic_curve::{
     CurveGroup, Error, Group,
-    array::{Array, typenum::Unsigned},
-    consts::{U32, U56, U84},
+    array::Array,
+    consts::U56,
     group::{GroupEncoding, cofactor::CofactorGroup, prime::PrimeGroup},
     ops::LinearCombination,
     point::NonIdentity,
 };
 
 use core::fmt::{Display, Formatter, LowerHex, Result as FmtResult, UpperHex};
-use hash2curve::{ExpandMsg, Expander, FromOkm};
 use rand_core::{CryptoRng, TryRngCore};
 use subtle::{Choice, ConditionallyNegatable, ConditionallySelectable, ConstantTimeEq, CtOption};
 
@@ -348,35 +347,6 @@ impl DecafPoint {
         Self::from_uniform_bytes(&uniform_bytes)
     }
 
-    /// Construct a `DecafPoint` using `ExpandMsg`.
-    ///
-    /// This function is similar to `hash_to_curve` in the IETF draft
-    /// where an expand_message function can be chosen and a domain
-    /// separation tag.
-    pub fn hash<X>(msg: &[u8], dst: &[u8]) -> Self
-    where
-        X: ExpandMsg<U32>,
-    {
-        type RandomLen = U84;
-        let dst = [dst];
-        let mut random_bytes = Array::<u8, RandomLen>::default();
-        let mut expander = X::expand_message(
-            &[msg],
-            &dst,
-            core::num::NonZero::new(RandomLen::U16 * 2)
-                .expect("invariant violation: random is non zero length"),
-        )
-        .expect("bad dst");
-        expander.fill_bytes(&mut random_bytes);
-        let u0 = FieldElement::from_okm(&random_bytes);
-        expander.fill_bytes(&mut random_bytes);
-        let u1 = FieldElement::from_okm(&random_bytes);
-
-        let q0 = u0.map_to_curve_decaf448();
-        let q1 = u1.map_to_curve_decaf448();
-        Self(q0.add(&q1))
-    }
-
     /// Construct a `DecafPoint` from 112 bytes of data.
     ///
     /// If the input bytes are uniformly distributed, the resulting
@@ -774,7 +744,11 @@ mod test {
         use hash2curve::ExpandMsgXof;
 
         let msg = b"Hello, world!";
-        let point = DecafPoint::hash::<ExpandMsgXof<sha3::Shake256>>(msg, b"test_hash_to_curve");
+        let point = Decaf448::hash_from_bytes::<ExpandMsgXof<sha3::Shake256>>(
+            &[msg],
+            &[b"test_hash_to_curve"],
+        )
+        .unwrap();
         assert_eq!(point.0.is_on_curve().unwrap_u8(), 1u8);
         assert_ne!(point, DecafPoint::IDENTITY);
         assert_ne!(point, DecafPoint::GENERATOR);
 
@@ -87,7 +87,9 @@ mod test {
     use super::*;
     use elliptic_curve::PrimeField;
     use elliptic_curve::array::Array;
+    use hash2curve::{ExpandMsgXof, GroupDigest};
     use hex_literal::hex;
+    use sha3::Shake256;
 
     #[test]
     fn test_basic_add() {
@@ -283,10 +285,63 @@ mod test {
     fn scalar_hash() {
         let msg = b"hello world";
         let dst = b"decaf448_XOF:SHAKE256_D448MAP_RO_";
-        let res = DecafScalar::hash::<hash2curve::ExpandMsgXof<sha3::Shake256>>(msg, dst);
+        let res = Decaf448::hash_to_scalar::<ExpandMsgXof<Shake256>>(&[msg], &[dst]).unwrap();
         let expected: [u8; 56] = hex_literal::hex!(
             "55e7b59aa035db959409c6b69b817a18c8133d9ad06687665f5720672924da0a84eab7fee415ef13e7aaebdd227291ee8e156f32c507ad2e"
         );
         assert_eq!(res.to_repr(), Array::from(expected));
     }
+
+    /// Taken from <https://www.rfc-editor.org/rfc/rfc9497.html#name-decaf448-shake256>.
+    #[test]
+    fn hash_to_scalar_voprf() {
+        struct TestVector {
+            dst: &'static [u8],
+            sk_sm: &'static [u8],
+        }
+
+        const KEY_INFO: &[u8] = b"test key";
+        const SEED: &[u8] =
+            &hex!("a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3");
+
+        const TEST_VECTORS: &[TestVector] = &[
+            TestVector {
+                dst: b"DeriveKeyPairOPRFV1-\x00-decaf448-SHAKE256",
+                sk_sm: &hex!(
+                    "e8b1375371fd11ebeb224f832dcc16d371b4188951c438f751425699ed29ecc80c6c13e558ccd67634fd82eac94aa8d1f0d7fee990695d1e"
+                ),
+            },
+            TestVector {
+                dst: b"DeriveKeyPairOPRFV1-\x01-decaf448-SHAKE256",
+                sk_sm: &hex!(
+                    "e3c01519a076a326a0eb566343e9b21c115fa18e6e85577ddbe890b33104fcc2835ddfb14a928dc3f5d79b936e17c76b99e0bf6a1680930e"
+                ),
+            },
+            TestVector {
+                dst: b"DeriveKeyPairOPRFV1-\x02-decaf448-SHAKE256",
+                sk_sm: &hex!(
+                    "792a10dcbd3ba4a52a054f6f39186623208695301e7adb9634b74709ab22de402990eb143fd7c67ac66be75e0609705ecea800992aac8e19"
+                ),
+            },
+        ];
+
+        let key_info_len = u16::try_from(KEY_INFO.len()).unwrap().to_be_bytes();
+
+        'outer: for test_vector in TEST_VECTORS {
+            for counter in 0_u8..=u8::MAX {
+                let scalar = Decaf448::hash_to_scalar::<ExpandMsgXof<Shake256>>(
+                    &[SEED, &key_info_len, KEY_INFO, &counter.to_be_bytes()],
+                    &[test_vector.dst],
+                )
+                .unwrap();
+
+                if !bool::from(scalar.is_zero()) {
+                    assert_eq!(scalar.to_bytes().as_slice(), test_vector.sk_sm);
+                    continue 'outer;
+                }
+            }
+
+            panic!("deriving key failed");
+        }
+    }
 }