@daxpedda (Contributor) commented May 27, 2025

Changes to ExpandMsg

  • Move generic parameter `K` from `ExpandMsg` implementers to the trait `ExpandMsg` itself. This was necessary to be able to enforce the correct `K` instead of letting users insert an arbitrary one. E.g. `GroupDigest::hash_from_bytes()` can now require `where X: ExpandMsg<Self::K>` instead of users calling `hash_from_bytes::<ExpandMsgXmd<Sha256, U0>>()`.

    However, this made calling `ExpandMsg` implementers directly more difficult. E.g. instead of `ExpandMsgXmd::<Sha256, U32>::expand_msg(...)` users now have to write `<ExpandMsgXmd<Sha256> as ExpandMsg<U32>>::expand_message()`. If we want to address this, I propose adding `RawExpandMsgXmd`.

  • Add `CollisionResistance` requirement to `ExpandMsgXof`.

  • Move the lifetime on `ExpandMsg` to the associated type `Expander<'dst>`.

  • Fix `dst` not actually being checked to be empty, but instead checked for number of slices.

  • Move `GroupDigest`'s `ProjectivePoint: CofactorGroup` bound to super trait bounds. This makes it less "poisoning", so downstream users don't have to write `where ProjectivePoint: CofactorGroup` every time they use `GroupDigest`.

  • Move `GroupDigest::hash_to_scalar()`'s `Scalar: FromOkm` bound to `GroupDigest`. I believe this was a historical leftover from when `FromOkm` wasn't implemented for `Scalar`s yet.

  • Improved some documentation around hash2curve and updated all mentions of the draft to RFC 9380.

  • Rename parameter names `msgs` and `dsts` to singular `msg` and `dst`. This is to avoid confusion: even though the type is `&[&[u8]]`, it doesn't represent multiple messages or DSTs, but single concatenated ones.

  • Remove non-functioning examples. While I don't think the examples are necessary, I'm happy to re-add them if desired, but I would have to add `GroupDigest` to the Dev curve.

Changes to VOPRF

While I was at it, I also adjusted a couple of things around `VoprfParameters` (but I'm happy to split this into its own PR):

  • Renamed all mentions of VOPRF to OPRF. VOPRF was the old name of the draft when it was just a single "mode"; the RFC is split into three modes: OPRF, VOPRF and POPRF. The RFC itself is called "Oblivious Pseudorandom Functions (OPRFs)".
  • Changed associated const `ID` from `&str` to `&[u8]`.
  • Changed associated type `Hash` from requiring `Digest` to `Default + FixedOutput + Update`.
  • Updated all mentions of the VOPRF draft to RFC 9497.

Related: RustCrypto/hashes#694.
Companion PR: RustCrypto/elliptic-curves#1203.
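As an added illustration of two points in the description above (K pinned by the trait bound rather than chosen by the caller, and the DST emptiness check counting bytes rather than slices), here is a small stand-alone model; it is not the elliptic-curve crate's code. `U16`/`SecurityBytes` stand in for typenum, `toy_xof`, `effective_dst` and `dst_for` are hypothetical names, and the oversize-DST rule follows RFC 9380 §5.3.3.

```rust
use core::marker::PhantomData;
// Stand-in for the typenum size parameter the real crate uses (assumption).
pub struct U16;
pub trait SecurityBytes { const BYTES: usize; }
impl SecurityBytes for U16 { const BYTES: usize = 16; }
#[derive(Debug, PartialEq)]
pub enum Error { EmptyDst }

// The fixed check: reject a DST with zero bytes, not zero slices.
// `&[&[]]` has one slice but no bytes and must still be rejected.
pub fn check_dst(dst: &[&[u8]]) -> Result<usize, Error> {
    let total: usize = dst.iter().map(|s| s.len()).sum();
    if total == 0 { Err(Error::EmptyDst) } else { Ok(total) }
}

// K is a parameter of the trait, so a bound `X: ExpandMsg<Self::K>` pins it;
// implementers no longer accept an arbitrary K chosen by the caller.
pub trait ExpandMsg<K: SecurityBytes> {
    // Hypothetical method: the DST actually fed to the hash, passed through as-is or,
    // when longer than 255 bytes, replaced by a 2*K-byte digest (RFC 9380 §5.3.3).
    fn effective_dst(dst: &[&[u8]]) -> Result<Vec<u8>, Error>;
}

pub struct ExpandMsgXof<H>(PhantomData<H>);
pub struct ToyXof;
// Constructed stand-in for a XOF: deterministic and length-adjustable, not secure.
fn toy_xof(input: &[&[u8]], out_len: usize) -> Vec<u8> {
    let mut acc = 0x5au8;
    (0..out_len).map(|i| {
        for b in input.iter().flat_map(|s| s.iter()) { acc = acc.rotate_left(3) ^ b ^ (i as u8); }
        acc
    }).collect()
}

impl<K: SecurityBytes> ExpandMsg<K> for ExpandMsgXof<ToyXof> {
    fn effective_dst(dst: &[&[u8]]) -> Result<Vec<u8>, Error> {
        if check_dst(dst)? <= 255 { return Ok(dst.concat()); }
        let mut input: Vec<&[u8]> = Vec::with_capacity(dst.len() + 1);
        input.push(b"H2C-OVERSIZE-DST-");
        input.extend_from_slice(dst);
        Ok(toy_xof(&input, 2 * K::BYTES))
    }
}
// The group fixes K; `dst_for` is a hypothetical stand-in for `hash_from_bytes`.
pub trait GroupDigest {
    type K: SecurityBytes;
    fn dst_for<X: ExpandMsg<Self::K>>(dst: &[&[u8]]) -> Result<Vec<u8>, Error> { X::effective_dst(dst) }
}
pub struct ToyGroup;
impl GroupDigest for ToyGroup { type K = U16; }
```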

@daxpedda (Contributor, Author)

Cc @mikelodder7.

newpavlov pushed a commit to RustCrypto/hashes that referenced this pull request May 28, 2025
This PR implements `CollisionResistance` for all XOFs. I started with
those to add support for `ExpandMsgXof` in `elliptic-curve` and will do
follow-up PRs for at least SHA2 and SHA3 fixed output hashes.

Companion PR: RustCrypto/traits#1862.

See RustCrypto/traits#1816 for previous
discussions.
@daxpedda daxpedda force-pushed the hash2curve-improvement-3 branch from 5c1b97f to fac0af9 Compare May 28, 2025 12:15
@daxpedda daxpedda marked this pull request as ready for review May 28, 2025 12:15
@andrewwhitehead (Contributor)

Looks good to me.

I was just preparing a PR to address #1146 which would remove the `CofactorGroup` dependency here. I would propose implementing `MapToCurve` as in that issue and then simplifying to `pub trait GroupDigest: MapToCurve`. This would also allow removing the no-op `CofactorGroup` implementations in the elliptic-curves repo. I could follow up with those changes to avoid conflicts.

@mikelodder7 (Contributor)

This LGTM. I like the approach to remove the poisoning effect.

@daxpedda (Contributor, Author) commented May 28, 2025

> I could follow up with those changes to avoid conflicts.

Feel free to do your thing, I'm happy to rebase.

@daxpedda daxpedda force-pushed the hash2curve-improvement-3 branch from fac0af9 to d11b3be Compare May 28, 2025 19:02
@tarcieri tarcieri merged commit e728ece into RustCrypto:master May 28, 2025
79 checks passed
sebastinas pushed a commit to sebastinas/ascon-aead that referenced this pull request Nov 3, 2025