Skip to content

ExpandMsg improvements#1862

Merged
tarcieri merged 8 commits intoRustCrypto:masterfrom
khonsulabs:hash2curve-improvement-3
May 28, 2025
Merged

ExpandMsg improvements#1862
tarcieri merged 8 commits intoRustCrypto:masterfrom
khonsulabs:hash2curve-improvement-3

Conversation

@daxpedda
Copy link
Contributor

@daxpedda daxpedda commented May 27, 2025
edited
Loading

Changes to ExpandMsg

  • Move generic parameter K from ExpandMsg implementers to trait ExpandMsg itself. This was necessary to be able to enforce the correct K instead of letting users insert an arbitrary one. E.g. GroupDigest::hash_from_bytes() can now where X: ExpandMsg<Self::K> instead of users calling hash_from_bytes::<ExpandMsgXmd<Sha256, U0>>().

    However, this made calling ExpandMsg implementers directly more difficult. E.g. instead of ExpandMsgXmd::<Sha256, U32>::expand_msg(...) users now have to write <ExpandMsgXmd<Sha256> as ExpandMsg<U32>>::expand_message(). If we want to address this, I propose adding RawExpandMsgXmd.

  • Add CollisionResistance requirement to ExpandMsgXof.

  • Move the lifetime on ExpandMsg to the associated type Expander<'dst>.

  • Fix dst not actually being checked to be empty, but instead checked for number of slices.

  • Move GroupDigests ProjectivePoint: CofactorGroup bound to super trait bounds. This makes it less "poisoning" so downstream users don't have to write where ProjectivePoint: CofactorGroup every time they use GroupDigest.

  • Move GroupDigest::hash_to_scalar()s Scalar: FromOkm bounds to GroupDigest. I believe this was a historical leftover when FromOkm wasn't implemented for Scalars yet.

  • Improved some documentation around hash2curve and updated all mentions of the draft to RFC9380.

  • Rename parameter names msgs and dsts to singular msg and dst. This is to avoid confusion: even though the type is &[&[u8]], it doesn't represent multiple messages or DSTs, but single concated ones.

  • Remove non-functioning examples. While I don't think the examples are necessary, I'm happy to re-add them if desired, but I would have to add GroupDigest to the Dev curve.

Changes to VOPRF

While I was at it, I also adjusted a couple of things around VoprfParameters (but I'm happy to split this into its own PR):

  • Renamed all mentions of VOPRF to OPRF. VOPRF was the old name of the draft when it was just a single "mode", the RFC is split into three modes: OPRF, VOPRF and POPRF. The RFC itself is called "Oblivious Pseudorandom Functions (OPRFs)".
  • Changed associated const ID from &str to &[u8].
  • Changed associated type Hash from requiring Digest to Default + FixedOutput + Update.
  • Updated all mentions of the VOPRF draft to RFC9497.

Related: RustCrypto/hashes#694.
Companion PR: RustCrypto/elliptic-curves#1203.

@daxpedda daxpedda force-pushed the hash2curve-improvement-3 branch from 7b221e2 to 9df328e Compare May 27, 2025 21:28
@daxpedda daxpedda mentioned this pull request May 27, 2025
Merged
@daxpedda daxpedda force-pushed the hash2curve-improvement-3 branch from 9df328e to 5c1b97f Compare May 27, 2025 21:35
@daxpedda daxpedda mentioned this pull request May 27, 2025
Merged
@daxpedda
Copy link
Contributor Author

daxpedda commented May 28, 2025

Cc @mikelodder7.

newpavlov pushed a commit to RustCrypto/hashes that referenced this pull request May 28, 2025
@daxpedda
Implement CollisionResistance for XOFs (#694)
d9ad085 
This PR implements `CollisionResistance` for all XOFs. I started with
those to add support for `ExpandMsgXof` in `elliptic-curve` and will do
follow-up PRs for at least SHA2 and SHA3 fixed output hashes.

Companion PR: RustCrypto/traits#1862.

See RustCrypto/traits#1816 for previous
discussions.
@daxpedda daxpedda force-pushed the hash2curve-improvement-3 branch from 5c1b97f to fac0af9 Compare May 28, 2025 12:15
@daxpedda daxpedda marked this pull request as ready for review May 28, 2025 12:15
@andrewwhitehead
Copy link
Contributor

andrewwhitehead commented May 28, 2025

Looks good to me.

I was just preparing a PR to address #1146 which would remove the CofactorGroup dependency here. I would propose implementing MapToCurve as in that issue and then simplifying to pub trait GroupDigest: MapToCurve. This would also allow removing the no-op CofactorGroup implementations in the elliptic-curves repo. I could follow up with those changes to avoid conflicts.

@mikelodder7
Copy link
Contributor

mikelodder7 commented May 28, 2025

This LGTM. I like the approach to remove the poisoning effect.

@daxpedda
Copy link
Contributor Author

daxpedda commented May 28, 2025
edited
Loading

I could follow up with those changes to avoid conflicts.

Feel free to do your thing, I'm happy to rebase.

@daxpedda daxpedda force-pushed the hash2curve-improvement-3 branch from fac0af9 to d11b3be Compare May 28, 2025 19:02
@tarcieri tarcieri merged commit e728ece into RustCrypto:master May 28, 2025
79 checks passed
sebastinas pushed a commit to sebastinas/ascon-aead that referenced this pull request Nov 3, 2025
@daxpedda @sebastinas
Implement CollisionResistance for XOFs
7f250d1 
This PR implements `CollisionResistance` for all XOFs. I started with
those to add support for `ExpandMsgXof` in `elliptic-curve` and will do
follow-up PRs for at least SHA2 and SHA3 fixed output hashes.

Companion PR: RustCrypto/traits#1862.

See RustCrypto/traits#1816 for previous
discussions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tarcieri tarcieri tarcieri approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@daxpedda @andrewwhitehead @mikelodder7 @tarcieri