diff --git a/src/arkworks/elligator2.rs b/src/arkworks/elligator2.rs
index d88f65b..e1f6756 100644
--- a/src/arkworks/elligator2.rs
+++ b/src/arkworks/elligator2.rs
@@ -5,12 +5,7 @@
 //! - Elligator2 hash-to-curve for Bandersnatch: https://github.com/arkworks-rs/algebra/pull/758
 
 use ark_ec::{
-    hashing::{
-        // TODO: this looks identical to the one introduced by #659
-        curve_maps::swu::parity,
-        map_to_curve_hasher::MapToCurve,
-        HashToCurveError,
-    },
+    hashing::{curve_maps::swu::parity, map_to_curve_hasher::MapToCurve, HashToCurveError},
     twisted_edwards::{Affine, MontCurveConfig, Projective, TECurveConfig},
 };
 use ark_ff::{Field, One, Zero};
diff --git a/src/codec.rs b/src/codec.rs
index de4ca63..a6d9dc5 100644
--- a/src/codec.rs
+++ b/src/codec.rs
@@ -32,7 +32,7 @@ impl Codec for ArkworksCodec {
     }
 
     fn point_decode(buf: &[u8]) -> Result, Error> {
-        AffinePoint::::deserialize_compressed_unchecked(buf).map_err(|e| e.into())
+        AffinePoint::::deserialize_compressed_unchecked(buf).map_err(Into::into)
     }
 
     fn scalar_encode(sc: &ScalarField, buf: &mut Vec) {
diff --git a/src/suites/bandersnatch.rs b/src/suites/bandersnatch.rs
index d20e777..35a777a 100644
--- a/src/suites/bandersnatch.rs
+++ b/src/suites/bandersnatch.rs
@@ -136,7 +136,6 @@ pub mod edwards {
         fn data_to_point(data: &[u8]) -> Option {
             // "XMD" for expand_message_xmd (Section 5.3.1).
             // "RO" for random oracle (Section 3 - hash_to_curve method)
-            // TODO: prepend `encode_to_curve_salt` (i.e. pk)
             let h2c_suite_id = b"Bandersnatch_XMD:SHA-512_ELL2_RO_";
             utils::hash_to_curve_ell2_rfc_9380::(data, h2c_suite_id)
         }
diff --git a/src/utils.rs b/src/utils.rs
index 9a7da4e..a1d4393 100644
--- a/src/utils.rs
+++ b/src/utils.rs
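Review bot: In the codec.rs hunk, `point_decode` still goes through `deserialize_compressed_unchecked`, which skips arkworks' on-curve and subgroup validation, and nothing in the signature tells a caller that the returned point is unvalidated. If this is the decoder used for public keys or proof points received over the wire, that is where an invalid-point or small-subgroup input would slip in, so the contract should be stated at the definition: `/// Decodes without on-curve/subgroup validation (`deserialize_compressed_unchecked`); callers handling untrusted bytes must validate (or clear the cofactor) themselves.` Alternatively use the checked deserializer where the extra cost is acceptable. The enclosing `impl Codec for ArkworksCodec` starts and ends outside the hunk.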
@@ -89,12 +89,15 @@ pub fn hash_to_curve_tai_rfc_9381(data: &[u8]) -> Option(&buf).to_vec();
+        let mut buf = hash::(&buf).to_vec();
+        // TODO: remove this hack at some point!
+        // Maybe we can just leave `buf` "as-is", and introduce a default behavior in
+        // `point_decode` where, if flag is missing, then use the default one (e.g. 0x02).
         if S::Codec::BIG_ENDIAN {
-            hash.insert(0, 0x02);
+            buf.insert(0, 0x02);
         }
-        if let Ok(pt) = codec::point_decode::(&hash[..]) {
+        if let Ok(pt) = codec::point_decode::(&buf[..]) {
             let pt = pt.clear_cofactor();
             if !pt.is_zero() {
                 return Some(pt);
@@ -144,7 +147,7 @@ where
     Some(res)
 }
 
-/// Challenge generation according to RFC 9381 section 5.4.3.
+/// Challenge generation according to RFC-9381 section 5.4.3.
 pub fn challenge_rfc_9381(pts: &[&AffinePoint], ad: &[u8]) -> ScalarField {
     const DOM_SEP_START: u8 = 0x02;
     const DOM_SEP_END: u8 = 0x00;
@@ -158,7 +161,7 @@ pub fn challenge_rfc_9381(pts: &[&AffinePoint], ad: &[u8]) -> Scala
     ScalarField::::from_be_bytes_mod_order(hash)
 }
 
-/// Point to a hash according to RFC 9381 section .
+/// Point to a hash according to RFC-9381 section 5.2.
 pub fn point_to_hash_rfc_9381(pt: &AffinePoint) -> HashOutput {
     const DOM_SEP_START: u8 = 0x03;
     const DOM_SEP_END: u8 = 0x00;
@@ -168,7 +171,7 @@ pub fn point_to_hash_rfc_9381(pt: &AffinePoint) -> HashOutput {
     hash::(&buf)
 }
 
-/// Nonce generation according to RFC 9381 section 5.4.2.2.
+/// Nonce generation according to RFC-9381 section 5.4.2.2.
 ///
 /// This procedure is based on section 5.1.6 of RFC 8032: "Edwards-Curve Digital
 /// Signature Algorithm (EdDSA)".
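Review bot: The three-line TODO added in the first utils.rs hunk frames the `0x02` prefix as a hack to be moved into `point_decode`, but as far as I recall that prefix is exactly what RFC 9381 specifies for try-and-increment on SEC1-style suites (`interpret_hash_value_as_a_point(s) = string_to_point(0x02 || s)`, with the Edwards suites using the string as-is), which is what the `S::Codec::BIG_ENDIAN` branch implements, so it belongs in this encoding step rather than in the decoder. Teaching `point_decode` to tolerate a missing flag byte would loosen decoding for every other caller (public keys, proof points), which is the opposite of what a decoder for untrusted bytes should do. I would replace the TODO with `// RFC 9381 try-and-increment: big-endian (SEC1-style) suites decode 0x02 || hash_string, Edwards suites decode hash_string as-is.` and keep the decoder strict. Note that a decode failure is deliberately swallowed here so the increment loop can continue, and the rebound `buf` shadows the input buffer assembled above the hunk; `hash_to_curve_tai_rfc_9381` starts before and ends after this hunk, and its first removed line is fused into the hunk header in this rendering.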