From 09466e0ed76762ebed3cb12f5ae8446c19a1b614 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Sun, 21 Jul 2024 21:55:33 +0000
Subject: [PATCH] Require `ExpandMsgXmd` has `H::OutputSize < 256` instead of truncating

The draft (and the final RFC) do not explicitly give an upper limit on the hash output size, but section 5.3.3 says that `expand_message_xmd` requires that DST is at most 255 bytes, and when given a longer domain separation tag, to use the output of `H` directly as the DST. To avoid any ambiguities, we bound the set of `H` we support.
---
 src/hash_to_curve/expand_msg.rs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/hash_to_curve/expand_msg.rs b/src/hash_to_curve/expand_msg.rs
index e9993aab..129c7f3f 100644
--- a/src/hash_to_curve/expand_msg.rs
+++ b/src/hash_to_curve/expand_msg.rs
@@ -67,9 +67,13 @@ impl ExpandMsgDst {
 }
 
 /// Produces a DST for use with `expand_message_xmd`.
+ ///
+ /// The output size of `H` is required to be less than 256 bytes, so it can be used to
+ /// reduce domain separation tags that are longer than 255 bytes.
 fn for_xmd(dst: &[u8]) -> Self
 where
 H: Default + FixedOutput + Update,
+ H::OutputSize: IsLess,
 {
 let input_len = dst.len();
 ExpandMsgDst::new(|buf| {
@@ -78,7 +82,7 @@ impl ExpandMsgDst {
 .chain(OVERSIZE_DST_SALT)
 .chain(&dst)
 .finalize_fixed();
- let len = hashed.len().min(MAX_DST_LENGTH);
+ let len = hashed.len();
 buf[..len].copy_from_slice(&hashed);
 len
 } else {
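Review bot: The new bound `H::OutputSize: IsLess,` under `fn for_xmd` is rendered here with its type arguments stripped, so this cannot be confirmed from the hunk, but if it is written as a bare `IsLess<U256>` it does not actually reject hashes with a 256-byte or larger output: typenum implements `IsLess` for every pair of unsigned integers and only the associated `Output` carries the comparison result, so the bound has to pin it, e.g. `H::OutputSize: IsLess<U256, Output = True>` (or the `Le<H::OutputSize, U256>: NonZero` pair used by the `digest` crate). This matters because the second hunk drops the `.min(MAX_DST_LENGTH)` clamp and copies `hashed.len()` bytes into `buf[..len]`, so an over-long digest would now surface as a slice panic at runtime instead of a compile error, which is the opposite of what the commit message intends. The same bound line is added to `impl ExpandMessage for ExpandMsgXmd` in the last hunk and should be pinned the same way. The closure body of `for_xmd` continues past the end of the first hunk, and the size of `buf` is not visible here.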
@@ -216,7 +220,12 @@ where
 ///
 /// Implements [section 5.3.1 of `draft-irtf-cfrg-hash-to-curve-16`][expand_message_xmd].
 ///
+/// The output size of `H` is required to be less than 256 bytes, so it can be used to
+/// reduce domain separation tags that are longer than 255 bytes (as specified in
+/// [section 5.3.3 of `draft-irtf-cfrg-hash-to-curve-16`][dst]).
+///
 /// [expand_message_xmd]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.3.1
+/// [dst]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.3.3
 pub struct ExpandMsgXmd {
 dst: ExpandMsgDst,
 b_0: GenericArray,
@@ -237,6 +246,7 @@ impl Debug for ExpandMsgXmd {
 impl ExpandMessage for ExpandMsgXmd
 where
 H: Default + BlockInput + FixedOutput + Update,
+ H::OutputSize: IsLess,
 {
 fn init_expand(message: M, dst: &[u8], len_in_bytes: usize) -> Self
 where