Add decaf488 support

Author: daxpedda

.github/workflows/main.yml

@@ -36,6 +36,8 @@ jobs:
       matrix:
         backend_feature:
           - --features ristretto255-ciphersuite
+          - --features decaf448-ciphersuite
+          - --features ristretto255-ciphersuite,decaf448-ciphersuite
           -
         frontend_feature:
           -
@@ -94,6 +96,8 @@ jobs:
         backend_feature:
           -
           - --features ristretto255-ciphersuite
+          - --features decaf448-ciphersuite
+          - --features ristretto255-ciphersuite,decaf448-ciphersuite
         frontend_feature:
           -
           - --features danger

Cargo.toml

@@ -14,6 +14,8 @@ version = "0.5.0"
 [features]
 alloc = []
 danger = []
+decaf448 = ["dep:ed448"]
+decaf448-ciphersuite = ["decaf448", "dep:sha3"]
 default = ["ristretto255-ciphersuite", "dep:serde"]
 ristretto255 = ["dep:curve25519-dalek"]
 ristretto255-ciphersuite = ["ristretto255", "dep:sha2"]
@@ -29,6 +31,9 @@ curve25519-dalek = { version = "4", default-features = false, features = [
 derive-where = { version = "1", features = ["zeroize-on-drop"] }
 digest = "0.11.0-pre.10"
 displaydoc = { version = "0.2", default-features = false }
+ed448 = { version = "0.17.0-pre.0", default-features = false, features = [
+  "zeroize",
+], optional = true }
 elliptic-curve = { version = "0.14.0-rc.1", features = [
   "hash2curve",
   "sec1",
@@ -40,6 +45,7 @@ serde = { version = "1", default-features = false, features = [
   "derive",
 ], optional = true }
 sha2 = { version = "0.11.0-pre.5", default-features = false, optional = true }
+sha3 = { version = "0.11.0-pre.5", default-features = false, optional = true }
 subtle = { version = "2.3", default-features = false }
 zeroize = { version = "1.5", default-features = false }
 
@@ -71,6 +77,7 @@ targets = []
 [patch.crates-io]
 crypto-bigint = { git = "https://github.com/RustCrypto/crypto-bigint.git", rev = "e97beae6593c30b4477b7f29e30e5372cd8204bf" }
 curve25519-dalek = { git = "https://github.com/khonsulabs/curve25519-dalek", branch = "voprf" }
+ed448 = { git = "https://github.com/khonsulabs/elliptic-curves", branch = "ed448-voprf" }
 elliptic-curve = { git = "https://github.com/RustCrypto/traits", rev = "204a4e030fa98863429ccd3797e12f9e7c45dc33" }
 ff = { git = "https://github.com/zkcrypto/ff", branch = "release-0.14.0" }
 group = { git = "https://github.com/pinkforest/group", branch = "bump-rand-0.9" }

src/ciphersuite.rs

@@ -11,15 +11,15 @@
 use digest::core_api::BlockSizeUser;
 use digest::{FixedOutput, HashMarker, OutputSizeUser};
 use elliptic_curve::VoprfParameters;
+use elliptic_curve::hash2curve::{ExpandMsg, ExpandMsgXmd};
 use hybrid_array::typenum::{IsLess, IsLessOrEqual, U256};
 
 use crate::Group;
 
 /// Configures the underlying primitives used in VOPRF
 pub trait CipherSuite
 where
-    <Self::Hash as OutputSizeUser>::OutputSize:
-        IsLess<U256> + IsLessOrEqual<<Self::Hash as BlockSizeUser>::BlockSize>,
+    <Self::Hash as OutputSizeUser>::OutputSize: IsLess<U256>,
 {
     /// The ciphersuite identifier as dictated by
     /// <https://www.rfc-editor.org/rfc/rfc9497>
@@ -31,7 +31,11 @@ where
 
     /// The main hash function to use (for HKDF computations and hashing
     /// transcripts).
-    type Hash: BlockSizeUser + Default + FixedOutput + HashMarker;
+    type Hash: Default + FixedOutput + HashMarker;
+
+    /// Which function to use for `expand_message` in `HashToGroup()` and
+    /// `HashToScalar()`.
+    type ExpandMsg: for<'a> ExpandMsg<'a>;
 }
 
 impl<T: VoprfParameters> CipherSuite for T
@@ -46,4 +50,6 @@ where
     type Group = T;
 
     type Hash = T::Hash;
+
+    type ExpandMsg = ExpandMsgXmd<Self::Hash>;
 }

src/common.rs

@@ -179,7 +179,7 @@ pub(crate) fn generate_proof<CS: CipherSuite, R: TryRngCore + TryCryptoRng>(
 
     let dst = Dst::new::<CS, _>(STR_HASH_TO_SCALAR, mode);
     // This can't fail, the size of the `input` is known.
-    let c_scalar = CS::Group::hash_to_scalar::<CS::Hash>(&h2_input, &dst.as_dst()).unwrap();
+    let c_scalar = CS::Group::hash_to_scalar::<CS::ExpandMsg>(&h2_input, &dst.as_dst()).unwrap();
     let s_scalar = r - &(c_scalar * &k);
 
     Ok(Proof { c_scalar, s_scalar })
@@ -235,7 +235,7 @@ pub(crate) fn verify_proof<CS: CipherSuite>(
 
     let dst = Dst::new::<CS, _>(STR_HASH_TO_SCALAR, mode);
     // This can't fail, the size of the `input` is known.
-    let c = CS::Group::hash_to_scalar::<CS::Hash>(&h2_input, &dst.as_dst()).unwrap();
+    let c = CS::Group::hash_to_scalar::<CS::ExpandMsg>(&h2_input, &dst.as_dst()).unwrap();
 
     match c.ct_eq(&proof.c_scalar).into() {
         true => Ok(()),
@@ -309,7 +309,7 @@ fn compute_composites<
 
         let dst = Dst::new::<CS, _>(STR_HASH_TO_SCALAR, mode);
         // This can't fail, the size of the `input` is known.
-        let di = CS::Group::hash_to_scalar::<CS::Hash>(&h2_input, &dst.as_dst()).unwrap();
+        let di = CS::Group::hash_to_scalar::<CS::ExpandMsg>(&h2_input, &dst.as_dst()).unwrap();
         m = c * &di + &m;
         z = match k_option {
             Some(_) => z,
@@ -344,7 +344,7 @@ pub(crate) fn derive_key_internal<CS: CipherSuite>(
         // deriveInput = seed || I2OSP(len(info), 2) || info
         // skS = G.HashToScalar(deriveInput || I2OSP(counter, 1), DST = "DeriveKeyPair"
         // || contextString)
-        let sk_s = CS::Group::hash_to_scalar::<CS::Hash>(
+        let sk_s = CS::Group::hash_to_scalar::<CS::ExpandMsg>(
             &[seed, &info_len, info, &counter.to_be_bytes()],
             &dst.as_dst(),
         )
@@ -410,7 +410,7 @@ pub(crate) fn hash_to_group<CS: CipherSuite>(
     mode: Mode,
 ) -> Result<<CS::Group as Group>::Elem> {
     let dst = Dst::new::<CS, _>(STR_HASH_TO_GROUP, mode);
-    CS::Group::hash_to_curve::<CS::Hash>(&[input], &dst.as_dst()).map_err(|_| Error::Input)
+    CS::Group::hash_to_curve::<CS::ExpandMsg>(&[input], &dst.as_dst()).map_err(|_| Error::Input)
 }
 
 /// Internal function that finalizes the hash input for OPRF, VOPRF & POPRF.

src/group/decaf.rs

@@ -0,0 +1,143 @@
+// Copyright (c) Meta Platforms, Inc. and affiliates.
+//
+// This source code is dual-licensed under either the MIT license found in the
+// LICENSE-MIT file in the root directory of this source tree or the Apache
+// License, Version 2.0 found in the LICENSE-APACHE file in the root directory
+// of this source tree. You may select, at your option, one of the above-listed
+// licenses.
+
+use ed448::{CompressedDecaf, DecafPoint, Scalar};
+use elliptic_curve::bigint::{Encoding, NonZero, U448, U512};
+use elliptic_curve::hash2curve::{ExpandMsg, ExpandMsgXof, Expander};
+use hybrid_array::Array;
+use hybrid_array::typenum::U56;
+use rand_core::{TryCryptoRng, TryRngCore};
+use subtle::ConstantTimeEq;
+
+use super::Group;
+use crate::{Error, InternalError, Result};
+
+/// [`Group`] implementation for Decaf448.
+#[derive(Clone, Copy, Debug, Default, Eq, Hash, Ord, PartialEq, PartialOrd)]
+pub struct Decaf448;
+
+const WIDE_ORDER: NonZero<U512> = NonZero::<U512>::new_unwrap(U512::from_be_hex("00000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3"));
+const ORDER: NonZero<U448> = NonZero::<U448>::new_unwrap(ed448::ORDER);
+
+#[cfg(feature = "decaf448-ciphersuite")]
+impl crate::CipherSuite for Decaf448 {
+    const ID: &'static str = "decaf448-SHAKE256";
+
+    type Group = Decaf448;
+
+    type Hash = super::xof_fixed_wrapper::XofFixedWrapper<sha3::Shake256, hybrid_array::sizes::U64>;
+
+    type ExpandMsg = ExpandMsgXof<Self::Hash>;
+}
+
+impl Group for Decaf448 {
+    type Elem = DecafPoint;
+
+    type ElemLen = U56;
+
+    type Scalar = Scalar;
+
+    type ScalarLen = U56;
+
+    // Implements the `hash_to_ristretto255()` function from
+    // https://www.rfc-editor.org/rfc/rfc9380.html#appendix-C
+    fn hash_to_curve<X>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Elem, InternalError>
+    where
+        X: for<'a> ExpandMsg<'a>,
+    {
+        let mut uniform_bytes = [0; 112];
+        X::expand_message(input, dst, 112)
+            .map_err(|_| InternalError::Input)?
+            .fill_bytes(&mut uniform_bytes);
+
+        Ok(DecafPoint::from_uniform_bytes(&uniform_bytes))
+    }
+
+    // Implements the `HashToScalar()` function from
+    // https://www.rfc-editor.org/rfc/rfc9497#section-4.2
+    fn hash_to_scalar<X>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Scalar, InternalError>
+    where
+        X: for<'a> ExpandMsg<'a>,
+    {
+        let mut uniform_bytes = [0; 64];
+        X::expand_message(input, dst, 64)
+            .map_err(|_| InternalError::Input)?
+            .fill_bytes(&mut uniform_bytes);
+        let uniform_bytes = U512::from_le_slice(&uniform_bytes);
+
+        let scalar = uniform_bytes.rem(&WIDE_ORDER);
+        let scalar = Scalar::from_bytes(&scalar.to_le_bytes()[..56].try_into().unwrap());
+
+        Ok(scalar)
+    }
+
+    fn base_elem() -> Self::Elem {
+        DecafPoint::GENERATOR
+    }
+
+    fn identity_elem() -> Self::Elem {
+        DecafPoint::IDENTITY
+    }
+
+    // serialization of a group element
+    fn serialize_elem(elem: Self::Elem) -> Array<u8, Self::ElemLen> {
+        elem.compress().0.into()
+    }
+
+    fn deserialize_elem(element_bits: &[u8]) -> Result<Self::Elem> {
+        let result = element_bits
+            .try_into()
+            .map(CompressedDecaf)
+            .map_err(|_| Error::Deserialization)?
+            .decompress();
+        Option::from(result)
+            .filter(|point| point != &DecafPoint::IDENTITY)
+            .ok_or(Error::Deserialization)
+    }
+
+    fn random_scalar<R: TryRngCore + TryCryptoRng>(rng: &mut R) -> Result<Self::Scalar, R::Error> {
+        loop {
+            let mut scalar_bytes = [0; 64];
+            rng.try_fill_bytes(&mut scalar_bytes)?;
+            let scalar_bytes = U512::from_le_slice(&scalar_bytes);
+            let scalar = scalar_bytes.rem(&WIDE_ORDER);
+            let scalar = Scalar::from_bytes(&scalar.to_le_bytes()[..56].try_into().unwrap());
+
+            if scalar != Scalar::ZERO {
+                break Ok(scalar);
+            }
+        }
+    }
+
+    fn invert_scalar(scalar: Self::Scalar) -> Self::Scalar {
+        scalar.invert()
+    }
+
+    fn is_zero_scalar(scalar: Self::Scalar) -> subtle::Choice {
+        scalar.ct_eq(&Scalar::ZERO)
+    }
+
+    #[cfg(test)]
+    fn zero_scalar() -> Self::Scalar {
+        Scalar::ZERO
+    }
+
+    fn serialize_scalar(scalar: Self::Scalar) -> Array<u8, Self::ScalarLen> {
+        scalar.to_bytes().into()
+    }
+
+    fn deserialize_scalar(scalar_bits: &[u8]) -> Result<Self::Scalar> {
+        scalar_bits
+            .try_into()
+            .ok()
+            .map(U448::from_le_bytes)
+            .map(|value| Scalar::from_bytes(&value.rem(&ORDER).to_le_bytes()))
+            .filter(|scalar| scalar != &Scalar::ZERO)
+            .ok_or(Error::Deserialization)
+    }
+}

src/group/elliptic_curve.rs

@@ -8,15 +8,13 @@
 
 use core::ops::Add;
 
-use digest::core_api::BlockSizeUser;
-use digest::{FixedOutput, HashMarker};
 use elliptic_curve::group::cofactor::CofactorGroup;
-use elliptic_curve::hash2curve::{ExpandMsgXmd, FromOkm, GroupDigest};
+use elliptic_curve::hash2curve::{ExpandMsg, FromOkm, GroupDigest};
 use elliptic_curve::sec1::{FromEncodedPoint, ModulusSize, ToEncodedPoint};
 use elliptic_curve::{
     AffinePoint, Field, FieldBytesSize, Group as _, ProjectivePoint, PublicKey, Scalar, SecretKey,
 };
-use hybrid_array::typenum::{IsLess, IsLessOrEqual, Sum, U256};
+use hybrid_array::typenum::Sum;
 use hybrid_array::{Array, ArraySize};
 use rand_core::{TryCryptoRng, TryRngCore};
 
@@ -50,22 +48,19 @@ where
 
     // Implements the `hash_to_curve()` function from
     // https://www.rfc-editor.org/rfc/rfc9380.html#section-3
-    fn hash_to_curve<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Elem, InternalError>
+    fn hash_to_curve<X>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Elem, InternalError>
     where
-        H: BlockSizeUser + Default + FixedOutput + HashMarker,
-        H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
+        X: for<'a> ExpandMsg<'a>,
     {
-        Self::hash_from_bytes::<ExpandMsgXmd<H>>(input, dst).map_err(|_| InternalError::Input)
+        Self::hash_from_bytes::<X>(input, dst).map_err(|_| InternalError::Input)
     }
 
     // Implements the `HashToScalar()` function
-    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Scalar, InternalError>
+    fn hash_to_scalar<X>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Scalar, InternalError>
     where
-        H: BlockSizeUser + Default + FixedOutput + HashMarker,
-        H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
+        X: for<'a> ExpandMsg<'a>,
     {
-        <Self as GroupDigest>::hash_to_scalar::<ExpandMsgXmd<H>>(input, dst)
-            .map_err(|_| InternalError::Input)
+        <Self as GroupDigest>::hash_to_scalar::<X>(input, dst).map_err(|_| InternalError::Input)
     }
 
     fn base_elem() -> Self::Elem {

src/group/mod.rs

@@ -8,15 +8,20 @@
 
 //! Defines the Group trait to specify the underlying prime order group
 
+#[cfg(feature = "decaf448")]
+mod decaf;
 mod elliptic_curve;
 #[cfg(feature = "ristretto255")]
 mod ristretto;
+#[cfg(feature = "decaf448-ciphersuite")]
+mod xof_fixed_wrapper;
 
 use core::ops::{Add, Mul, Sub};
 
-use digest::core_api::BlockSizeUser;
-use digest::{FixedOutput, HashMarker};
-use hybrid_array::typenum::{IsLess, IsLessOrEqual, Sum, U256};
+use ::elliptic_curve::hash2curve::ExpandMsg;
+#[cfg(feature = "decaf448")]
+pub use decaf::Decaf448;
+use hybrid_array::typenum::Sum;
 use hybrid_array::{Array, ArraySize};
 use rand_core::{TryCryptoRng, TryRngCore};
 #[cfg(feature = "ristretto255")]
@@ -63,20 +68,18 @@ where
     /// # Errors
     /// [`Error::Input`](crate::Error::Input) if the `input` is empty or longer
     /// then [`u16::MAX`].
-    fn hash_to_curve<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Elem, InternalError>
+    fn hash_to_curve<X>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Elem, InternalError>
     where
-        H: BlockSizeUser + Default + FixedOutput + HashMarker,
-        H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>;
+        X: for<'a> ExpandMsg<'a>;
 
     /// Hashes a slice of pseudo-random bytes to a scalar
     ///
     /// # Errors
     /// [`Error::Input`](crate::Error::Input) if the `input` is empty or longer
     /// then [`u16::MAX`].
-    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Scalar, InternalError>
+    fn hash_to_scalar<X>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Scalar, InternalError>
     where
-        H: BlockSizeUser + Default + FixedOutput + HashMarker,
-        H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>;
+        X: for<'a> ExpandMsg<'a>;
 
     /// Get the base point for the group
     fn base_elem() -> Self::Elem;