Revert "Various fixes and improvements to hash2curve (#1813)"

This reverts commit 5d3e031.

Temporarily reverting to unblock updating
https://github.com/RustCrypto/elliptic-curves

Author: tarcieri

elliptic-curve/src/hash2curve/group_digest.rs

@@ -3,7 +3,6 @@
 use super::{ExpandMsg, FromOkm, MapToCurve, hash_to_field};
 use crate::{CurveArithmetic, ProjectivePoint, Result};
 use group::cofactor::CofactorGroup;
-use hybrid_array::typenum::Unsigned;
 
 /// Adds hashing arbitrary byte sequences to a valid group element
 pub trait GroupDigest: CurveArithmetic
@@ -13,11 +12,6 @@ where
     /// The field element representation for a group value with multiple elements
     type FieldElement: FromOkm + MapToCurve<Output = ProjectivePoint<Self>> + Default + Copy;
 
-    /// The target security level in bytes:
-    /// <https://www.rfc-editor.org/rfc/rfc9380.html#section-8.9-2.2>
-    /// <https://www.rfc-editor.org/rfc/rfc9380.html#name-target-security-levels>
-    type K: Unsigned;
-
     /// Computes the hash to curve routine.
     ///
     /// From <https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-13.html>:

elliptic-curve/src/hash2curve/hash2field.rs

@@ -4,20 +4,15 @@
 
 mod expand_msg;
 
-use core::num::NonZeroUsize;
-
 pub use expand_msg::{xmd::*, xof::*, *};
 
 use crate::{Error, Result};
-use hybrid_array::{
-    Array, ArraySize,
-    typenum::{NonZero, Unsigned},
-};
+use hybrid_array::{Array, ArraySize, typenum::Unsigned};
 
 /// The trait for helping to convert to a field element.
 pub trait FromOkm {
     /// The number of bytes needed to convert to a field element.
-    type Length: ArraySize + NonZero;
+    type Length: ArraySize;
 
     /// Convert a byte sequence into a field element.
     fn from_okm(data: &Array<u8, Self::Length>) -> Self;
@@ -42,10 +37,7 @@ where
     E: ExpandMsg<'a>,
     T: FromOkm + Default,
 {
-    let len_in_bytes = T::Length::to_usize()
-        .checked_mul(out.len())
-        .and_then(NonZeroUsize::new)
-        .ok_or(Error)?;
+    let len_in_bytes = T::Length::to_usize().checked_mul(out.len()).ok_or(Error)?;
     let mut tmp = Array::<u8, <T as FromOkm>::Length>::default();
     let mut expander = E::expand_message(data, domain, len_in_bytes)?;
     for o in out.iter_mut() {

elliptic-curve/src/hash2curve/hash2field/expand_msg.rs

@@ -3,8 +3,6 @@
 pub(super) mod xmd;
 pub(super) mod xof;
 
-use core::num::NonZero;
-
 use crate::{Error, Result};
 use digest::{Digest, ExtendableOutput, Update, XofReader};
 use hybrid_array::typenum::{IsLess, U256};
@@ -30,7 +28,7 @@ pub trait ExpandMsg<'a> {
     fn expand_message(
         msgs: &[&[u8]],
         dsts: &'a [&'a [u8]],
-        len_in_bytes: NonZero<usize>,
+        len_in_bytes: usize,
     ) -> Result<Self::Expander>;
 }
 

elliptic-curve/src/hash2curve/hash2field/expand_msg/xmd.rs

@@ -1,69 +1,59 @@
 //! `expand_message_xmd` based on a hash function.
 
-use core::{marker::PhantomData, num::NonZero, ops::Mul};
+use core::marker::PhantomData;
 
 use super::{Domain, ExpandMsg, Expander};
 use crate::{Error, Result};
 use digest::{
     FixedOutput, HashMarker,
     array::{
         Array,
-        typenum::{IsGreaterOrEqual, IsLess, IsLessOrEqual, U2, U256, Unsigned},
+        typenum::{IsLess, IsLessOrEqual, U256, Unsigned},
     },
     core_api::BlockSizeUser,
 };
 
-/// Implements `expand_message_xof` via the [`ExpandMsg`] trait:
-/// <https://www.rfc-editor.org/rfc/rfc9380.html#name-expand_message_xmd>
-///
-/// `K` is the target security level in bytes:
-/// <https://www.rfc-editor.org/rfc/rfc9380.html#section-8.9-2.2>
-/// <https://www.rfc-editor.org/rfc/rfc9380.html#name-target-security-levels>
+/// Placeholder type for implementing `expand_message_xmd` based on a hash function
 ///
 /// # Errors
 /// - `dst.is_empty()`
+/// - `len_in_bytes == 0`
 /// - `len_in_bytes > u16::MAX`
 /// - `len_in_bytes > 255 * HashT::OutputSize`
 #[derive(Debug)]
-pub struct ExpandMsgXmd<HashT, K>(PhantomData<(HashT, K)>)
+pub struct ExpandMsgXmd<HashT>(PhantomData<HashT>)
 where
     HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
     HashT::OutputSize: IsLess<U256>,
-    HashT::OutputSize: IsLessOrEqual<HashT::BlockSize>,
-    K: Mul<U2>,
-    HashT::OutputSize: IsGreaterOrEqual<<K as Mul<U2>>::Output>;
+    HashT::OutputSize: IsLessOrEqual<HashT::BlockSize>;
 
-impl<'a, HashT, K> ExpandMsg<'a> for ExpandMsgXmd<HashT, K>
+/// ExpandMsgXmd implements expand_message_xmd for the ExpandMsg trait
+impl<'a, HashT> ExpandMsg<'a> for ExpandMsgXmd<HashT>
 where
     HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
-    // If DST is larger than 255 bytes, the length of the computed DST will depend on the output
-    // size of the hash, which is still not allowed to be larger than 256:
+    // If `len_in_bytes` is bigger then 256, length of the `DST` will depend on
+    // the output size of the hash, which is still not allowed to be bigger then 256:
     // https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-13.html#section-5.4.1-6
     HashT::OutputSize: IsLess<U256>,
     // Constraint set by `expand_message_xmd`:
     // https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-13.html#section-5.4.1-4
     HashT::OutputSize: IsLessOrEqual<HashT::BlockSize>,
-    // The number of bits output by `HashT` MUST be larger or equal to `K * 2`:
-    // https://www.rfc-editor.org/rfc/rfc9380.html#section-5.3.1-2.1
-    K: Mul<U2>,
-    HashT::OutputSize: IsGreaterOrEqual<<K as Mul<U2>>::Output>,
 {
     type Expander = ExpanderXmd<'a, HashT>;
 
     fn expand_message(
         msgs: &[&[u8]],
         dsts: &'a [&'a [u8]],
-        len_in_bytes: NonZero<usize>,
+        len_in_bytes: usize,
     ) -> Result<Self::Expander> {
-        let len_in_bytes_u16 = u16::try_from(len_in_bytes.get()).map_err(|_| Error)?;
-
-        // `255 * <b_in_bytes>` can not exceed `u16::MAX`
-        if len_in_bytes_u16 > 255 * HashT::OutputSize::to_u16() {
+        if len_in_bytes == 0 {
             return Err(Error);
         }
 
+        let len_in_bytes_u16 = u16::try_from(len_in_bytes).map_err(|_| Error)?;
+
         let b_in_bytes = HashT::OutputSize::to_usize();
-        let ell = u8::try_from(len_in_bytes.get().div_ceil(b_in_bytes)).map_err(|_| Error)?;
+        let ell = u8::try_from(len_in_bytes.div_ceil(b_in_bytes)).map_err(|_| Error)?;
 
         let domain = Domain::xmd::<HashT>(dsts)?;
         let mut b_0 = HashT::default();
@@ -167,7 +157,7 @@ mod test {
     use hex_literal::hex;
     use hybrid_array::{
         ArraySize,
-        typenum::{U4, U8, U32, U128},
+        typenum::{U32, U128},
     };
     use sha2::Sha256;
 
@@ -219,17 +209,13 @@ mod test {
         ) -> Result<()>
         where
             HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
-            HashT::OutputSize: IsLess<U256> + IsLessOrEqual<HashT::BlockSize> + Mul<U8>,
-            HashT::OutputSize: IsGreaterOrEqual<<U4 as Mul<U2>>::Output>,
+            HashT::OutputSize: IsLess<U256> + IsLessOrEqual<HashT::BlockSize>,
         {
             assert_message::<HashT>(self.msg, domain, L::to_u16(), self.msg_prime);
 
             let dst = [dst];
-            let mut expander = ExpandMsgXmd::<HashT, U4>::expand_message(
-                &[self.msg],
-                &dst,
-                NonZero::new(L::to_usize()).ok_or(Error)?,
-            )?;
+            let mut expander =
+                ExpandMsgXmd::<HashT>::expand_message(&[self.msg], &dst, L::to_usize())?;
 
             let mut uniform_bytes = Array::<u8, L>::default();
             expander.fill_bytes(&mut uniform_bytes);

elliptic-curve/src/hash2curve/hash2field/expand_msg/xof.rs

@@ -2,38 +2,26 @@
 
 use super::{Domain, ExpandMsg, Expander};
 use crate::{Error, Result};
-use core::{fmt, marker::PhantomData, num::NonZero, ops::Mul};
-use digest::{ExtendableOutput, HashMarker, Update, XofReader};
-use hybrid_array::{
-    ArraySize,
-    typenum::{IsLess, U2, U256},
-};
-
-/// Implements `expand_message_xof` via the [`ExpandMsg`] trait:
-/// <https://www.rfc-editor.org/rfc/rfc9380.html#name-expand_message_xof>
-///
-/// `K` is the target security level in bytes:
-/// <https://www.rfc-editor.org/rfc/rfc9380.html#section-8.9-2.2>
-/// <https://www.rfc-editor.org/rfc/rfc9380.html#name-target-security-levels>
+use core::fmt;
+use digest::{ExtendableOutput, Update, XofReader};
+use hybrid_array::typenum::U32;
+
+/// Placeholder type for implementing `expand_message_xof` based on an extendable output function
 ///
 /// # Errors
 /// - `dst.is_empty()`
+/// - `len_in_bytes == 0`
 /// - `len_in_bytes > u16::MAX`
-pub struct ExpandMsgXof<HashT, K>
+pub struct ExpandMsgXof<HashT>
 where
-    HashT: Default + ExtendableOutput + Update + HashMarker,
-    K: Mul<U2>,
-    <K as Mul<U2>>::Output: ArraySize + IsLess<U256>,
+    HashT: Default + ExtendableOutput + Update,
 {
     reader: <HashT as ExtendableOutput>::Reader,
-    _k: PhantomData<K>,
 }
 
-impl<HashT, K> fmt::Debug for ExpandMsgXof<HashT, K>
+impl<HashT> fmt::Debug for ExpandMsgXof<HashT>
 where
-    HashT: Default + ExtendableOutput + Update + HashMarker,
-    K: Mul<U2>,
-    <K as Mul<U2>>::Output: ArraySize + IsLess<U256>,
+    HashT: Default + ExtendableOutput + Update,
     <HashT as ExtendableOutput>::Reader: fmt::Debug,
 {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
@@ -43,24 +31,25 @@ where
     }
 }
 
-impl<'a, HashT, K> ExpandMsg<'a> for ExpandMsgXof<HashT, K>
+/// ExpandMsgXof implements `expand_message_xof` for the [`ExpandMsg`] trait
+impl<'a, HashT> ExpandMsg<'a> for ExpandMsgXof<HashT>
 where
-    HashT: Default + ExtendableOutput + Update + HashMarker,
-    // If DST is larger than 255 bytes, the length of the computed DST is calculated by `K * 2`.
-    // https://www.rfc-editor.org/rfc/rfc9380.html#section-5.3.1-2.1
-    K: Mul<U2>,
-    <K as Mul<U2>>::Output: ArraySize + IsLess<U256>,
+    HashT: Default + ExtendableOutput + Update,
 {
     type Expander = Self;
 
     fn expand_message(
         msgs: &[&[u8]],
         dsts: &'a [&'a [u8]],
-        len_in_bytes: NonZero<usize>,
+        len_in_bytes: usize,
     ) -> Result<Self::Expander> {
-        let len_in_bytes = u16::try_from(len_in_bytes.get()).map_err(|_| Error)?;
+        if len_in_bytes == 0 {
+            return Err(Error);
+        }
+
+        let len_in_bytes = u16::try_from(len_in_bytes).map_err(|_| Error)?;
 
-        let domain = Domain::<<K as Mul<U2>>::Output>::xof::<HashT>(dsts)?;
+        let domain = Domain::<U32>::xof::<HashT>(dsts)?;
         let mut reader = HashT::default();
 
         for msg in msgs {
@@ -71,18 +60,13 @@ where
         domain.update_hash(&mut reader);
         reader.update(&[domain.len()]);
         let reader = reader.finalize_xof();
-        Ok(Self {
-            reader,
-            _k: PhantomData,
-        })
+        Ok(Self { reader })
     }
 }
 
-impl<HashT, K> Expander for ExpandMsgXof<HashT, K>
+impl<HashT> Expander for ExpandMsgXof<HashT>
 where
-    HashT: Default + ExtendableOutput + Update + HashMarker,
-    K: Mul<U2>,
-    <K as Mul<U2>>::Output: ArraySize + IsLess<U256>,
+    HashT: Default + ExtendableOutput + Update,
 {
     fn fill_bytes(&mut self, okm: &mut [u8]) {
         self.reader.read(okm);
@@ -94,10 +78,7 @@ mod test {
     use super::*;
     use core::mem::size_of;
     use hex_literal::hex;
-    use hybrid_array::{
-        Array, ArraySize,
-        typenum::{U16, U32, U128},
-    };
+    use hybrid_array::{Array, ArraySize, typenum::U128};
     use sha3::Shake128;
 
     fn assert_message(msg: &[u8], domain: &Domain<'_, U32>, len_in_bytes: u16, bytes: &[u8]) {
@@ -129,16 +110,13 @@ mod test {
         #[allow(clippy::panic_in_result_fn)]
         fn assert<HashT, L>(&self, dst: &'static [u8], domain: &Domain<'_, U32>) -> Result<()>
         where
-            HashT: Default + ExtendableOutput + Update + HashMarker,
+            HashT: Default + ExtendableOutput + Update,
             L: ArraySize,
         {
             assert_message(self.msg, domain, L::to_u16(), self.msg_prime);
 
-            let mut expander = ExpandMsgXof::<HashT, U16>::expand_message(
-                &[self.msg],
-                &[dst],
-                NonZero::new(L::to_usize()).ok_or(Error)?,
-            )?;
+            let mut expander =
+                ExpandMsgXof::<HashT>::expand_message(&[self.msg], &[dst], L::to_usize())?;
 
             let mut uniform_bytes = Array::<u8, L>::default();
             expander.fill_bytes(&mut uniform_bytes);