Hash-to-curve is now RFC 9380 There don't appear to be any changes since draft-16 beyond some copy-editing, so we can just update the comments. https://author-tools.ietf.org/iddiff?url1=draft-irtf-cfrg-hash-to-curve-16&url2=rfc9380&difftype=--html Change-Id: Ida48b647c146f1fb1eeb6033b8878cba880c4b9b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62326 Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
diff --git a/crypto/ec_extra/hash_to_curve.c b/crypto/ec_extra/hash_to_curve.c
index 2d11ef5..f29ef13 100644
--- a/crypto/ec_extra/hash_to_curve.c
+++ b/crypto/ec_extra/hash_to_curve.c
@@ -26,8 +26,7 @@ #include "../internal.h" -// This file implements hash-to-curve, as described in -// draft-irtf-cfrg-hash-to-curve-16. +// This file implements hash-to-curve, as described in RFC 9380. // // This hash-to-curve implementation is written generically with the // expectation that we will eventually wish to support other curves. If it @@ -48,8 +47,7 @@ // templates to make specializing more convenient. // expand_message_xmd implements the operation described in section 5.3.1 of -// draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// RFC 9380. It returns one on success and zero on error. static int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len, const uint8_t *msg, size_t msg_len, const uint8_t *dst, size_t dst_len) { @@ -138,7 +136,7 @@ // num_bytes_to_derive determines the number of bytes to derive when hashing to // a number modulo |modulus|. See the hash_to_field operation defined in -// section 5.2 of draft-irtf-cfrg-hash-to-curve-16. +// section 5.2 of RFC 9380. static int num_bytes_to_derive(size_t *out, const BIGNUM *modulus, unsigned k) { size_t bits = BN_num_bits(modulus); size_t L = (bits + k + 7) / 8; @@ -171,8 +169,7 @@ } // hash_to_field implements the operation described in section 5.2 -// of draft-irtf-cfrg-hash-to-curve-16, with count = 2. |k| is the security -// factor. +// of RFC 9380, with count = 2. |k| is the security factor. static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md, EC_FELEM *out1, EC_FELEM *out2, const uint8_t *dst, size_t dst_len, unsigned k, const uint8_t *msg, @@ -221,8 +218,7 @@ ec_felem_sub(group, out, in, &tmp); // out = -3*in } -// sgn0 implements the operation described in section 4.1.2 of -// draft-irtf-cfrg-hash-to-curve-16. +// sgn0 implements the operation described in section 4.1.2 of RFC 9380. static BN_ULONG sgn0(const EC_GROUP *group, const EC_FELEM *a) { uint8_t buf[EC_MAX_BYTES]; size_t len; 
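Review bot: The comment rewritten in the `@@ -171,8 +169,7 @@` hunk still opens with `hash_to_field implements`, while the function it documents is `hash_to_field2`, so a search for the function name does not land on its description. Since the line is being touched anyway, it could read `// hash_to_field2 implements the hash_to_field operation described in section 5.2 of RFC 9380, with count = 2. |k| is the security factor.` The function body continues outside the hunk.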
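Review bot: The sgn0 comment in the `@@ -221,8 +218,7 @@` hunk keeps the section number `4.1.2`, which looks like a leftover from an earlier draft layout. As far as I recall, RFC 9380 defines sgn0 in section 4.1 with no numbered subsections, so this pointer may not resolve in the published document. Please confirm against the RFC and, if that is right, use `// sgn0 implements the operation described in section 4.1 of RFC 9380.` sgn0's body continues outside the hunk.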
@@ -235,7 +231,7 @@ } // sqrt_ratio_3mod4 implements the operation described in appendix F.2.1.2 -// of draft-irtf-cfrg-hash-to-curve-16. +// of RFC 9380. static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z, const BN_ULONG *c1, size_t num_c1, const EC_FELEM *c2, EC_FELEM *out_y, @@ -270,8 +266,7 @@ } // map_to_curve_simple_swu implements the operation described in section 6.6.2 -// of draft-irtf-cfrg-hash-to-curve-16, using the straight-line implementation -// in appendix F.2. +// of RFC 9380, using the straight-line implementation in appendix F.2. static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z, const BN_ULONG *c1, size_t num_c1, const EC_FELEM *c2, EC_JACOBIAN *out, @@ -405,7 +400,7 @@ EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len) { - // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16. + // See section 8.3 of RFC 9380. if (EC_GROUP_get_curve_name(group) != NID_X9_62_prime256v1) { OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH); return 0; @@ -438,7 +433,7 @@ EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len) { - // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16. + // See section 8.3 of RFC 9380. if (EC_GROUP_get_curve_name(group) != NID_secp384r1) { OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH); return 0;
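Review bot: The P-256 function in the `@@ -405,7 +400,7 @@` hunk cites `section 8.3 of RFC 9380`, the same section the P-384 function cites in the `@@ -438,7 +433,7 @@` hunk, so one of the two is probably a copy-paste carry-over. From memory the RFC lists the NIST P-256 suites in section 8.2 and the P-384 suites in 8.3; if that is confirmed, the P-256 comment should be `// See section 8.2 of RFC 9380.` A reader presumably follows this pointer to check the suite's parameters, so a wrong section sends them to the other curve's values. Both function bodies start and end outside their hunks.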
diff --git a/crypto/ec_extra/internal.h b/crypto/ec_extra/internal.h
index 8a9d990..6b865a3 100644
--- a/crypto/ec_extra/internal.h
+++ b/crypto/ec_extra/internal.h
@@ -30,24 +30,22 @@ // ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group| // and writes the result to |out|, using the hash_to_field operation from the -// P384_XMD:SHA-384_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-16, but -// generating a value modulo the group order rather than a field element. +// P384_XMD:SHA-384_SSWU_RO_ suite from RFC 9380, but generating a value modulo +// the group order rather than a field element. OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha384( const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len);
diff --git a/crypto/fipsmodule/ec/ec_test.cc b/crypto/fipsmodule/ec/ec_test.cc
index 75e11f8..b9bc1a2 100644
--- a/crypto/fipsmodule/ec/ec_test.cc
+++ b/crypto/fipsmodule/ec/ec_test.cc
@@ -1223,7 +1223,7 @@ const char *y_hex; }; const HashToCurveTest kTests[] = { - // See draft-irtf-cfrg-hash-to-curve-16, appendix J.1.1. + // See RFC 9380, appendix J.1.1. {&EC_hash_to_curve_p256_xmd_sha256_sswu, EC_group_p256(), "QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_", "", "2c15230b26dbc6fc9a37051158c95b79656e17a1a920b11394ca91"
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index f1a77b2..2d005af 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -340,24 +340,22 @@ // Hash-to-curve. // -// The following functions implement primitives from -// draft-irtf-cfrg-hash-to-curve-16. The |dst| parameter in each function is the -// domain separation tag and must be unique for each protocol and between the -// |hash_to_curve| and |hash_to_scalar| variants. See section 3.1 of the spec -// for additional guidance on this parameter. +// The following functions implement primitives from RFC 9380. The |dst| +// parameter in each function is the domain separation tag and must be unique +// for each protocol and between the |hash_to_curve| and |hash_to_scalar| +// variants. See section 3.1 of the spec for additional guidance on this +// parameter. // EC_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int EC_hash_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // EC_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int EC_hash_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len);