Hash-to-curve is now RFC 9380
There don't appear to be any changes since draft-16 beyond some
copy-editing, so we can just update the comments.
https://author-tools.ietf.org/iddiff?url1=draft-irtf-cfrg-hash-to-curve-16&url2=rfc9380&difftype=--html
Change-Id: Ida48b647c146f1fb1eeb6033b8878cba880c4b9b
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62326
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/crypto/ec_extra/hash_to_curve.c b/crypto/ec_extra/hash_to_curve.c
index 2d11ef5..f29ef13 100644
--- a/crypto/ec_extra/hash_to_curve.c
+++ b/crypto/ec_extra/hash_to_curve.c
@@ -26,8 +26,7 @@
#include "../internal.h"
-// This file implements hash-to-curve, as described in
-// draft-irtf-cfrg-hash-to-curve-16.
+// This file implements hash-to-curve, as described in RFC 9380.
//
// This hash-to-curve implementation is written generically with the
// expectation that we will eventually wish to support other curves. If it
@@ -48,8 +47,7 @@
// templates to make specializing more convenient.
// expand_message_xmd implements the operation described in section 5.3.1 of
-// draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
-// error.
+// RFC 9380. It returns one on success and zero on error.
static int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len,
const uint8_t *msg, size_t msg_len,
const uint8_t *dst, size_t dst_len) {
@@ -138,7 +136,7 @@
// num_bytes_to_derive determines the number of bytes to derive when hashing to
// a number modulo |modulus|. See the hash_to_field operation defined in
-// section 5.2 of draft-irtf-cfrg-hash-to-curve-16.
+// section 5.2 of RFC 9380.
static int num_bytes_to_derive(size_t *out, const BIGNUM *modulus, unsigned k) {
size_t bits = BN_num_bits(modulus);
size_t L = (bits + k + 7) / 8;
@@ -171,8 +169,7 @@
}
// hash_to_field implements the operation described in section 5.2
-// of draft-irtf-cfrg-hash-to-curve-16, with count = 2. |k| is the security
-// factor.
+// of RFC 9380, with count = 2. |k| is the security factor.
static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md,
EC_FELEM *out1, EC_FELEM *out2, const uint8_t *dst,
size_t dst_len, unsigned k, const uint8_t *msg,
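Review bot: The comment above `hash_to_field2` still opens with `hash_to_field`, which is the RFC operation's name rather than the function's, so a search for the function name misses its own documentation. Since the line is being rewritten anyway, it could read `// hash_to_field2 implements the hash_to_field operation described in section 5.2 of RFC 9380, with count = 2. |k| is the security factor.` The comment also omits the return convention that the `expand_message_xmd` comment gives; the function body lies outside the hunk, so confirm the convention before adding it.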
@@ -221,8 +218,7 @@
ec_felem_sub(group, out, in, &tmp); // out = -3*in
}
-// sgn0 implements the operation described in section 4.1.2 of
-// draft-irtf-cfrg-hash-to-curve-16.
+// sgn0 implements the operation described in section 4.1.2 of RFC 9380.
static BN_ULONG sgn0(const EC_GROUP *group, const EC_FELEM *a) {
uint8_t buf[EC_MAX_BYTES];
size_t len;
@@ -235,7 +231,7 @@
}
// sqrt_ratio_3mod4 implements the operation described in appendix F.2.1.2
-// of draft-irtf-cfrg-hash-to-curve-16.
+// of RFC 9380.
static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z,
const BN_ULONG *c1, size_t num_c1,
const EC_FELEM *c2, EC_FELEM *out_y,
@@ -270,8 +266,7 @@
}
// map_to_curve_simple_swu implements the operation described in section 6.6.2
-// of draft-irtf-cfrg-hash-to-curve-16, using the straight-line implementation
-// in appendix F.2.
+// of RFC 9380, using the straight-line implementation in appendix F.2.
static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z,
const BN_ULONG *c1, size_t num_c1,
const EC_FELEM *c2, EC_JACOBIAN *out,
@@ -405,7 +400,7 @@
EC_JACOBIAN *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg,
size_t msg_len) {
- // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16.
+ // See section 8.3 of RFC 9380.
if (EC_GROUP_get_curve_name(group) != NID_X9_62_prime256v1) {
OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);
return 0;
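Review bot: The section reference in `// See section 8.3 of RFC 9380.` looks copied from the P-384 function: this branch checks `NID_X9_62_prime256v1`, and in RFC 9380 the P-256 suites are in section 8.2, while 8.3 covers P-384. The same `8.3` is correct in the later hunk that checks `NID_secp384r1`. Suggested line here: `// See section 8.2 of RFC 9380.` A wrong section number sends anyone auditing the suite constants against the spec to the wrong curve's parameters. The function starts and ends outside the hunk.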
@@ -438,7 +433,7 @@
EC_JACOBIAN *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg,
size_t msg_len) {
- // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16.
+ // See section 8.3 of RFC 9380.
if (EC_GROUP_get_curve_name(group) != NID_secp384r1) {
OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);
return 0;
diff --git a/crypto/ec_extra/internal.h b/crypto/ec_extra/internal.h
index 8a9d990..6b865a3 100644
--- a/crypto/ec_extra/internal.h
+++ b/crypto/ec_extra/internal.h
@@ -30,24 +30,22 @@
// ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and
// writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite
-// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
-// error.
+// from RFC 9380. It returns one on success and zero on error.
OPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu(
const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
const uint8_t *msg, size_t msg_len);
// ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and
// writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite
-// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
-// error.
+// from RFC 9380. It returns one on success and zero on error.
OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu(
const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
const uint8_t *msg, size_t msg_len);
// ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group|
// and writes the result to |out|, using the hash_to_field operation from the
-// P384_XMD:SHA-384_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-16, but
-// generating a value modulo the group order rather than a field element.
+// P384_XMD:SHA-384_SSWU_RO_ suite from RFC 9380, but generating a value modulo
+// the group order rather than a field element.
OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha384(
const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
const uint8_t *msg, size_t msg_len);
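Review bot: The comment on `ec_hash_to_scalar_p384_xmd_sha384` is the only one in this hunk that omits the return convention. The two `ec_hash_to_curve_*` comments end with `It returns one on success and zero on error.`, and this one should too if the function follows the same convention (its definition is not in the hunk). Because this function reuses the suite's hash_to_field with a different modulus, the comment could also repeat that |dst| must differ from the tag used with the hash_to_curve variants, as the public header states.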
diff --git a/crypto/fipsmodule/ec/ec_test.cc b/crypto/fipsmodule/ec/ec_test.cc
index 75e11f8..b9bc1a2 100644
--- a/crypto/fipsmodule/ec/ec_test.cc
+++ b/crypto/fipsmodule/ec/ec_test.cc
@@ -1223,7 +1223,7 @@
const char *y_hex;
};
const HashToCurveTest kTests[] = {
- // See draft-irtf-cfrg-hash-to-curve-16, appendix J.1.1.
+ // See RFC 9380, appendix J.1.1.
{&EC_hash_to_curve_p256_xmd_sha256_sswu, EC_group_p256(),
"QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_", "",
"2c15230b26dbc6fc9a37051158c95b79656e17a1a920b11394ca91"
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index f1a77b2..2d005af 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -340,24 +340,22 @@
// Hash-to-curve.
//
-// The following functions implement primitives from
-// draft-irtf-cfrg-hash-to-curve-16. The |dst| parameter in each function is the
-// domain separation tag and must be unique for each protocol and between the
-// |hash_to_curve| and |hash_to_scalar| variants. See section 3.1 of the spec
-// for additional guidance on this parameter.
+// The following functions implement primitives from RFC 9380. The |dst|
+// parameter in each function is the domain separation tag and must be unique
+// for each protocol and between the |hash_to_curve| and |hash_to_scalar|
+// variants. See section 3.1 of the spec for additional guidance on this
+// parameter.
// EC_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and
// writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite
-// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
-// error.
+// from RFC 9380. It returns one on success and zero on error.
OPENSSL_EXPORT int EC_hash_to_curve_p256_xmd_sha256_sswu(
const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len,
const uint8_t *msg, size_t msg_len);
// EC_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and
// writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite
-// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
-// error.
+// from RFC 9380. It returns one on success and zero on error.
OPENSSL_EXPORT int EC_hash_to_curve_p384_xmd_sha384_sswu(
const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len,
const uint8_t *msg, size_t msg_len);
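Review bot: The |dst| paragraph says the tag must be unique but not which lengths are acceptable, nor what happens when |group| is the wrong curve. RFC 9380 section 3.1 requires a non-empty tag and recommends at least 16 bytes; the visible lines do not show whether a zero-length |dst| is rejected, so the header should state the behaviour either way, e.g. `// |dst| must be non-empty; RFC 9380 recommends at least 16 bytes.` The internal P-256 and P-384 functions in hash_to_curve.c fail with `EC_R_GROUP_MISMATCH` on another curve, and if the public wrappers behave the same, that deserves a sentence in each function comment.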