hash2curve: move oversized DST requirements to runtime errors (#1901)

This PR introduces two changes:
- Remove requirements that were only relevant for oversized `DST`s. Now
these requirements are checked on runtime. While this is unfortunate,
the currently limitations simply was that usage with regular sized
`DST`s incurred limitations that were not necessary.
- Change `len_in_bytes` from `NonZero<usize>` to `NonZero<u16>`. This
isn't a big improvement because the error is just moved from
`expand_msg()` to the various `GroupDigest` methods.

Companion PR: RustCrypto/elliptic-curves#1256.

---
I know I have been refactoring this API over and over again, but I
actually think this is the last of it (apart from
#872 with
`generic_const_exprs`).

But for completions sake I want to mention the following [from the
spec](https://www.rfc-editor.org/rfc/rfc9380.html#section-5.3.1-8):
> It is possible, however, to entirely avoid this overhead by taking
advantage of the fact that Z_pad depends only on H, and not on the
arguments to expand_message_xmd. To do so, first precompute and save the
internal state of H after ingesting Z_pad. Then, when computing b_0,
initialize H using the saved state. Further details are implementation
dependent and are beyond the scope of this document.

In summary, we could cache this part:
```rust
let mut b_0 = HashT::default();
b_0.update(&Array::<u8, HashT::BlockSize>::default());
```
Doing this requires passing `ExpandMsg` state, which would change the
entire API having to add a parameter to every function.

However, as the spec mentions, the cost of not caching it is most likely
negligible. We will see in the future if this shows up in benchmarks and
if it does we can re-evaluate. I don't believe this will be the case
though.

Alternatively, we could add a trait to `digest` which allows users to
construct a hash prefixed with a `BlockSize` full of zeros that has been
computed at compile-time. Which would also require no changes to the API
except binding to this trait.

Author: daxpedda

elliptic-curve/src/hash2curve/group_digest.rs

@@ -23,9 +23,10 @@ pub trait GroupDigest: MapToCurve {
     /// > hash function is used.
     ///
     /// # Errors
-    /// See implementors of [`ExpandMsg`] for errors:
-    /// - [`ExpandMsgXmd`]
-    /// - [`ExpandMsgXof`]
+    /// - `len_in_bytes > u16::MAX`
+    /// - See implementors of [`ExpandMsg`] for additional errors:
+    ///   - [`ExpandMsgXmd`]
+    ///   - [`ExpandMsgXof`]
     ///
     /// `len_in_bytes = <Self::FieldElement as FromOkm>::Length * 2`
     ///
@@ -53,9 +54,10 @@ pub trait GroupDigest: MapToCurve {
     /// > points in this set are more likely to be output than others.
     ///
     /// # Errors
-    /// See implementors of [`ExpandMsg`] for errors:
-    /// - [`ExpandMsgXmd`]
-    /// - [`ExpandMsgXof`]
+    /// - `len_in_bytes > u16::MAX`
+    /// - See implementors of [`ExpandMsg`] for additional errors:
+    ///   - [`ExpandMsgXmd`]
+    ///   - [`ExpandMsgXof`]
     ///
     /// `len_in_bytes = <Self::FieldElement as FromOkm>::Length`
     ///
@@ -76,9 +78,10 @@ pub trait GroupDigest: MapToCurve {
     /// and returns a scalar.
     ///
     /// # Errors
-    /// See implementors of [`ExpandMsg`] for errors:
-    /// - [`ExpandMsgXmd`]
-    /// - [`ExpandMsgXof`]
+    /// - `len_in_bytes > u16::MAX`
+    /// - See implementors of [`ExpandMsg`] for additional errors:
+    ///   - [`ExpandMsgXmd`]
+    ///   - [`ExpandMsgXof`]
     ///
     /// `len_in_bytes = <Self::Scalar as FromOkm>::Length`
     ///

elliptic-curve/src/hash2curve/hash2field.rs

@@ -4,7 +4,7 @@
 
 mod expand_msg;
 
-use core::num::NonZeroUsize;
+use core::num::NonZeroU16;
 
 pub use expand_msg::{xmd::*, xof::*, *};
 
@@ -28,9 +28,10 @@ pub trait FromOkm {
 /// <https://www.rfc-editor.org/rfc/rfc9380.html#name-hash_to_field-implementatio>
 ///
 /// # Errors
-/// See implementors of [`ExpandMsg`] for errors:
-/// - [`ExpandMsgXmd`]
-/// - [`ExpandMsgXof`]
+/// - `len_in_bytes > u16::MAX`
+/// - See implementors of [`ExpandMsg`] for additional errors:
+///   - [`ExpandMsgXmd`]
+///   - [`ExpandMsgXof`]
 ///
 /// `len_in_bytes = T::Length * out.len()`
 ///
@@ -42,9 +43,10 @@ where
     E: ExpandMsg<K>,
     T: FromOkm + Default,
 {
-    let len_in_bytes = T::Length::to_usize()
+    let len_in_bytes = T::Length::USIZE
         .checked_mul(out.len())
-        .and_then(NonZeroUsize::new)
+        .and_then(|len| len.try_into().ok())
+        .and_then(NonZeroU16::new)
         .ok_or(Error)?;
     let mut tmp = Array::<u8, <T as FromOkm>::Length>::default();
     let mut expander = E::expand_message(data, domain, len_in_bytes)?;

elliptic-curve/src/hash2curve/hash2field/expand_msg.rs

@@ -7,7 +7,6 @@ use core::num::NonZero;
 
 use crate::{Error, Result};
 use digest::{Digest, ExtendableOutput, Update, XofReader};
-use hybrid_array::typenum::{IsLess, True, U256};
 use hybrid_array::{Array, ArraySize};
 
 /// Salt when the DST is too long
@@ -34,7 +33,7 @@ pub trait ExpandMsg<K> {
     fn expand_message<'dst>(
         msg: &[&[u8]],
         dst: &'dst [&[u8]],
-        len_in_bytes: NonZero<usize>,
+        len_in_bytes: NonZero<u16>,
     ) -> Result<Self::Expander<'dst>>;
 }
 
@@ -50,20 +49,14 @@ pub trait Expander {
 ///
 /// [dst]: https://www.rfc-editor.org/rfc/rfc9380.html#name-using-dsts-longer-than-255-
 #[derive(Debug)]
-pub(crate) enum Domain<'a, L>
-where
-    L: ArraySize + IsLess<U256, Output = True>,
-{
+pub(crate) enum Domain<'a, L: ArraySize> {
     /// > 255
     Hashed(Array<u8, L>),
     /// <= 255
     Array(&'a [&'a [u8]]),
 }
 
-impl<'a, L> Domain<'a, L>
-where
-    L: ArraySize + IsLess<U256, Output = True>,
-{
+impl<'a, L: ArraySize> Domain<'a, L> {
     pub fn xof<X>(dst: &'a [&'a [u8]]) -> Result<Self>
     where
         X: Default + ExtendableOutput + Update,
@@ -72,6 +65,10 @@ where
         if dst.iter().map(|slice| slice.len()).sum::<usize>() == 0 {
             Err(Error)
         } else if dst.iter().map(|slice| slice.len()).sum::<usize>() > MAX_DST_LEN {
+            if L::USIZE > u8::MAX.into() {
+                return Err(Error);
+            }
+
             let mut data = Array::<u8, L>::default();
             let mut hash = X::default();
             hash.update(OVERSIZE_DST_SALT);
@@ -96,6 +93,10 @@ where
         if dst.iter().map(|slice| slice.len()).sum::<usize>() == 0 {
             Err(Error)
         } else if dst.iter().map(|slice| slice.len()).sum::<usize>() > MAX_DST_LEN {
+            if L::USIZE > u8::MAX.into() {
+                return Err(Error);
+            }
+
             Ok(Self::Hashed({
                 let mut hash = X::new();
                 hash.update(OVERSIZE_DST_SALT);
@@ -124,8 +125,8 @@ where
 
     pub fn len(&self) -> u8 {
         match self {
-            // Can't overflow because it's enforced on a type level.
-            Self::Hashed(_) => L::to_u8(),
+            // Can't overflow because it's checked on creation.
+            Self::Hashed(_) => L::U8,
             // Can't overflow because it's checked on creation.
             Self::Array(d) => {
                 u8::try_from(d.iter().map(|d| d.len()).sum::<usize>()).expect("length overflow")

elliptic-curve/src/hash2curve/hash2field/expand_msg/xmd.rs

@@ -8,7 +8,7 @@ use digest::{
     FixedOutput, HashMarker,
     array::{
         Array,
-        typenum::{IsGreaterOrEqual, IsLess, IsLessOrEqual, Prod, True, U2, U256, Unsigned},
+        typenum::{IsGreaterOrEqual, IsLessOrEqual, Prod, True, U2, Unsigned},
     },
     block_api::BlockSizeUser,
 };
@@ -18,22 +18,17 @@ use digest::{
 ///
 /// # Errors
 /// - `dst` contains no bytes
-/// - `len_in_bytes > u16::MAX`
+/// - `dst > 255 && HashT::OutputSize > 255`
 /// - `len_in_bytes > 255 * HashT::OutputSize`
 #[derive(Debug)]
 pub struct ExpandMsgXmd<HashT>(PhantomData<HashT>)
 where
     HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
-    HashT::OutputSize: IsLess<U256, Output = True>,
     HashT::OutputSize: IsLessOrEqual<HashT::BlockSize, Output = True>;
 
 impl<HashT, K> ExpandMsg<K> for ExpandMsgXmd<HashT>
 where
     HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
-    // If DST is larger than 255 bytes, the length of the computed DST will depend on the output
-    // size of the hash, which is still not allowed to be larger than 255.
-    // https://www.rfc-editor.org/rfc/rfc9380.html#section-5.3.1-6
-    HashT::OutputSize: IsLess<U256, Output = True>,
     // The number of bits output by `HashT` MUST be at most `HashT::BlockSize`.
     // https://www.rfc-editor.org/rfc/rfc9380.html#section-5.3.1-4
     HashT::OutputSize: IsLessOrEqual<HashT::BlockSize, Output = True>,
@@ -47,17 +42,17 @@ where
     fn expand_message<'dst>(
         msg: &[&[u8]],
         dst: &'dst [&[u8]],
-        len_in_bytes: NonZero<usize>,
+        len_in_bytes: NonZero<u16>,
     ) -> Result<Self::Expander<'dst>> {
-        let len_in_bytes_u16 = u16::try_from(len_in_bytes.get()).map_err(|_| Error)?;
+        let b_in_bytes = HashT::OutputSize::USIZE;
 
         // `255 * <b_in_bytes>` can not exceed `u16::MAX`
-        if len_in_bytes_u16 > 255 * HashT::OutputSize::to_u16() {
+        if usize::from(len_in_bytes.get()) > 255 * b_in_bytes {
             return Err(Error);
         }
 
-        let b_in_bytes = HashT::OutputSize::to_usize();
-        let ell = u8::try_from(len_in_bytes.get().div_ceil(b_in_bytes)).map_err(|_| Error)?;
+        let ell = u8::try_from(usize::from(len_in_bytes.get()).div_ceil(b_in_bytes))
+            .expect("should never pass the previous check");
 
         let domain = Domain::xmd::<HashT>(dst)?;
         let mut b_0 = HashT::default();
@@ -67,7 +62,7 @@ where
             b_0.update(msg);
         }
 
-        b_0.update(&len_in_bytes_u16.to_be_bytes());
+        b_0.update(&len_in_bytes.get().to_be_bytes());
         b_0.update(&[0]);
         domain.update_hash(&mut b_0);
         b_0.update(&[domain.len()]);
@@ -96,7 +91,6 @@ where
 pub struct ExpanderXmd<'a, HashT>
 where
     HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
-    HashT::OutputSize: IsLess<U256, Output = True>,
     HashT::OutputSize: IsLessOrEqual<HashT::BlockSize, Output = True>,
 {
     b_0: Array<u8, HashT::OutputSize>,
@@ -110,7 +104,6 @@ where
 impl<HashT> ExpanderXmd<'_, HashT>
 where
     HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
-    HashT::OutputSize: IsLess<U256, Output = True>,
     HashT::OutputSize: IsLessOrEqual<HashT::BlockSize, Output = True>,
 {
     fn next(&mut self) -> bool {
@@ -140,7 +133,6 @@ where
 impl<HashT> Expander for ExpanderXmd<'_, HashT>
 where
     HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
-    HashT::OutputSize: IsLess<U256, Output = True>,
     HashT::OutputSize: IsLessOrEqual<HashT::BlockSize, Output = True>,
 {
     fn fill_bytes(&mut self, okm: &mut [u8]) {
@@ -157,11 +149,10 @@ where
 #[cfg(test)]
 mod test {
     use super::*;
-    use core::mem::size_of;
     use hex_literal::hex;
     use hybrid_array::{
         ArraySize,
-        typenum::{U4, U8, U32, U128},
+        typenum::{IsLess, U4, U8, U32, U128, U65536},
     };
     use sha2::Sha256;
 
@@ -172,9 +163,8 @@ mod test {
         bytes: &[u8],
     ) where
         HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
-        HashT::OutputSize: IsLess<U256, Output = True>,
     {
-        let block = HashT::BlockSize::to_usize();
+        let block = HashT::BlockSize::USIZE;
         assert_eq!(
             Array::<u8, HashT::BlockSize>::default().as_slice(),
             &bytes[..block]
@@ -206,25 +196,24 @@ mod test {
 
     impl TestVector {
         #[allow(clippy::panic_in_result_fn)]
-        fn assert<HashT, L: ArraySize>(
+        fn assert<HashT, L>(
             &self,
             dst: &'static [u8],
             domain: &Domain<'_, HashT::OutputSize>,
         ) -> Result<()>
         where
             HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
-            HashT::OutputSize: IsLess<U256, Output = True>
-                + IsLessOrEqual<HashT::BlockSize, Output = True>
-                + Mul<U8>,
+            HashT::OutputSize: IsLessOrEqual<HashT::BlockSize, Output = True>,
             HashT::OutputSize: IsGreaterOrEqual<U8, Output = True>,
+            L: ArraySize + IsLess<U65536, Output = True>,
         {
-            assert_message::<HashT>(self.msg, domain, L::to_u16(), self.msg_prime);
+            assert_message::<HashT>(self.msg, domain, L::U16, self.msg_prime);
 
             let dst = [dst];
             let mut expander = <ExpandMsgXmd<HashT> as ExpandMsg<U4>>::expand_message(
                 &[self.msg],
                 &dst,
-                NonZero::new(L::to_usize()).ok_or(Error)?,
+                NonZero::new(L::U16).ok_or(Error)?,
             )?;
 
             let mut uniform_bytes = Array::<u8, L>::default();

elliptic-curve/src/hash2curve/hash2field/expand_msg/xof.rs

@@ -1,22 +1,22 @@
 //! `expand_message_xof` for the `ExpandMsg` trait
 
 use super::{Domain, ExpandMsg, Expander};
-use crate::{Error, Result};
+use crate::Result;
 use core::{fmt, num::NonZero, ops::Mul};
 use digest::{
     CollisionResistance, ExtendableOutput, HashMarker, Update, XofReader, typenum::IsGreaterOrEqual,
 };
 use hybrid_array::{
     ArraySize,
-    typenum::{IsLess, Prod, True, U2, U256},
+    typenum::{Prod, True, U2},
 };
 
 /// Implements `expand_message_xof` via the [`ExpandMsg`] trait:
 /// <https://www.rfc-editor.org/rfc/rfc9380.html#name-expand_message_xof>
 ///
 /// # Errors
 /// - `dst` contains no bytes
-/// - `len_in_bytes > u16::MAX`
+/// - `dst > 255 && K * 2 > 255`
 pub struct ExpandMsgXof<HashT>
 where
     HashT: Default + ExtendableOutput + Update + HashMarker,
@@ -41,7 +41,7 @@ where
     HashT: Default + ExtendableOutput + Update + HashMarker,
     // If DST is larger than 255 bytes, the length of the computed DST is calculated by `K * 2`.
     // https://www.rfc-editor.org/rfc/rfc9380.html#section-5.3.1-2.1
-    K: Mul<U2, Output: ArraySize + IsLess<U256, Output = True>>,
+    K: Mul<U2, Output: ArraySize>,
     // The collision resistance of `HashT` MUST be at least `K` bits.
     // https://www.rfc-editor.org/rfc/rfc9380.html#section-5.3.2-2.1
     HashT: CollisionResistance<CollisionResistance: IsGreaterOrEqual<K, Output = True>>,
@@ -51,9 +51,9 @@ where
     fn expand_message<'dst>(
         msg: &[&[u8]],
         dst: &'dst [&[u8]],
-        len_in_bytes: NonZero<usize>,
+        len_in_bytes: NonZero<u16>,
     ) -> Result<Self::Expander<'dst>> {
-        let len_in_bytes = u16::try_from(len_in_bytes.get()).map_err(|_| Error)?;
+        let len_in_bytes = len_in_bytes.get();
 
         let domain = Domain::<Prod<K, U2>>::xof::<HashT>(dst)?;
         let mut reader = HashT::default();
@@ -81,12 +81,14 @@ where
 
 #[cfg(test)]
 mod test {
+    use crate::Error;
+
     use super::*;
     use core::mem::size_of;
     use hex_literal::hex;
     use hybrid_array::{
         Array, ArraySize,
-        typenum::{U16, U32, U128},
+        typenum::{IsLess, U16, U32, U128, U65536},
     };
     use sha3::Shake128;
 
@@ -124,14 +126,14 @@ mod test {
                 + Update
                 + HashMarker
                 + CollisionResistance<CollisionResistance: IsGreaterOrEqual<U16, Output = True>>,
-            L: ArraySize,
+            L: ArraySize + IsLess<U65536, Output = True>,
         {
             assert_message(self.msg, domain, L::to_u16(), self.msg_prime);
 
             let mut expander = <ExpandMsgXof<HashT> as ExpandMsg<U16>>::expand_message(
                 &[self.msg],
                 &[dst],
-                NonZero::new(L::to_usize()).ok_or(Error)?,
+                NonZero::new(L::U16).ok_or(Error)?,
             )?;
 
             let mut uniform_bytes = Array::<u8, L>::default();