Optional cofactor clearing

Author: davxy

src/lib.rs

@@ -19,7 +19,7 @@
 use zeroize::Zeroize;
 
 use ark_ec::{AffineRepr, CurveGroup};
-use ark_ff::PrimeField;
+use ark_ff::{One, PrimeField, Zero};
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::vec::Vec;
 
@@ -58,7 +58,7 @@ pub use codec::Codec;
 
 #[derive(Debug)]
 pub enum Error {
-    /// Verification error(s)
+    /// Verification error
     VerificationFailure,
     /// Bad input data
     InvalidData,
@@ -135,9 +135,9 @@ pub trait Suite: Copy {
 
     /// Hash data to a curve point.
     ///
-    /// By default uses "try and increment" method described by RFC 9381.
+    /// By default uses "try and increment" method described by RFC-9381.
     ///
-    /// The input `data` is assumed to be `[salt||]alpha` according to the RFC 9381.
+    /// The input `data` is assumed to be `[salt||]alpha` according to the RFC-9381.
     /// In other words, salt is not applied by this function.
     #[inline(always)]
     fn data_to_point(data: &[u8]) -> Option<AffinePoint<Self>> {
@@ -146,10 +146,10 @@ pub trait Suite: Copy {
 
     /// Map the point to a hash value using `Self::Hasher`.
     ///
-    /// By default uses the algorithm described by RFC 9381.
+    /// By default uses the algorithm described by RFC-9381 without cofactor clearing.
     #[inline(always)]
     fn point_to_hash(pt: &AffinePoint<Self>) -> HashOutput<Self> {
-        utils::point_to_hash_rfc_9381::<Self>(pt)
+        utils::point_to_hash_rfc_9381::<Self>(pt, false)
     }
 
     /// Generator used through all the suite.
@@ -221,7 +221,10 @@ impl<S: Suite> Secret<S> {
     /// The `seed` is hashed using the `Suite::hash` to construct the secret scalar.
     pub fn from_seed(seed: &[u8]) -> Self {
         let bytes = utils::hash::<S::Hasher>(seed);
-        let scalar = ScalarField::<S>::from_le_bytes_mod_order(&bytes[..]);
+        let mut scalar = ScalarField::<S>::from_le_bytes_mod_order(&bytes[..]);
+        if scalar.is_zero() {
+            scalar.set_one();
+        }
         Self::from_scalar(scalar)
     }
 

src/utils/common.rs

@@ -129,11 +129,35 @@ pub fn challenge_rfc_9381<S: Suite>(pts: &[&AffinePoint<S>], ad: &[u8]) -> Scala
 }
 
 /// Point to a hash according to RFC-9381 section 5.2.
-pub fn point_to_hash_rfc_9381<S: Suite>(pt: &AffinePoint<S>) -> HashOutput<S> {
+///
+/// According to the RFC, the input point `pt` should be multiplied by the cofactor
+/// before being hashed. However, in typical usage, the hashed point is the result
+/// of a scalar multiplication on a point produced by the `Suite::data_to_point`
+/// (also referred to as the _hash-to-curve_ or _h2c_) algorithm, which is expected
+/// to yield a point that already belongs to the prime order subgroup of the curve.
+///
+/// Therefore, assuming the `data_to_point` function is implemented correctly, the
+/// input point `pt` will inherently reside in the prime order subgroup, making the
+/// cofactor multiplication unnecessary and redundant in terms of security. The primary
+/// purpose of multiplying by the cofactor is as a safeguard against potential issues
+/// with an incorrect implementation of `data_to_point`.
+///
+/// Since multiplying by the cofactor changes the point being hashed, this step is
+/// made optional to accommodate scenarios where strict compliance with the RFC's
+/// prescribed procedure is not required.
+pub fn point_to_hash_rfc_9381<S: Suite>(
+    pt: &AffinePoint<S>,
+    mul_by_cofactor: bool,
+) -> HashOutput<S> {
+    use ark_std::borrow::Cow::*;
     const DOM_SEP_START: u8 = 0x03;
     const DOM_SEP_END: u8 = 0x00;
     let mut buf = [S::SUITE_ID, &[DOM_SEP_START]].concat();
-    S::Codec::point_encode_into(pt, &mut buf);
+    let pt = match mul_by_cofactor {
+        false => Borrowed(pt),
+        true => Owned(pt.mul_by_cofactor()),
+    };
+    S::Codec::point_encode_into(&pt, &mut buf);
     buf.push(DOM_SEP_END);
     hash::<S::Hasher>(&buf)
 }