Update VOPRF to draft 19

.github/workflows/main.yml

@@ -23,7 +23,7 @@ jobs:
           - --features serde
         toolchain:
           - stable
-          - 1.60.0
+          - 1.61.0
     name: test
     steps:
       - name: Checkout sources
@@ -78,7 +78,7 @@ jobs:
       matrix:
         toolchain:
           - stable
-          - 1.60.0
+          - 1.61.0
     name: test simple_login command-line example
     steps:
       - name: install expect
@@ -101,7 +101,7 @@ jobs:
       matrix:
         toolchain:
           - stable
-          - 1.60.0
+          - 1.61.0
     name: test digital_locker command-line example
     steps:
       - name: install expect

Cargo.toml

@@ -8,7 +8,7 @@ license = "Apache-2.0 OR MIT"
 name = "opaque-ke"
 readme = "README.md"
 repository = "https://github.com/novifinancial/opaque-ke"
-rust-version = "1.60"
+rust-version = "1.61"
 version = "2.0.0"
 
 [features]
@@ -31,7 +31,10 @@ curve25519-dalek = { version = "=4.0.0-rc.1", default-features = false, features
 derive-where = { version = "1", features = ["zeroize-on-drop"] }
 digest = "0.10"
 displaydoc = { version = "0.2", default-features = false }
-elliptic-curve = { version = "0.12", features = ["hash2curve", "sec1"] }
+elliptic-curve = { version = "=0.13.0-pre.5", features = [
+  "hash2curve",
+  "sec1",
+] }
 generic-array = "0.14"
 hkdf = "0.12"
 hmac = "0.12"
@@ -54,7 +57,7 @@ chacha20poly1305 = "0.10"
 criterion = "0.4"
 hex = "0.4"
 json = "0.12"
-p256 = { version = "0.12", default-features = false, features = [
+p256 = { version = "=0.13.0-pre", default-features = false, features = [
   "hash2curve",
   "voprf",
 ] }
@@ -78,3 +81,7 @@ targets = []
 [[example]]
 name = "simple_login"
 required-features = ["argon2"]
+
+[patch.crates-io]
+p256 = { git = "https://github.com/RustCrypto/elliptic-curves", rev = "136fed7944d53c0508b1a93cd97bdab46891bcf7" }
+voprf = { git = "https://github.com/khonsulabs/voprf", branch = "draft-19" }

README.md

@@ -27,7 +27,7 @@ opaque-ke = "2"
 
 ### Minimum Supported Rust Version
 
-Rust **1.60** or higher.
+Rust **1.61** or higher.
 
 Audit
 -----

src/hash.rs

@@ -9,7 +9,7 @@
 
 use digest::block_buffer::Eager;
 use digest::core_api::{BlockSizeUser, BufferKindUser, CoreProxy, FixedOutputCore};
-use digest::{Digest, FixedOutputReset, HashMarker, OutputSizeUser};
+use digest::{FixedOutputReset, HashMarker, OutputSizeUser};
 use generic_array::typenum::{IsLess, Le, NonZero, U256};
 
 pub(crate) type OutputSize<D> = <<D as CoreProxy>::Core as OutputSizeUser>::OutputSize;
@@ -35,7 +35,8 @@ where
 /// HKDF and HMAC Associated types could be simplified when they are made as
 /// defaults: <https://github.com/rust-lang/rust/issues/29661>
 pub trait Hash:
-    Digest
+    Default
+    + HashMarker
     + OutputSizeUser<OutputSize = OutputSize<Self>>
     + BlockSizeUser
     + FixedOutputReset
@@ -49,7 +50,8 @@ where
 }
 
 impl<
-        T: Digest
+        T: Default
+            + HashMarker
             + OutputSizeUser<OutputSize = OutputSize<Self>>
             + BlockSizeUser
             + FixedOutputReset

src/key_exchange/group/curve25519.rs

@@ -12,7 +12,7 @@ use curve25519_dalek::montgomery::MontgomeryPoint;
 use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::Identity;
 use digest::core_api::BlockSizeUser;
-use digest::Digest;
+use digest::{FixedOutput, HashMarker};
 use elliptic_curve::hash2curve::{ExpandMsg, ExpandMsgXmd, Expander};
 use generic_array::typenum::{IsLess, IsLessOrEqual, U256, U32, U64};
 use generic_array::GenericArray;
@@ -57,9 +57,9 @@ impl KeGroup for Curve25519 {
 
     // Implements the `HashToScalar()` function from
     // <https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-09.html#section-4.1>
-    fn hash_to_scalar<'a, H>(input: &[&[u8]], dst: &[u8]) -> Result<Self::Sk, InternalError>
+    fn hash_to_scalar<'a, H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Sk, InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
     {
         let mut uniform_bytes = GenericArray::<_, U64>::default();

src/key_exchange/group/elliptic_curve.rs

@@ -6,12 +6,12 @@
 // of this source tree.
 
 use digest::core_api::BlockSizeUser;
-use digest::Digest;
+use digest::{FixedOutput, HashMarker};
 use elliptic_curve::group::cofactor::CofactorGroup;
 use elliptic_curve::hash2curve::{ExpandMsgXmd, FromOkm, GroupDigest};
 use elliptic_curve::sec1::{FromEncodedPoint, ModulusSize, ToEncodedPoint};
 use elliptic_curve::{
-    AffinePoint, Field, FieldSize, Group, ProjectivePoint, PublicKey, Scalar, SecretKey,
+    AffinePoint, Field, FieldBytesSize, Group, ProjectivePoint, PublicKey, Scalar, SecretKey,
 };
 use generic_array::typenum::{IsLess, IsLessOrEqual, U256};
 use generic_array::GenericArray;
@@ -23,18 +23,18 @@ use crate::errors::InternalError;
 impl<G> KeGroup for G
 where
     G: GroupDigest,
-    FieldSize<Self>: ModulusSize,
+    FieldBytesSize<Self>: ModulusSize,
     AffinePoint<Self>: FromEncodedPoint<Self> + ToEncodedPoint<Self>,
     ProjectivePoint<Self>: CofactorGroup + ToEncodedPoint<Self>,
     Scalar<Self>: FromOkm,
 {
     type Pk = ProjectivePoint<Self>;
 
-    type PkLen = <FieldSize<Self> as ModulusSize>::CompressedPointSize;
+    type PkLen = <FieldBytesSize<Self> as ModulusSize>::CompressedPointSize;
 
     type Sk = Scalar<Self>;
 
-    type SkLen = FieldSize<Self>;
+    type SkLen = FieldBytesSize<Self>;
 
     fn serialize_pk(pk: Self::Pk) -> GenericArray<u8, Self::PkLen> {
         GenericArray::clone_from_slice(pk.to_encoded_point(true).as_bytes())
@@ -52,9 +52,9 @@ where
 
     // Implements the `HashToScalar()` function from
     // <https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-09.html#section-4.1>
-    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[u8]) -> Result<Self::Sk, InternalError>
+    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Sk, InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
     {
         Self::hash_to_scalar::<ExpandMsgXmd<H>>(input, dst)
@@ -85,7 +85,7 @@ where
     }
 
     fn deserialize_sk(bytes: &[u8]) -> Result<Self::Sk, InternalError> {
-        SecretKey::<Self>::from_be_bytes(bytes)
+        SecretKey::<Self>::from_slice(bytes)
             .map(|secret_key| *secret_key.to_nonzero_scalar())
             .map_err(|_| InternalError::PointError)
     }

src/key_exchange/group/mod.rs

@@ -14,9 +14,9 @@ mod elliptic_curve;
 pub mod ristretto255;
 
 use digest::core_api::BlockSizeUser;
-use digest::{Digest, OutputSizeUser};
+use digest::{FixedOutput, HashMarker, OutputSizeUser};
 use generic_array::sequence::Concat;
-use generic_array::typenum::{IsLess, IsLessOrEqual, U11, U256};
+use generic_array::typenum::{IsLess, IsLessOrEqual, U256};
 use generic_array::{ArrayLength, GenericArray};
 use rand::{CryptoRng, RngCore};
 use zeroize::Zeroize;
@@ -48,9 +48,9 @@ pub trait KeGroup {
     /// # Errors
     /// [`InternalError::HashToScalar`] if the `input` is empty or longer then
     /// [`u16::MAX`].
-    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[u8]) -> Result<Self::Sk, InternalError>
+    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Sk, InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>;
 
     /// Corresponds to the DeriveAuthKeyPair() function defined in
@@ -67,8 +67,11 @@ pub trait KeGroup {
         <CS::Hash as OutputSizeUser>::OutputSize:
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
-        let context_string = create_context_string::<CS>(voprf::Mode::Oprf);
-        let dst = GenericArray::from(STR_DERIVE_KEYPAIR).concat(context_string);
+        let dst_1 = GenericArray::from(STR_DERIVE_KEYPAIR)
+            .concat(STR_OPRF.into())
+            .concat([voprf::Mode::Oprf.to_u8()].into())
+            .concat([b'-'].into());
+        let dst_2 = CS::ID.as_bytes();
 
         let info_len = i2osp_2(info.len())
             .map_err(|_| InternalError::OprfError(voprf::Error::DeriveKeyPair))?;
@@ -79,7 +82,7 @@ pub trait KeGroup {
             // || contextString)
             let sk_s = Self::hash_to_scalar::<CS::Hash>(
                 &[seed, &info_len, info, &counter.to_be_bytes()],
-                &dst,
+                &[&dst_1, dst_2],
             )
             .map_err(|_| InternalError::OprfError(voprf::Error::DeriveKeyPair))?;
 
@@ -110,21 +113,9 @@ pub trait KeGroup {
 // Helper functions used to compute DeriveAuthKeyPair() (taken from the voprf
 // crate)
 
-const STR_VOPRF: [u8; 8] = *b"VOPRF10-";
+const STR_OPRF: [u8; 7] = *b"OPRFV1-";
 const STR_DERIVE_KEYPAIR: [u8; 13] = *b"DeriveKeyPair";
 
-/// Generates the contextString parameter as defined in
-/// <https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/>
-fn create_context_string<CS: voprf::CipherSuite>(mode: voprf::Mode) -> GenericArray<u8, U11>
-where
-    <CS::Hash as OutputSizeUser>::OutputSize:
-        IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
-{
-    GenericArray::from(STR_VOPRF)
-        .concat([mode.to_u8()].into())
-        .concat(CS::ID.to_be_bytes().into())
-}
-
 fn i2osp_2(input: usize) -> Result<[u8; 2], InternalError> {
     u16::try_from(input)
         .map(|input| input.to_be_bytes())

src/key_exchange/group/ristretto255.rs

@@ -12,7 +12,7 @@ use curve25519_dalek::ristretto::{CompressedRistretto, RistrettoPoint};
 use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::Identity;
 use digest::core_api::BlockSizeUser;
-use digest::Digest;
+use digest::{FixedOutput, HashMarker};
 use generic_array::typenum::{IsLess, IsLessOrEqual, U256, U32};
 use generic_array::GenericArray;
 use rand::{CryptoRng, RngCore};
@@ -71,9 +71,9 @@ impl KeGroup for Ristretto255 {
 
     // Implements the `HashToScalar()` function from
     // <https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-09.html#section-4.1>
-    fn hash_to_scalar<'a, H>(input: &[&[u8]], dst: &[u8]) -> Result<Self::Sk, InternalError>
+    fn hash_to_scalar<'a, H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Sk, InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
     {
         <voprf::Ristretto255 as Group>::hash_to_scalar::<H>(input, dst)
@@ -108,7 +108,7 @@ impl KeGroup for Ristretto255 {
 
 #[cfg(feature = "ristretto255-voprf")]
 impl voprf::CipherSuite for Ristretto255 {
-    const ID: u16 = voprf::Ristretto255::ID;
+    const ID: &'static str = voprf::Ristretto255::ID;
 
     type Group = <voprf::Ristretto255 as voprf::CipherSuite>::Group;
 
@@ -126,21 +126,21 @@ impl Group for Ristretto255 {
 
     fn hash_to_curve<H>(
         input: &[&[u8]],
-        dst: &[u8],
+        dst: &[&[u8]],
     ) -> voprf::Result<Self::Elem, voprf::InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
     {
         <voprf::Ristretto255 as Group>::hash_to_curve::<H>(input, dst)
     }
 
     fn hash_to_scalar<H>(
         input: &[&[u8]],
-        dst: &[u8],
+        dst: &[&[u8]],
     ) -> voprf::Result<Self::Scalar, voprf::InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
     {
         <voprf::Ristretto255 as Group>::hash_to_scalar::<H>(input, dst)

src/lib.rs

@@ -14,7 +14,7 @@
 //!
 //! ### Minimum Supported Rust Version
 //!
-//! Rust **1.60** or higher.
+//! Rust **1.61** or higher.
 //!
 //! # Overview
 //!