Get rid of exposed domain separation tags and use dedicated functions…

… instead
nucypher · Mar 6, 2021 · 7185b54 · 7185b54
1 parent 957bdee
commit 7185b54
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 31 deletions.
diff --git a/umbral-pre/src/capsule.rs b/umbral-pre/src/capsule.rs
@@ -1,7 +1,7 @@
 use crate::capsule_frag::CapsuleFrag;
-use crate::constants::{NON_INTERACTIVE, X_COORDINATE};
 use crate::curve::{CurvePoint, CurveScalar, PublicKey, SecretKey};
 use crate::hashing::ScalarDigest;
+use crate::hashing_ds::{hash_to_polynomial_arg, hash_to_shared_secret};
 use crate::params::Parameters;
 use crate::traits::SerializableToArray;
 
@@ -126,14 +126,9 @@ impl Capsule {
         let dh_point = &precursor * &receiving_sk.to_secret_scalar();
 
         // Combination of CFrags via Shamir's Secret Sharing reconstruction
-        let points = [precursor, pub_key, dh_point];
         let mut lc = Vec::<CurveScalar>::with_capacity(cfrags.len());
         for cfrag in cfrags {
-            let coeff = ScalarDigest::new()
-                .chain_points(&points)
-                .chain_bytes(X_COORDINATE)
-                .chain_scalar(&cfrag.kfrag_id)
-                .finalize();
+            let coeff = hash_to_polynomial_arg(&precursor, &pub_key, &dh_point, &cfrag.kfrag_id);
             lc.push(coeff);
         }
 
@@ -148,10 +143,7 @@ impl Capsule {
         }
 
         // Secret value 'd' allows to make Umbral non-interactive
-        let d = ScalarDigest::new()
-            .chain_points(&[precursor, pub_key, dh_point])
-            .chain_bytes(NON_INTERACTIVE)
-            .finalize();
+        let d = hash_to_shared_secret(&precursor, &pub_key, &dh_point);
 
         let e = self.point_e;
         let v = self.point_v;

diff --git a/umbral-pre/src/constants.rs b/umbral-pre/src/constants.rs
diff --git a/umbral-pre/src/hashing.rs b/umbral-pre/src/hashing.rs
@@ -63,7 +63,11 @@ pub(crate) struct ScalarDigest(Sha3_256);
 // TODO (#2): original uses ExtendedKeccak here
 impl ScalarDigest {
     pub fn new() -> Self {
-        Self(Sha3_256::new()).chain_bytes(b"hash_to_curvebn")
+        Self(Sha3_256::new())
+    }
+
+    pub fn new_with_dst(bytes: &[u8]) -> Self {
+        Self::new().chain_bytes(bytes)
     }
 
     fn chain_impl(self, bytes: &[u8]) -> Self {

diff --git a/umbral-pre/src/hashing_ds.rs b/umbral-pre/src/hashing_ds.rs
@@ -0,0 +1,31 @@
+//! This module contains hashing sequences with included domain separation tags
+//! shared between different parts of the code.
+
+use crate::curve::{CurvePoint, CurveScalar};
+use crate::hashing::ScalarDigest;
+
+pub(crate) fn hash_to_polynomial_arg(
+    precursor: &CurvePoint,
+    pubkey: &CurvePoint,
+    dh_point: &CurvePoint,
+    id: &CurveScalar,
+) -> CurveScalar {
+    ScalarDigest::new_with_dst(b"POLYNOMIAL_ARG")
+        .chain_point(precursor)
+        .chain_point(pubkey)
+        .chain_point(dh_point)
+        .chain_scalar(id)
+        .finalize()
+}
+
+pub(crate) fn hash_to_shared_secret(
+    precursor: &CurvePoint,
+    pubkey: &CurvePoint,
+    dh_point: &CurvePoint,
+) -> CurveScalar {
+    ScalarDigest::new_with_dst(b"SHARED_SECRET")
+        .chain_point(precursor)
+        .chain_point(pubkey)
+        .chain_point(dh_point)
+        .finalize()
+}
diff --git a/umbral-pre/src/key_frag.rs b/umbral-pre/src/key_frag.rs
@@ -1,7 +1,7 @@
-use crate::constants::{NON_INTERACTIVE, X_COORDINATE};
 use crate::curve::{CurvePoint, CurveScalar};
 use crate::curve::{PublicKey, SecretKey, Signature};
-use crate::hashing::{ScalarDigest, SignatureDigest};
+use crate::hashing::SignatureDigest;
+use crate::hashing_ds::{hash_to_polynomial_arg, hash_to_shared_secret};
 use crate::params::Parameters;
 use crate::traits::SerializableToArray;
 
@@ -158,15 +158,12 @@ impl KeyFrag {
         // Sharing corresponds to x in the tuple (x, f(x)), with f being the
         // generating polynomial), is used to prevent reconstruction of the
         // re-encryption key without Bob's intervention
-        let share_index = ScalarDigest::new()
-            .chain_points(&[
-                factory.precursor,
-                factory.bob_pubkey_point,
-                factory.dh_point,
-            ])
-            .chain_bytes(X_COORDINATE)
-            .chain_scalar(&kfrag_id)
-            .finalize();
+        let share_index = hash_to_polynomial_arg(
+            &factory.precursor,
+            &factory.bob_pubkey_point,
+            &factory.dh_point,
+            &kfrag_id,
+        );
 
         // The re-encryption key share is the result of evaluating the generating
         // polynomial for the index value
@@ -277,10 +274,7 @@ impl KeyFragFactory {
             let dh_point = &bob_pubkey_point * &private_precursor;
 
             // Secret value 'd' allows to make Umbral non-interactive
-            let d = ScalarDigest::new()
-                .chain_points(&[precursor, bob_pubkey_point, dh_point])
-                .chain_bytes(NON_INTERACTIVE)
-                .finalize();
+            let d = hash_to_shared_secret(&precursor, &bob_pubkey_point, &dh_point);
 
             // At the moment we cannot statically ensure `d` is a `NonZeroScalar`,
             // but we need it to be non-zero for the algorithm to work.

diff --git a/umbral-pre/src/lib.rs b/umbral-pre/src/lib.rs
@@ -96,10 +96,10 @@ extern crate typenum;
 pub mod bench; // Re-export some internals for benchmarks.
 mod capsule;
 mod capsule_frag;
-mod constants;
 mod curve;
 mod dem;
 mod hashing;
+mod hashing_ds;
 mod key_frag;
 mod params;
 mod pre;