Hashing to nonzero scalars

[fjarri]

At the moment we have two places where things are hashed to a Scalar: hash_to_polynomial_arg() and hash_to_shared_secret(). In PyUmbral the result of both was a non-zero scalar (implemented by taking order - 1 modulus of the digest and adding 1).

For hash_to_shared_secret() we enforce this externally (see KeyFragFactory::new()): we generate inputs until the result is nonzero. For hash_to_polynomial_arg() we do not currently enforce it.

A way to solve this would be to add from_digest() implementation to RustCrypto's NonZeroScalar.

This is also related to #35

@tuxxy , @cygnusv , how important is it?

[cygnusv]

What do you mean by "we generate inputs until the result is non zero"?

[fjarri]

Basically https://github.com/nucypher/rust-umbral/blob/master/umbral-pre/src/key_frag.rs#L299

[tuxxy]

@fjarri can you provide a link to the NonZeroScalar from RustCrypto?

[cygnusv]

As a general solution, it doesn't work. Sure, for KFrag generation we can resample the input until we get the hash output right, but we may not have the same luck in general.
On the other hand, the probability of the result being zero is so low that it simply won't happen.

A way to solve this would be to add from_digest() implementation to RustCrypto's NonZeroScalar.

How would this look like?

[fjarri]

@tuxxy :
https://docs.rs/elliptic-curve/0.9.6/elliptic_curve/struct.NonZeroScalar.html .

How would this look like?

Something simlar to how it is implemented for Scalar:
https://github.com/RustCrypto/elliptic-curves/blob/master/k256/src/arithmetic/scalar.rs#L338
which is essentially just mod(random_bytes, order).

I see two ways to implement that for NonZeroScalar:

1. (simple) check for zero after taking mod order and add 1 (in constant-time, of course)
2. (more complicated) take mod (order - 1) and add 1. That will require writing a special modulo function in the backend.

Thoughts?