diff --git a/include/mcl/fp.hpp b/include/mcl/fp.hpp
index 403bcf1..894d939 100644
--- a/include/mcl/fp.hpp
+++ b/include/mcl/fp.hpp
@@ -74,6 +74,7 @@ uint32_t sha256(void *out, uint32_t maxOutSize, const void *msg, uint32_t msgSiz
 uint32_t sha512(void *out, uint32_t maxOutSize, const void *msg, uint32_t msgSize);
 void hkdf_extract_addZeroByte(uint8_t hmac[32], const uint8_t *salt, size_t saltSize, const uint8_t *msg, size_t msgSize);
+void hkdf_extract(uint8_t hmac[32], const uint8_t *salt, size_t saltSize, const uint8_t *msg, size_t msgSize);
 void hkdf_expand(uint8_t out[64], const uint8_t prk[32], char info[6]);
 namespace local {
diff --git a/include/mcl/mapto_wb19.hpp b/include/mcl/mapto_wb19.hpp
index 37c184e..ba6662b 100644
--- a/include/mcl/mapto_wb19.hpp
+++ b/include/mcl/mapto_wb19.hpp
@@ -9,14 +9,18 @@
 */
 // ctr = 0 or 1 or 2
-inline void hashToFp2(Fp2& out, const void *msg, size_t msgSize, uint8_t ctr, const void *dst, size_t dstSize)
+inline void hashToFp2(Fp2& out, const void *msg, size_t msgSize, uint8_t ctr, const void *dst, size_t dstSize, bool addZero = true)
 {
 assert(ctr <= 2);
 const size_t degree = 2;
 uint8_t msg_prime[32];
 // add '\0' at the end of dst
 // see. 5.3. Implementation of https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve
- fp::hkdf_extract_addZeroByte(msg_prime, reinterpret_cast(dst), dstSize, reinterpret_cast(msg), msgSize);
+ if (addZero) {
+ fp::hkdf_extract_addZeroByte(msg_prime, reinterpret_cast(dst), dstSize, reinterpret_cast(msg), msgSize);
+ } else {
+ fp::hkdf_extract(msg_prime, reinterpret_cast(dst), dstSize, reinterpret_cast(msg), msgSize);
+ }
 char info_pfx[] = "H2C000";
 info_pfx[3] = ctr;
 for (size_t i = 0; i < degree; i++) {
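Review bot: The new `addZero` parameter of hashToFp2 is undocumented, and the existing comment `// add '\0' at the end of dst` now describes only the `addZero == true` branch while sitting above both. The two branches feed different inputs to HKDF-Extract, so for the same msg and dst they produce different field elements; a caller that selects the wrong variant does not fail, it silently loses interoperability with the peer. I would extend the header comment with `// addZero: true = fp::hkdf_extract_addZeroByte (zero-byte variant described below), false = plain fp::hkdf_extract; both sides must agree` and move the '\0' remark inside the true branch. A positional `bool` defaulted to true also reads as a bare `false` at call sites; a named enum would make the selection visible, though that is a style preference.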
@@ -480,13 +484,17 @@ struct MapToG2_WB19 {
 iso3(P, Pp);
 clear_h2(P, P);
 }
- void map2curve_osswu2(G2& out, const void *msg, size_t msgSize, const void *dst, size_t dstSize) const
+ void map2curve_osswu2(G2& out, const void *msg, size_t msgSize, const void *dst, size_t dstSize, bool addZero = true) const
 {
 Fp2 t1, t2;
- hashToFp2(t1, msg, msgSize, 0, dst, dstSize);
- hashToFp2(t2, msg, msgSize, 1, dst, dstSize);
+ hashToFp2(t1, msg, msgSize, 0, dst, dstSize, addZero);
+ hashToFp2(t2, msg, msgSize, 1, dst, dstSize, addZero);
 opt_swu2_map(out, t1, &t2);
 }
-
+ void msgToG2(G2& out, const void *msg, size_t msgSize) const
+ {
+ const char *dst = "BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_";
+ map2curve_osswu2(out, msg, msgSize, dst, strlen(dst), false);
+ }
 };
diff --git a/src/fp.cpp b/src/fp.cpp
index 4dce66d..64dc4a1 100644
--- a/src/fp.cpp
+++ b/src/fp.cpp
@@ -139,6 +139,17 @@ void hkdf_extract_addZeroByte(uint8_t hmac[32], const uint8_t *salt, size_t salt
 cybozu::hmac256addZeroByte(hmac, salt, saltSize, msg, msgSize);
 }
+void hkdf_extract(uint8_t hmac[32], const uint8_t *salt, size_t saltSize, const uint8_t *msg, size_t msgSize)
+{
+ uint8_t saltZero[32];
+ if (salt == 0 || saltSize == 0) {
+ memset(saltZero, 0, sizeof(saltZero));
+ salt = saltZero;
+ saltSize = sizeof(saltZero);
+ }
+ cybozu::hmac256(hmac, salt, saltSize, msg, msgSize);
+}
+
 void hkdf_expand(uint8_t out[64], const uint8_t prk[32], char info[6])
 {
 info[5] = 1;
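Review bot: msgToG2 hard-codes the DST `BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` together with `addZero = false`, but nothing at the declaration says so; the `_POP_` suffix names one BLS ciphersuite, and the other schemes in the BLS signature draft use different DSTs, so a caller reusing this generically named helper for another scheme gets a well-formed point that no peer will accept. I would add above it `// hash-to-G2 for the BLS proof-of-possession ciphersuite only: the DST and the addZero=false variant are fixed parts of that suite`. `strlen(dst)` on a literal could be `sizeof(dst) - 1` with `const char dst[] = ...`, and as written it relies on `<string.h>`/`<cstring>` being included by this header, which I cannot confirm from the hunk. The enclosing struct MapToG2_WB19 begins outside the hunk.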
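Review bot: hkdf_extract substitutes 32 zero bytes when the salt is null or empty without saying why; that is the RFC 5869 section 2.2 rule (an absent salt is HashLen zero bytes), and because HMAC-SHA256 zero-pads keys shorter than its block size an empty key yields the same PRK, so the branch exists for explicitness and to avoid handing a null pointer to hmac256 rather than to change the result. I would put above the `if`: `// RFC 5869 2.2: no salt means HashLen (32) zero bytes; also avoids passing a null salt to hmac256`. `salt == 0` would read better as `salt == nullptr` if this file builds as C++11 or later, which I cannot tell from the hunk; memset likewise presumes `<cstring>` is already included by fp.cpp.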