cfrg / draft-irtf-cfrg-hash-to-curve

Hashing to Elliptic Curves

Potential mistake in `hash_to_field` pseudocode #302

Closed forgetfulmorphism closed 3 years ago

forgetfulmorphism commented 3 years ago

From this section, in the pseudocode below:

   Steps:
   1. len_in_bytes = count * m * L
   2. uniform_bytes = expand_message(msg, DST, len_in_bytes)
   3. for i in (0, ..., count - 1):
   4.   for j in (0, ..., m - 1):
   5.     elm_offset = L * (j + i * m)
   6.     tv = substr(uniform_bytes, elm_offset, L)
   7.     e_j = OS2IP(tv) mod p
   8.   u_i = (e_0, ..., e_(m - 1))
   9. return (u_0, ..., u_(count - 1))

Given count=2 and m=1, the second assignment of elm_offset will be L*(0 + 1 * 1)=L which makes tv=substr(uniform_bytes, L, L) therefore len(tv) != L. If we proceed as follows, we will get the current length for each tv:

   elm_offset = L * (j + i * m)
   next_elm_offset = L * ((j + 1) + i * m)
   tv = substr(uniform_bytes, elm_offset, next_elm_offset)

forgetfulmorphism commented 3 years ago

Just reread the definition of substr and it makes sense!
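The following is an added worked example, not code from the draft or from the issue author, that runs the `hash_to_field` pseudocode above with the draft's own `substr(str, sbegin, slen)` semantics (slen is a length, not an end position) and shows why each `tv` does come out L bytes long for count=2, m=1, while the (begin, end) reading behind the issue would make the second slice empty. It assumes `expand_message_xmd` with SHA-256 as the expander, the curve25519 prime as p with the L = 48 the draft derives for it, and a constructed message and DST.

```python
import hashlib

# Constructed parameters: the curve25519 field prime and the L the draft
# derives for it, ceil((255 + 128) / 8) = 48; m = 1 since the field is prime.
P = 2**255 - 19
L = 48


def I2OSP(x: int, length: int) -> bytes:
    return x.to_bytes(length, "big")


def OS2IP(octets: bytes) -> int:
    return int.from_bytes(octets, "big")


def substr(s: bytes, sbegin: int, slen: int) -> bytes:
    """The draft's substr: the slen-byte substring starting at zero-indexed sbegin."""
    return s[sbegin:sbegin + slen]


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int, H=hashlib.sha256) -> bytes:
    """expand_message_xmd as specified in the draft, SHA-256 by default."""
    b_in_bytes = H().digest_size
    s_in_bytes = H().block_size
    ell = -(-len_in_bytes // b_in_bytes)  # ceil(len_in_bytes / b_in_bytes)
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd: parameter out of range")
    dst_prime = dst + I2OSP(len(dst), 1)
    msg_prime = I2OSP(0, s_in_bytes) + msg + I2OSP(len_in_bytes, 2) + I2OSP(0, 1) + dst_prime
    b_0 = H(msg_prime).digest()
    blocks = [H(b_0 + I2OSP(1, 1) + dst_prime).digest()]
    for i in range(2, ell + 1):
        xored = bytes(x ^ y for x, y in zip(b_0, blocks[-1]))
        blocks.append(H(xored + I2OSP(i, 1) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def hash_to_field(msg: bytes, dst: bytes, count: int, m: int = 1, p: int = P, L: int = L):
    """Direct transcription of the draft's hash_to_field pseudocode."""
    len_in_bytes = count * m * L
    uniform_bytes = expand_message_xmd(msg, dst, len_in_bytes)
    u = []
    for i in range(count):
        e = []
        for j in range(m):
            elm_offset = L * (j + i * m)
            tv = substr(uniform_bytes, elm_offset, L)  # always exactly L bytes
            e.append(OS2IP(tv) % p)
        u.append(tuple(e))
    return u


def tv_lengths(count: int, m: int = 1, L: int = L, begin_end_reading: bool = False):
    """Length of every tv under the draft's (sbegin, slen) substr versus the
    (begin, end) misreading raised in the issue. Contents are irrelevant here,
    so a constructed all-zero buffer of the right size stands in for uniform_bytes."""
    uniform_bytes = bytes(count * m * L)
    lengths = []
    for i in range(count):
        for j in range(m):
            elm_offset = L * (j + i * m)
            if begin_end_reading:
                tv = uniform_bytes[elm_offset:L]  # the misreading: L taken as an end index
            else:
                tv = substr(uniform_bytes, elm_offset, L)
            lengths.append(len(tv))
    return lengths


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    print(tv_lengths(2, 1), tv_lengths(2, 1, begin_end_reading=True))
    print(hash_to_field(b"constructed message", b"QUUX-V01-CS02-with-expander-SHA256-128", 2))
```

With the draft's semantics `elm_offset` advances by L each element and every `substr` call asks for L bytes, so the slices tile `uniform_bytes` exactly; `next_elm_offset` would only be needed if the third argument were an end position.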