Open davidben opened 1 year ago
This is an oversight. I suppose one could assume the pseudocode implicitly rejects zero-length tags, but it doesn't hurt to add that to be explicit. We should do this.
Agreed! Thanks @davidben for spotting this.
Whoops, looks like this might have slipped through.
Argh. I'm very sorry about this.
https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/pull/264 added some text to 3.1:
However, it did not update any of the actual procedures, notably
expand_message_xmd
, leaving the text inconsistent. Was the intention that implementations reject empty DST values, or not? If yes, the actual procedures should be updated. If no, I'm not sure what that text is meant to prescribe... just instructions for callers but the underlying function tolerates zero length?