HashToGroup can produce the identity element and HashToScalar can produce a zero scalar. It is extremely unlikely though.
Currently it's not specified how to behave when this happens. Potentially, on failure to produce a valid output, the program might just automatically try again, which would simply be rejection sampling. Maybe that's fine, IANA cryptographer.
In addition DeriveKeyPair relies on HashToScalar, but it's currently undefined how to handler zero scalars.
Two functions can be used for generating a (V)OPRF key pair (skS, pkS)
where skS is a non-zero integer less than p and pkS = ScalarBaseMult(skS):
GenerateKeyPair and DeriveKeyPair.
chris-wood
commented
2 years ago
HashToGroupcan produce the identity element andHashToScalarcan produce a zero scalar. It is extremely unlikely though.Currently it's not specified how to behave when this happens. Potentially, on failure to produce a valid output, the program might just automatically try again, which would simply be rejection sampling. Maybe that's fine, IANA cryptographer.
In addition
DeriveKeyPairrelies onHashToScalar, but it's currently undefined how to handler zero scalars.https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-08.html#section-2.1-5
Related: cfrg/draft-irtf-cfrg-opaque#298.