bug: possibly incorrect DST_prime in ExpandMsgXmd

[hussein-aitlahcen]

Unless I am missing something, it look like instead of DST_prime = I2OSP(len(DST), 1) ∥ DST, we do DST_prime = DST || I2OSP(len(DST), 1) in:

• gnark-crypto/field/hash/hashutils.go

  Lines 37 to 40 in eb75782

  	if _, err := h.Write(dst); err != nil {
  	return nil, err
  	}
  	if _, err := h.Write([]byte{sizeDomain}); err != nil {

• gnark-crypto/field/hash/hashutils.go

  Lines 53 to 56 in eb75782

  	if _, err := h.Write(dst); err != nil {
  	return nil, err
  	}
  	if _, err := h.Write([]byte{sizeDomain}); err != nil {

• gnark-crypto/field/hash/hashutils.go

  Lines 77 to 80 in eb75782

  	if _, err := h.Write(dst); err != nil {
  	return nil, err
  	}
  	if _, err := h.Write([]byte{sizeDomain}); err != nil {

[ivokub]

Indeed, I also encountered it some time ago. I'd have to recheck, but imo it was due to different versions of the RFC we implemented hash-to-field from.

[hussein-aitlahcen]

Indeed, I also encountered it some time ago. I'd have to recheck, but imo it was due to different versions of the RFC we implemented hash-to-field from.

I figured out while rewriting this in a gnark circuit... Do you want me to open a PR or we consider this to be fine (maybe backward compatibility would be hurt here)?

[ivokub]

So, we have referenced version 06 in the code, but actually implemented the final version, see: https://datatracker.ietf.org/doc/html/rfc9380.

[ivokub]

Indeed, it would already hurt backwards compatibility as we also implement hash-to-field in the Solidity smart contract verifier and the current PLONK version we have is audited, so cannot modify easily anymore.

[hussein-aitlahcen]

Ah the implementation is correct then, let me just change the reference in case anyone hit this again haha. Thanks for the quick answer!

[ivokub]

It would be perfect!