
Clarify purpose of FromDigest trait #244

Merged (1 commit) Feb 15, 2021

Conversation

@rvolgers (Contributor) commented Feb 13, 2021

This is my best understanding from what I was told in another issue.

@tarcieri (Member) commented Feb 13, 2021

The FromDigest trait is not specifically related to RFC 6979.

The main use case is as a core part of the ECDSA algorithm, however the operation it performs, a hash-to-scalar transformation based on a modular output of a hash function, is the same as the operation described in RFC6979 Section 2.4:

       H(m) is transformed into an integer modulo q using the bits2int
       transform and an extra modular reduction:

          h = bits2int(H(m)) mod q

       As was noted in the description of bits2octets, the extra modular
       reduction is no more than a conditional subtraction.

The ECDSA algorithm itself, separately from RFC 6979, performs a modular reduction of the output of a hash function in order to compute a scalar 𝑒 from H(m), which is subsequently used for both signing and verification.
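The bits2int-then-reduce step quoted above, as an added worked example in Python (not code from the ecdsa or rfc6979 crates). It assumes the P-256 group order as q and uses constructed digests; it also handles a digest longer than q (SHA-512 with a 256-bit q), which is the case where bits2int actually truncates.

```python
import hashlib

# Assumption: the order of the P-256 (secp256r1) group serves as the example modulus q.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def bits2int(octets: bytes, qlen: int) -> int:
    """RFC 6979 section 2.3.2: read the octets as a big-endian integer and keep
    only the leftmost qlen bits (shift right when the input is longer than q)."""
    value = int.from_bytes(octets, "big")
    blen = len(octets) * 8
    if blen > qlen:
        value >>= blen - qlen
    return value


def hash_to_scalar(digest: bytes, q: int) -> int:
    """h = bits2int(H(m)) mod q, as in RFC 6979 section 2.4.

    bits2int already bounds the value to qlen bits, so the 'extra modular
    reduction' is exactly one conditional subtraction, never a full division."""
    h = bits2int(digest, q.bit_length())
    if h >= q:
        h -= q
    assert 0 <= h < q
    return h


def demo() -> dict:
    """Constructed inputs: a SHA-256 digest, a SHA-512 digest (longer than q),
    and an all-0xFF digest that forces the conditional subtraction."""
    d256 = hashlib.sha256(b"sample").digest()
    d512 = hashlib.sha512(b"sample").digest()
    return {
        "sha256": hash_to_scalar(d256, P256_ORDER),
        # Only the leftmost 256 bits of SHA-512 survive bits2int.
        "sha512": hash_to_scalar(d512, P256_ORDER),
        "sha512_prefix": hash_to_scalar(d512[:32], P256_ORDER),
        "all_ff": hash_to_scalar(b"\xff" * 32, P256_ORDER),
    }


if __name__ == "__main__":
    for name, scalar in demo().items():
        print(f"{name}: {scalar:#066x}")
```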

@rvolgers (Contributor, Author)

And that's why it should remain in ecdsa instead of being moved to rfc6979, right?

It's good additional context, but I don't see anything actionable for me to change. The RFC6979 explanations of anything are much clearer than the ones in the DSA standard, and the point is to be clear about the expected semantics.

@tarcieri (Member)

Yes, that's why it should be in ecdsa and the rfc6979 crate should consume the reduced outputs.

I think the wording is a bit confusing in that it cites RFC 6979, but unfortunately the primary documentation for ECDSA (e.g. ANSI X9.62) is paywalled.

Comment on lines +151 to +153
///
/// This trait may also be useful for other hash-to-scalar or hash-to-curve
/// use cases.
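Review bot: the "hash-to-curve" claim at lines +151 to +153 is not supported by the trait's described behaviour; the thread above only establishes FromDigest as a hash-to-scalar step (bits2int of the digest reduced modulo q), so either drop this sentence, as suggested below, or narrow it to "other hash-to-scalar use cases".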

This part can probably be removed

@tarcieri tarcieri merged commit ed5ba6a into RustCrypto:master Feb 15, 2021
@tarcieri tarcieri mentioned this pull request Apr 29, 2021