
secp256k1-tr: fix hashes_to_scalar to avoid panics (ZcashFoundation#777)
conradoplg authored and suefay committed Dec 25, 2024
1 parent ab3251b commit 98aff9f
Showing 1 changed file with 6 additions and 3 deletions.
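--- a/frost-secp256k1-tr/src/lib.rs
+++ b/frost-secp256k1-tr/src/lib.rs
@@ -8,14 +8,15 @@
 use std::collections::BTreeMap;
 
 use frost_rerandomized::RandomizedCiphersuite;
+use k256::elliptic_curve::ops::Reduce;
 use k256::{
 elliptic_curve::{
 bigint::U256,
 group::prime::PrimeCurveAffine,
 hash2curve::{hash_to_field, ExpandMsgXmd},
 point::AffineCoordinates,
 sec1::{FromEncodedPoint, ToEncodedPoint},
-Field as FFField, PrimeField, ScalarPrimitive,
+Field as FFField, PrimeField,
 },
 AffinePoint, ProjectivePoint, Scalar,
 };
@@ -190,8 +191,10 @@ pub struct Secp256K1Sha256;
 
 /// Digest the hasher to a Scalar
 fn hasher_to_scalar(hasher: Sha256) -> Scalar {
-let sp = ScalarPrimitive::new(U256::from_be_slice(&hasher.finalize())).unwrap();
-Scalar::from(&sp)
+// This is acceptable because secp256k1 curve order is close to 2^256,
+// and the input is uniformly random since it is a hash output, therefore
+// the bias is negligibly small.
+Scalar::reduce(U256::from_be_slice(&hasher.finalize()))
 }
 
 /// Create a BIP340 compliant tagged hash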
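Review bot: The doc comment on `hasher_to_scalar` still reads `/// Digest the hasher to a Scalar` and does not say that the 256-bit digest is now reduced modulo the group order instead of being rejected, so a reader of the signature alone cannot tell the function became total and non-injective on the top range of inputs. The removed `unwrap` on `ScalarPrimitive::new` was the only place an out-of-range digest was caught, and any caller that implicitly relied on that panic as a range check now receives a silently reduced scalar. Suggest `/// Digest the hasher to a Scalar by reducing the 256-bit output modulo the secp256k1 group order. Never panics; the bias is about 2^-128 since the order is within ~2^128 of 2^256.`, and quantifying the "negligibly small" claim in the new inline comment the same way. If this helper produces the BIP340 challenge scalar the mod-n reduction is also what that spec prescribes, but that use is not visible in the hunk.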
