Change K to represent bytes instead of bits

daxpedda · daxpedda · commit 1f2fd8bcc49a · 2025-04-17T16:04:41.000+02:00
diff --git a/elliptic-curve/src/hash2curve/group_digest.rs b/elliptic-curve/src/hash2curve/group_digest.rs
@@ -13,7 +13,7 @@ where
     /// The field element representation for a group value with multiple elements
     type FieldElement: FromOkm + MapToCurve<Output = ProjectivePoint<Self>> + Default + Copy;
 
-    /// The target security level in bits:
+    /// The target security level in bytes:
     /// <https://www.rfc-editor.org/rfc/rfc9380.html#section-8.9-2.2>
     /// <https://www.rfc-editor.org/rfc/rfc9380.html#name-target-security-levels>
     type K: Unsigned;
diff --git a/elliptic-curve/src/hash2curve/hash2field/expand_msg/xmd.rs b/elliptic-curve/src/hash2curve/hash2field/expand_msg/xmd.rs
@@ -8,15 +8,15 @@ use digest::{
     FixedOutput, HashMarker,
     array::{
         Array,
-        typenum::{IsGreaterOrEqual, IsLess, IsLessOrEqual, U2, U8, U256, Unsigned},
+        typenum::{IsGreaterOrEqual, IsLess, IsLessOrEqual, U2, U256, Unsigned},
     },
     core_api::BlockSizeUser,
 };
 
 /// Implements `expand_message_xof` via the [`ExpandMsg`] trait:
 /// <https://www.rfc-editor.org/rfc/rfc9380.html#name-expand_message_xmd>
 ///
-/// `K` is the target security level in bits:
+/// `K` is the target security level in bytes:
 /// <https://www.rfc-editor.org/rfc/rfc9380.html#section-8.9-2.2>
 /// <https://www.rfc-editor.org/rfc/rfc9380.html#name-target-security-levels>
 ///
@@ -30,9 +30,8 @@ where
     HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
     HashT::OutputSize: IsLess<U256>,
     HashT::OutputSize: IsLessOrEqual<HashT::BlockSize>,
-    HashT::OutputSize: Mul<U8>,
-    U2: Mul<K>,
-    <HashT::OutputSize as Mul<U8>>::Output: IsGreaterOrEqual<<U2 as Mul<K>>::Output>;
+    K: Mul<U2>,
+    HashT::OutputSize: IsGreaterOrEqual<<K as Mul<U2>>::Output>;
 
 impl<'a, HashT, K> ExpandMsg<'a> for ExpandMsgXmd<HashT, K>
 where
@@ -44,11 +43,10 @@ where
     // Constraint set by `expand_message_xmd`:
     // https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-13.html#section-5.4.1-4
     HashT::OutputSize: IsLessOrEqual<HashT::BlockSize>,
-    // The number of bits output by `HashT` MUST be larger or equal to `2 * K`:
+    // The number of bits output by `HashT` MUST be larger or equal to `K * 2`:
     // https://www.rfc-editor.org/rfc/rfc9380.html#section-5.3.1-2.1
-    HashT::OutputSize: Mul<U8>,
-    U2: Mul<K>,
-    <HashT::OutputSize as Mul<U8>>::Output: IsGreaterOrEqual<<U2 as Mul<K>>::Output>,
+    K: Mul<U2>,
+    HashT::OutputSize: IsGreaterOrEqual<<K as Mul<U2>>::Output>,
 {
     type Expander = ExpanderXmd<'a, HashT>;
 
@@ -169,7 +167,7 @@ mod test {
     use hex_literal::hex;
     use hybrid_array::{
         ArraySize,
-        typenum::{U8, U32, U128},
+        typenum::{U8, U4, U32, U128},
     };
     use sha2::Sha256;
 
@@ -222,13 +220,12 @@ mod test {
         where
             HashT: BlockSizeUser + Default + FixedOutput + HashMarker,
             HashT::OutputSize: IsLess<U256> + IsLessOrEqual<HashT::BlockSize> + Mul<U8>,
-            U2: Mul<U32>,
-            <HashT::OutputSize as Mul<U8>>::Output: IsGreaterOrEqual<<U2 as Mul<U32>>::Output>,
+            HashT::OutputSize: IsGreaterOrEqual<<U4 as Mul<U2>>::Output>,
         {
             assert_message::<HashT>(self.msg, domain, L::to_u16(), self.msg_prime);
 
             let dst = [dst];
-            let mut expander = ExpandMsgXmd::<HashT, U32>::expand_message(
+            let mut expander = ExpandMsgXmd::<HashT, U4>::expand_message(
                 &[self.msg],
                 &dst,
                 NonZero::new(L::to_usize()).ok_or(Error)?,
diff --git a/elliptic-curve/src/hash2curve/hash2field/expand_msg/xof.rs b/elliptic-curve/src/hash2curve/hash2field/expand_msg/xof.rs
@@ -2,22 +2,17 @@
 
 use super::{Domain, ExpandMsg, Expander};
 use crate::{Error, Result};
-use core::{
-    fmt,
-    marker::PhantomData,
-    num::NonZero,
-    ops::{Div, Mul},
-};
+use core::{fmt, marker::PhantomData, num::NonZero, ops::Mul};
 use digest::{ExtendableOutput, HashMarker, Update, XofReader};
 use hybrid_array::{
     ArraySize,
-    typenum::{IsLess, U2, U8, U256},
+    typenum::{IsLess, U2, U256},
 };
 
 /// Implements `expand_message_xof` via the [`ExpandMsg`] trait:
 /// <https://www.rfc-editor.org/rfc/rfc9380.html#name-expand_message_xof>
 ///
-/// `K` is the target security level in bits:
+/// `K` is the target security level in bytes:
 /// <https://www.rfc-editor.org/rfc/rfc9380.html#section-8.9-2.2>
 /// <https://www.rfc-editor.org/rfc/rfc9380.html#name-target-security-levels>
 ///
@@ -27,9 +22,8 @@ use hybrid_array::{
 pub struct ExpandMsgXof<HashT, K>
 where
     HashT: Default + ExtendableOutput + Update + HashMarker,
-    U2: Mul<K>,
-    <U2 as Mul<K>>::Output: Div<U8>,
-    HashSize<K>: ArraySize + IsLess<U256>,
+    K: Mul<U2>,
+    <K as Mul<U2>>::Output: ArraySize + IsLess<U256>,
 {
     reader: <HashT as ExtendableOutput>::Reader,
     _k: PhantomData<K>,
@@ -38,9 +32,8 @@ where
 impl<HashT, K> fmt::Debug for ExpandMsgXof<HashT, K>
 where
     HashT: Default + ExtendableOutput + Update + HashMarker,
-    U2: Mul<K>,
-    <U2 as Mul<K>>::Output: Div<U8>,
-    HashSize<K>: ArraySize + IsLess<U256>,
+    K: Mul<U2>,
+    <K as Mul<U2>>::Output: ArraySize + IsLess<U256>,
     <HashT as ExtendableOutput>::Reader: fmt::Debug,
 {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
@@ -50,17 +43,13 @@ where
     }
 }
 
-type HashSize<K> = <<U2 as Mul<K>>::Output as Div<U8>>::Output;
-
 impl<'a, HashT, K> ExpandMsg<'a> for ExpandMsgXof<HashT, K>
 where
     HashT: Default + ExtendableOutput + Update + HashMarker,
-    // If DST is larger than 255 bytes, the length of the computed DST is calculated by
-    // `2 * k / 8`.
+    // If DST is larger than 255 bytes, the length of the computed DST is calculated by `K * 2`.
     // https://www.rfc-editor.org/rfc/rfc9380.html#section-5.3.1-2.1
-    U2: Mul<K>,
-    <U2 as Mul<K>>::Output: Div<U8>,
-    HashSize<K>: ArraySize + IsLess<U256>,
+    K: Mul<U2>,
+    <K as Mul<U2>>::Output: ArraySize + IsLess<U256>,
 {
     type Expander = Self;
 
@@ -71,7 +60,7 @@ where
     ) -> Result<Self::Expander> {
         let len_in_bytes = u16::try_from(len_in_bytes.get()).map_err(|_| Error)?;
 
-        let domain = Domain::<HashSize<K>>::xof::<HashT>(dsts)?;
+        let domain = Domain::<<K as Mul<U2>>::Output>::xof::<HashT>(dsts)?;
         let mut reader = HashT::default();
 
         for msg in msgs {
@@ -92,9 +81,8 @@ where
 impl<HashT, K> Expander for ExpandMsgXof<HashT, K>
 where
     HashT: Default + ExtendableOutput + Update + HashMarker,
-    U2: Mul<K>,
-    <U2 as Mul<K>>::Output: Div<U8>,
-    HashSize<K>: ArraySize + IsLess<U256>,
+    K: Mul<U2>,
+    <K as Mul<U2>>::Output: ArraySize + IsLess<U256>,
 {
     fn fill_bytes(&mut self, okm: &mut [u8]) {
         self.reader.read(okm);
@@ -108,7 +96,7 @@ mod test {
     use hex_literal::hex;
     use hybrid_array::{
         Array, ArraySize,
-        typenum::{U32, U128},
+        typenum::{U16, U32, U128},
     };
     use sha3::Shake128;
 
@@ -146,7 +134,7 @@ mod test {
         {
             assert_message(self.msg, domain, L::to_u16(), self.msg_prime);
 
-            let mut expander = ExpandMsgXof::<HashT, U128>::expand_message(
+            let mut expander = ExpandMsgXof::<HashT, U16>::expand_message(
                 &[self.msg],
                 &[dst],
                 NonZero::new(L::to_usize()).ok_or(Error)?,
