Upgrade k256 and p256 dependencies (#262)

* Upgrade k256, remove & replace hash_to_field with hash2curve::hash_to_field

* Upgrade p256 to 0.13.0

* Remove now-redundant PrimeCurveAffine trait import

* DRY up hash_to_scalar()

frost-p256/Cargo.toml

@@ -22,7 +22,7 @@ description = "A Schnorr signature scheme over the NIST P-256 curve that support
 features = ["nightly"]
 
 [dependencies]
-p256 = { version = "0.11.1", features = ["hash2curve"] }
+p256 = { version = "0.12.0", features = ["hash2curve"] }
 frost-core = { path = "../frost-core", features = ["test-impl"] }
 rand_core = "0.6"
 sha2 = "0.10.2"

frost-p256/src/lib.rs

@@ -4,7 +4,6 @@
 
 use p256::{
     elliptic_curve::{
-        group::prime::PrimeCurveAffine,
         hash2curve::{hash_to_field, ExpandMsgXmd},
         sec1::{FromEncodedPoint, ToEncodedPoint},
         Field as FFField, PrimeField,

frost-secp256k1/Cargo.toml

@@ -22,9 +22,7 @@ features = ["nightly"]
 
 [dependencies]
 frost-core = { path = "../frost-core", features = ["test-impl"] }
-# Waiting for release after https://github.com/RustCrypto/elliptic-curves/pull/673 merged
-# k256 = { version = "0.11.6", features = ["arithmetic", "hash2curve"] }
-k256 = { git = "https://github.com/RustCrypto/elliptic-curves", rev = "e82a44cd4088dae04849824b6f84d37eb67a0e97", features = ["arithmetic", "hash2curve"] }
+k256 = { version = "0.13.0", features = ["arithmetic", "expose-field", "hash2curve"] }
 rand_core = "0.6"
 sha2 = "0.10.2"
 

frost-secp256k1/src/lib.rs

@@ -4,10 +4,8 @@
 
 use k256::{
     elliptic_curve::{
-        bigint::{Encoding, U384},
-        generic_array::GenericArray,
         group::prime::PrimeCurveAffine,
-        hash2curve::{ExpandMsg, ExpandMsgXmd, Expander},
+        hash2curve::{hash_to_field, ExpandMsgXmd},
         sec1::{FromEncodedPoint, ToEncodedPoint},
         Field as FFField, PrimeField,
     },
@@ -93,7 +91,7 @@ impl Group for Secp256K1Group {
     type Serialization = [u8; 33];
 
     fn cofactor() -> <Self::Field as Field>::Scalar {
-        Scalar::one()
+        Scalar::ONE
     }
 
     fn identity() -> Self::Element {
@@ -152,30 +150,11 @@ fn hash_to_array(inputs: &[&[u8]]) -> [u8; 32] {
     output
 }
 
-/// hash2field implementation from <https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3>
-///
-/// From <https://github.com/serai-dex/serai/blob/5df74ac9e28f9299e674e98d08e64c99c34e579c/crypto/ciphersuite/src/kp256.rs#L45-L62>
-//
-// After https://github.com/RustCrypto/elliptic-curves/pull/673/ merges this should
-// be removed, and a similar implementation to p256 should be used.
-fn hash_to_field(msg: &[u8], dst: &[u8]) -> Scalar {
-    let mut modulus = [0; 48];
-    modulus[16..].copy_from_slice(&(Scalar::ZERO - Scalar::ONE).to_bytes());
-    let modulus = U384::from_be_slice(&modulus).wrapping_add(&U384::ONE);
-
-    let unreduced = U384::from_be_bytes({
-        let mut bytes = [0; 48];
-        ExpandMsgXmd::<Sha256>::expand_message(&[msg], dst, 48)
-            .expect("should never return error according to error cases described in ExpandMsgXmd")
-            .fill_bytes(&mut bytes);
-        bytes
-    })
-    .reduce(&modulus)
-    .unwrap()
-    .to_be_bytes();
-
-    let array = *GenericArray::from_slice(&unreduced[16..]);
-    Scalar::from_repr(array).unwrap()
+fn hash_to_scalar(domain: &[u8], msg: &[u8]) -> Scalar {
+    let mut u = [Secp256K1ScalarField::zero()];
+    hash_to_field::<ExpandMsgXmd<Sha256>, Scalar>(&[msg], &[domain], &mut u)
+        .expect("should never return error according to error cases described in ExpandMsgXmd");
+    u[0]
 }
 
 /// Context string from the ciphersuite in the [spec].
@@ -198,24 +177,21 @@ impl Ciphersuite for Secp256K1Sha256 {
     ///
     /// [spec]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-11.html#section-6.5-2.2.2.1
     fn H1(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar {
-        let dst = CONTEXT_STRING.to_owned() + "rho";
-        hash_to_field(m, dst.as_bytes())
+        hash_to_scalar((CONTEXT_STRING.to_owned() + "rho").as_bytes(), m)
     }
 
     /// H2 for FROST(secp256k1, SHA-256)
     ///
     /// [spec]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-11.html#section-6.5-2.2.2.2
     fn H2(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar {
-        let dst = CONTEXT_STRING.to_owned() + "chal";
-        hash_to_field(m, dst.as_bytes())
+        hash_to_scalar((CONTEXT_STRING.to_owned() + "chal").as_bytes(), m)
     }
 
     /// H3 for FROST(secp256k1, SHA-256)
     ///
     /// [spec]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-11.html#section-6.5-2.2.2.3
     fn H3(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar {
-        let dst = CONTEXT_STRING.to_owned() + "nonce";
-        hash_to_field(m, dst.as_bytes())
+        hash_to_scalar((CONTEXT_STRING.to_owned() + "nonce").as_bytes(), m)
     }
 
     /// H4 for FROST(secp256k1, SHA-256)
@@ -234,8 +210,10 @@ impl Ciphersuite for Secp256K1Sha256 {
 
     /// HDKG for FROST(secp256k1, SHA-256)
     fn HDKG(m: &[u8]) -> Option<<<Self::Group as Group>::Field as Field>::Scalar> {
-        let dst = CONTEXT_STRING.to_owned() + "dkg";
-        Some(hash_to_field(m, dst.as_bytes()))
+        Some(hash_to_scalar(
+            (CONTEXT_STRING.to_owned() + "dkg").as_bytes(),
+            m,
+        ))
     }
 }