cfrg/draft-irtf-cfrg-hash-to-curve

P-521 suites have inconsistent L and k values

davidben opened this issue · 1 comments

The P-521 suites define L to be 96 and k to be 256. This is reflected in the reference implementation, which specifies both values.
https://cfrg.github.io/draft-irtf-cfrg-hash-to-curve/draft-irtf-cfrg-hash-to-curve.html#name-suites-for-nist-p-521
https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/blob/master/poc/suite_p521.sage#L21

However, L is a derived parameter in hash_to_field. It's computed as L = ceil((ceil(log2(p)) + k) / 8).
https://cfrg.github.io/draft-irtf-cfrg-hash-to-curve/draft-irtf-cfrg-hash-to-curve.html#name-hash_to_field-implementatio

For P-521 and k = 256, this gives L = ceil((521 + 256) / 8) = ceil(777 / 8) = 98, not 96. One would get 96 if 521 was misread as 512. Between this and wanting to specify enough bits beyond the prime[*], it seems we want L = 98 rather than L = 96? The reference implementation and test vectors appear to be computed based on L rather than k, so those too probably need to be updated.

[*] Although, in the case of P-521, the prime is 1 below a power of two anyway...

Thanks for pointing out this inconsistency, I will prepare the changes to fix this.
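
Added example (not part of the thread or the draft's reference code): a small check that recomputes L from p and k with the formula quoted in the issue and compares it with the stated value, also reporting how many bits 8L provides beyond the size of p. The function names are hypothetical, and the P-256 and P-384 rows are comparison values assumed from the draft's other suites rather than taken from this page.

```python
# Primes of the NIST fields. Only P-521 is discussed in the issue.
P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1
P384 = 2**384 - 2**128 - 2**96 + 2**32 - 1
P521 = 2**521 - 1

# (suite, p, k, stated L). P-521 row: values quoted in the issue.
# P-256 / P-384 rows: assumed for comparison, not stated on this page.
SUITES = [
    ("P-256", P256, 128, 48),
    ("P-384", P384, 192, 72),
    ("P-521", P521, 256, 96),
]

def ceil_log2(p):
    # Exact integer ceil(log2(p)); float log2 is unreliable at 521 bits.
    # bit_length() equals ceil(log2(p)) unless p is a power of two.
    return p.bit_length() if p & (p - 1) else p.bit_length() - 1

def derive_L(p, k):
    # L = ceil((ceil(log2(p)) + k) / 8), using integer ceiling division.
    return -(-(ceil_log2(p) + k) // 8)

def margin_bits(p, L):
    # Bits that an L-byte string carries beyond the size of p. This excess
    # is what k is meant to guarantee before reduction mod p.
    return 8 * L - ceil_log2(p)

def check_suites(suites=SUITES):
    # Returns (name, stated L, derived L, margin of stated L, consistent?).
    out = []
    for name, p, k, stated in suites:
        derived = derive_L(p, k)
        margin = margin_bits(p, stated)
        out.append((name, stated, derived, margin,
                    stated == derived and margin >= k))
    return out

if __name__ == "__main__":
    for name, stated, derived, margin, ok in check_suites():
        status = "ok" if ok else "INCONSISTENT"
        print(f"{name}: stated L={stated}, derived L={derived}, "
              f"margin={margin} bits -> {status}")
```

With the stated L = 96, P-521 has only 247 bits beyond the prime, short of k = 256; L = 98 gives 263.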