RFC 9497, "Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups", December 2023

Errata ID: 8392
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: daxpedda
Date Reported: 2025-04-25

Section 4 says:

RandomScalar():  Implemented by returning a uniformly random
         Scalar in the range [0, G.Order() - 1].

It should say:

RandomScalar():  Implemented by returning a uniformly random
         Scalar in the range [1, G.Order() - 1].

Notes:

Section 2.1 (https://www.rfc-editor.org/rfc/rfc9497#section-2.1-4.12) states:
> Chooses at random a nonzero element in GF(p).

So `RandomScalar()` implementations can't return 0.

Report New Errata