RFC Errata


RFC 9497, "Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups", December 2023

Source of RFC: IRTF

Errata ID: 8393
Status: Reported
Type: Technical
Publication Format(s): TEXT, PDF, HTML

Reported By: daxpedda
Date Reported: 2025-04-25

Section 4.7 says:

4.7.1.  Rejection Sampling

   Generate a random byte array with Ns bytes and attempt to map to a
   Scalar by calling DeserializeScalar in constant time.
   ...

4.7.2.  Random Number Generation Using Extra Random Bits

   Generate a random byte array with L = ceil(((3 *
   ceil(log2(G.Order()))) / 2) / 8) bytes, and interpret it as an
   integer; reduce the integer modulo G.Order(), and return the result.

It should say:

4.7.1.  Rejection Sampling

   Generate a random byte array with Ns bytes and attempt to map to a
   Scalar by calling DeserializeScalar and checking for a nonzero Scalar
   in constant time.
   ...

4.7.2.  Random Number Generation Using Extra Random Bits

   Generate a random byte array with L = ceil(((3 *
   ceil(log2(G.Order()))) / 2) / 8) bytes, and interpret it as an
   integer; reduce the integer modulo G.Order() - 1, 1, and return the
   result.

Notes:

Section 2.1 (https://www.rfc-editor.org/rfc/rfc9497#section-2.1-4.12) states:
> Chooses at random a nonzero element in GF(p).

So `RandomScalar()` implementations can't return 0.

For rejection sampling I actually recommend changing `DeserializeScalar()` instead to check for nonzero Scalar and decline those. My suggested errata is just a compromise to keep the change as specific as possible. Changing `DeserializeScalar()` might need a separate discussion, but I will await feedback for that.

For "Random Number Generation Using Extra Random Bits" my suggestion is to follow FIPS 186-5 A.2.1 (https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#%5B%7B%22num%22%3A154%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C70%2C586%2C0%5D), which is described in my errata. I found no standard referring to Ristretto255, but the one provided by FIPS for ECDSA works as well here.
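The following sketch is an added illustration, not text from RFC 9497 or from the erratum: it shows both `RandomScalar()` strategies with the nonzero guarantee discussed above, using the ristretto255 group order as the example `G.Order()`. The function names, the injectable `rand` parameter, and the big-endian interpretation of the extra-random-bits buffer are assumptions made for the example; Python integers are not constant time, so this demonstrates the output range only.

```python
import secrets

# ristretto255 group order (prime), used here as the example G.Order().
ORDER = 2**252 + 27742317777372353535851937790883648493
NS = 32  # serialized scalar length in bytes for ristretto255


def deserialize_scalar(buf):
    """Little-endian decode; returns None if outside [0, ORDER - 1]."""
    if len(buf) != NS:
        return None
    s = int.from_bytes(buf, "little")
    return s if s < ORDER else None


def random_scalar_rejection(rand=secrets.token_bytes):
    """Section 4.7.1 plus the nonzero check proposed in the erratum."""
    while True:
        s = deserialize_scalar(rand(NS))
        # Retry on out-of-range input AND on zero (hypothetical helper logic;
        # a real implementation must do both checks in constant time).
        if s is not None and s != 0:
            return s


def extra_bits_len(order=ORDER):
    """L = ceil(((3 * ceil(log2(order))) / 2) / 8), in integer arithmetic."""
    bits = (order - 1).bit_length()  # equals ceil(log2(order)) for order > 1
    return -(-(3 * bits) // 16)


def random_scalar_extra_bits(rand=secrets.token_bytes, order=ORDER):
    """Section 4.7.2 reduced as in FIPS 186-5 A.2.1: (c mod (n - 1)) + 1."""
    # Byte order is an assumption of this example; either order is uniform.
    c = int.from_bytes(rand(extra_bits_len(order)), "big")
    return (c % (order - 1)) + 1  # always in [1, order - 1], never 0


if __name__ == "__main__":
    print(hex(random_scalar_rejection()))
    print(hex(random_scalar_extra_bits()))
```

Passing an all-zero buffer as `rand` output shows the difference from the unpatched text: the rejection sampler retries, and the extra-bits variant returns 1 rather than 0.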
