RFC Errata
RFC 9497, "Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups", December 2023
Source of RFC: IRTF
Errata ID: 8393
Status: Held for Document Update
Type: Technical
Publication Format(s): TEXT, PDF, HTML
Reported By: daxpedda
Date Reported: 2025-04-25
Held for Document Update by: Nick Sullivan
Date Held: 2026-01-27
Section 4.7 says:
4.7.1. Rejection Sampling
Generate a random byte array with Ns bytes and attempt to map to a Scalar by calling DeserializeScalar in constant time.
...
4.7.2. Random Number Generation Using Extra Random Bits
Generate a random byte array with L = ceil(((3 * ceil(log2(G.Order()))) / 2) / 8) bytes, and interpret it as an integer; reduce the integer modulo G.Order(), and return the result.
It should say:
4.7.1. Rejection Sampling
Generate a random byte array with Ns bytes and attempt to map to a Scalar by calling DeserializeScalar and checking for a nonzero Scalar in constant time.
...
4.7.2. Random Number Generation Using Extra Random Bits
Generate a random byte array with L = ceil(((3 * ceil(log2(G.Order()))) / 2) / 8) bytes, and interpret it as an integer; reduce the integer modulo G.Order() - 1, 1, and return the result.
Notes:
Section 2.1 states: "Chooses at random a nonzero element
in GF(p)." So RandomScalar() implementations can't return 0.
For rejection sampling I recommend changing DeserializeScalar()
to check for nonzero Scalar and decline those. My suggested
errata is a compromise to keep the change specific.
For "Random Number Generation Using Extra Random Bits" my
suggestion follows FIPS 186-5 A.2.1.
--VERIFIER NOTE--
Held for document update. The underlying issue (RandomScalar
must exclude zero) is valid and addressed by EID 8392, which
fixes the Section 4 range to [1, G.Order()-1]. This erratum's
proposed text for Section 4.7 is unclear ("modulo G.Order() -
1, 1"). For implementers: the correct approach per FIPS 186-5
A.2.1 is (random mod (G.Order()-1)) + 1, producing scalars in
[1, G.Order()-1].
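Both Section 4.7 methods with the zero-excluding corrections discussed above, as an added example that is not part of the erratum or of RFC 9497: the P-256 group order is used as the worked parameter, scalars are read big-endian as in the P-256 ciphersuite, and `randbytes` is an injected source so the edge cases can be exercised deterministically.

```python
import math
import secrets
from typing import Callable, Optional

# Group order of the NIST P-256 curve (the P-256 ciphersuite of RFC 9497).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

RandBytes = Callable[[int], bytes]


def ceil_log2(order: int) -> int:
    """ceil(log2(order)) for order >= 2, exact for powers of two as well."""
    return (order - 1).bit_length()


def extra_bits_length(order: int) -> int:
    """L = ceil(((3 * ceil(log2(G.Order()))) / 2) / 8), the byte count of Section 4.7.2."""
    return math.ceil(3 * ceil_log2(order) / 2 / 8)


def random_scalar_extra_bits(order: int, randbytes: RandBytes = secrets.token_bytes) -> int:
    """Section 4.7.2 with the FIPS 186-5 A.2.1 correction from the verifier note:
    reduce modulo (order - 1) and add 1, so the result lies in [1, order - 1]."""
    c = int.from_bytes(randbytes(extra_bits_length(order)), "big")  # big-endian, as for P-256
    return (c % (order - 1)) + 1


def deserialize_scalar(buf: bytes, order: int) -> Optional[int]:
    """Canonical-range check only: None unless buf encodes an integer in [0, order - 1].
    The constant-time behaviour the RFC requires is not something Python can promise."""
    if len(buf) != math.ceil(ceil_log2(order) / 8):  # Ns for this group
        return None
    s = int.from_bytes(buf, "big")
    return s if s < order else None


def random_scalar_rejection(order: int, randbytes: RandBytes = secrets.token_bytes) -> int:
    """Section 4.7.1 with the erratum's added nonzero check: retry on
    out-of-range encodings and on zero, so the result lies in [1, order - 1]."""
    ns = math.ceil(ceil_log2(order) / 8)
    while True:
        s = deserialize_scalar(randbytes(ns), order)
        if s is not None and s != 0:
            return s
```

With an all-zero byte array the extra-bits method returns 1 rather than 0, and the rejection sampler discards both a zero encoding and an encoding equal to the order before accepting the next draw.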
