in src/poprf.rs [615:646]
/// Derives the POPRF tweak `t = skS + HashToScalar(framedInfo)` for a server key
/// and an optional public `info` string.
///
/// Mirrors the spec pseudocode:
///
/// ```text
/// framedInfo = "Info" || I2OSP(len(info), 2) || info
/// m = G.HashToScalar(framedInfo)
/// t = skS + m
/// if t == 0: raise InverseError
/// ```
///
/// # Errors
///
/// * [`Error::Info`] when `info` cannot be length-prefixed with a 2-byte
///   I2OSP (i.e. `i2osp_2` rejects its length).
/// * [`Error::Protocol`] when the resulting tweak is the zero scalar — the
///   spec's `InverseError`; a zero tweak would not be invertible downstream.
fn compute_tweak<CS: CipherSuite>(
    sk: <CS::Group as Group>::Scalar,
    info: Option<&[u8]>,
) -> Result<<CS::Group as Group>::Scalar>
where
    <CS::Hash as OutputSizeUser>::OutputSize:
        IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
{
    // An absent `info` is encoded exactly like an empty one, so both callers
    // derive the same tweak.
    let public_info = info.unwrap_or_default();

    // The 2-byte length prefix is what bounds `info`; `i2osp_2` refuses lengths
    // it cannot represent and we surface that as an input error rather than
    // silently truncating.
    let encoded_len = i2osp_2(public_info.len()).map_err(|_| Error::Info)?;
    let framed_info = [STR_INFO.as_slice(), &encoded_len, public_info];

    // Domain-separation tag binds hash-to-scalar to this ciphersuite *and* to
    // POPRF mode, so a VOPRF/OPRF deployment of the same suite cannot produce
    // a colliding scalar.
    let dst =
        GenericArray::from(STR_HASH_TO_SCALAR).concat(create_context_string::<CS>(Mode::Poprf));

    // Infallible here: the framed input has a fixed structure and the DST is a
    // compile-time-sized context string, so hash_to_scalar has nothing to reject.
    let m = CS::Group::hash_to_scalar::<CS>(&framed_info, &dst).unwrap();

    let tweak = sk + &m;

    // `is_zero_scalar` presumably yields a constant-time `Choice`; collapsing it
    // to `bool` only leaks the abort decision, which the returned error reveals
    // anyway.
    if bool::from(CS::Group::is_zero_scalar(tweak)) {
        return Err(Error::Protocol);
    }

    Ok(tweak)
}