fix hashing to scalars for Curve25519 and Edwards25519

group/curve25519/group.go

@@ -53,7 +53,7 @@ func (g Group) HashToGroup(input, dst []byte) internal.Point {
 func (g Group) HashToScalar(input, dst []byte) internal.Scalar {
 	sc := hash2curve.HashToScalarXMD(crypto.SHA512, input, dst, canonicalEncodingLength)
 
-	s, err := edwards25519.NewScalar().SetUniformBytes(sc)
+	s, err := edwards25519.NewScalar().SetCanonicalBytes(sc)
 	if err != nil {
 		panic(err)
 	}

group/edwards25519/group.go

@@ -53,7 +53,7 @@ func (g Group) HashToGroup(input, dst []byte) internal.Point {
 func (g Group) HashToScalar(input, dst []byte) internal.Scalar {
 	sc := hash2curve.HashToScalarXMD(crypto.SHA512, input, dst, canonicalEncodingLength)
 
-	s, err := edwards25519.NewScalar().SetUniformBytes(sc)
+	s, err := edwards25519.NewScalar().SetCanonicalBytes(sc)
 	if err != nil {
 		panic(err)
 	}

group/hash2curve/expand.go

@@ -26,28 +26,25 @@ const (
 )
 
 var errZeroLenDST = errors.New("zero-length DST")
-
 // errShortDST = internal.ParameterError("DST is shorter than recommended length")
 
-// ExpandXMD expands the input and dst using the given fixed length hash function.
-func ExpandXMD(id crypto.Hash, input, dst []byte, length int) []byte {
+func checkDST(dst []byte) {
 	if len(dst) < recommendedMinLength {
 		if len(dst) == minLength {
 			panic(errZeroLenDST)
 		}
 	}
+}
 
+// ExpandXMD expands the input and dst using the given fixed length hash function.
+func ExpandXMD(id crypto.Hash, input, dst []byte, length int) []byte {
+	checkDST(dst)
 	return expandXMD(id, input, dst, length)
 }
 
 // ExpandXOF expands the input and dst using the given extensible output hash function.
 func ExpandXOF(id x.Extensible, input, dst []byte, length int) []byte {
-	if len(dst) < recommendedMinLength {
-		if len(dst) == minLength {
-			panic(errZeroLenDST)
-		}
-	}
-
+	checkDST(dst)
 	return expandXOF(id, input, dst, length)
 }