2022-12-27 05:49:31 +00:00
# Ciphersuite
2022-10-29 08:54:42 +00:00
Ciphersuites for elliptic curves premised on ff/group.
2022-12-24 22:08:22 +00:00
2023-03-16 22:46:48 +00:00
This library, except for the not recommended Ed448 ciphersuite, was
2023-03-21 00:10:00 +00:00
[audited by Cypher Stack in March 2023 ](https://github.com/serai-dex/serai/raw/e1bb2c191b7123fd260d008e31656d090d559d21/audits/Cypher%20Stack%20crypto%20March%202023/Audit.pdf ),
culminating in commit
[669d2dbffc1dafb82a09d9419ea182667115df06 ](https://github.com/serai-dex/serai/tree/669d2dbffc1dafb82a09d9419ea182667115df06 ).
Any subsequent changes have not undergone auditing.
2023-03-16 22:46:48 +00:00
2023-04-22 08:38:47 +00:00
This library is usable under no_std. The `alloc` and `std` features enable
reading from the `io::Read` trait, shimmed by `std-shims` under `alloc` .
2022-12-24 22:08:22 +00:00
### Secp256k1/P-256
Secp256k1 and P-256 are offered via [k256 ](https://crates.io/crates/k256 ) and
[p256 ](https://crates.io/crates/p256 ), two libraries maintained by
[RustCrypto ](https://github.com/RustCrypto ).
Their `hash_to_F` is the
[IETF's hash to curve ](https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html ),
yet applied to their scalar field.
### Ed25519/Ristretto
Ed25519/Ristretto are offered via
[dalek-ff-group ](https://crates.io/crates/dalek-ff-group ), an ff/group wrapper
around [curve25519-dalek ](https://crates.io/crates/curve25519-dalek ).
Their `hash_to_F` is the wide reduction of SHA2-512, as used in
2022-12-25 07:50:10 +00:00
[RFC-8032 ](https://www.rfc-editor.org/rfc/rfc8032 ). This is also compliant with
2022-12-24 22:08:22 +00:00
the draft
2022-12-25 07:50:10 +00:00
[RFC-RISTRETTO ](https://www.ietf.org/archive/id/draft-irtf-cfrg-ristretto255-decaf448-05.html ).
2022-12-24 22:08:22 +00:00
The domain-separation tag is naively prefixed to the message.
### Ed448
Ed448 is offered via [minimal-ed448 ](https://crates.io/crates/minimal-ed448 ), an
2023-02-24 11:03:56 +00:00
explicitly not recommended, unaudited, incomplete Ed448 implementation, limited
to its prime-order subgroup.
2022-12-24 22:08:22 +00:00
Its `hash_to_F` is the wide reduction of SHAKE256, with a 114-byte output, as
2022-12-25 07:50:10 +00:00
used in [RFC-8032 ](https://www.rfc-editor.org/rfc/rfc8032 ). The
2022-12-24 22:08:22 +00:00
domain-separation tag is naively prefixed to the message.