mirror of
https://github.com/serai-dex/serai.git
synced 2024-12-31 16:09:47 +00:00
Add test vectors for Ciphersuite::hash_to_F
This commit is contained in:
parent
da8e7e73e0
commit
bacf31378d
7 changed files with 115 additions and 16 deletions
3
Cargo.lock
generated
3
Cargo.lock
generated
|
@ -911,7 +911,9 @@ dependencies = [
|
|||
"digest 0.10.6",
|
||||
"elliptic-curve",
|
||||
"ff",
|
||||
"ff-group-tests",
|
||||
"group",
|
||||
"hex",
|
||||
"k256",
|
||||
"minimal-ed448",
|
||||
"p256",
|
||||
|
@ -4584,7 +4586,6 @@ dependencies = [
|
|||
"generic-array 0.14.6",
|
||||
"group",
|
||||
"hex",
|
||||
"hex-literal",
|
||||
"lazy_static",
|
||||
"rand_core 0.6.4",
|
||||
"subtle",
|
||||
|
|
|
@ -34,6 +34,8 @@ k256 = { version = "0.11", features = ["arithmetic", "bits", "hash2curve"], opti
|
|||
minimal-ed448 = { path = "../ed448", version = "^0.1.2", optional = true }
|
||||
|
||||
[dev-dependencies]
|
||||
hex = "0.4"
|
||||
|
||||
ff-group-tests = { version = "0.12", path = "../ff-group-tests" }
|
||||
|
||||
[features]
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Ciphersuite
|
||||
c# Ciphersuite
|
||||
|
||||
Ciphersuites for elliptic curves premised on ff/group.
|
||||
|
||||
|
@ -19,17 +19,17 @@ Ed25519/Ristretto are offered via
|
|||
around [curve25519-dalek](https://crates.io/crates/curve25519-dalek).
|
||||
|
||||
Their `hash_to_F` is the wide reduction of SHA2-512, as used in
|
||||
[RFC 8032](https://www.rfc-editor.org/rfc/rfc8032). This is also compliant with
|
||||
[RFC-8032](https://www.rfc-editor.org/rfc/rfc8032). This is also compliant with
|
||||
the draft
|
||||
[RFC RISTRETTO](https://www.ietf.org/archive/id/draft-rtf-cfrg-ristretto255-decaf448-05.html).
|
||||
[RFC-RISTRETTO](https://www.ietf.org/archive/id/draft-irtf-cfrg-ristretto255-decaf448-05.html).
|
||||
The domain-separation tag is naively prefixed to the message.
|
||||
|
||||
### Ed448
|
||||
|
||||
Ed448 is offered via [minimal-ed448](https://crates.io/crates/minimal-ed448), an
|
||||
explicitly not recommended Ed448 implementation, limited to its prime-order
|
||||
subgroup.
|
||||
explicitly not recommended, unaudited Ed448 implementation, limited to its
|
||||
prime-order subgroup.
|
||||
|
||||
Its `hash_to_F` is the wide reduction of SHAKE256, with a 114-byte output, as
|
||||
used in [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032). The
|
||||
used in [RFC-8032](https://www.rfc-editor.org/rfc/rfc8032). The
|
||||
domain-separation tag is naively prefixed to the message.
|
||||
|
|
|
@ -43,6 +43,21 @@ dalek_curve!("ristretto", Ristretto, RistrettoPoint, b"ristretto");
|
|||
#[test]
|
||||
fn test_ristretto() {
|
||||
ff_group_tests::group::test_prime_group_bits::<RistrettoPoint>();
|
||||
|
||||
assert_eq!(
|
||||
Ristretto::hash_to_F(
|
||||
b"FROST-RISTRETTO255-SHA512-v11nonce",
|
||||
&hex::decode(
|
||||
"\
|
||||
81800157bb554f299fe0b6bd658e4c4591d74168b5177bf55e8dceed59dc80c7\
|
||||
5c3430d391552f6e60ecdc093ff9f6f4488756aa6cebdbad75a768010b8f830e"
|
||||
)
|
||||
.unwrap()
|
||||
)
|
||||
.to_bytes()
|
||||
.as_ref(),
|
||||
&hex::decode("40f58e8df202b21c94f826e76e4647efdb0ea3ca7ae7e3689bc0cbe2e2f6660c").unwrap()
|
||||
);
|
||||
}
|
||||
|
||||
#[cfg(feature = "ed25519")]
|
||||
|
@ -51,4 +66,21 @@ dalek_curve!("ed25519", Ed25519, EdwardsPoint, b"edwards25519");
|
|||
#[test]
|
||||
fn test_ed25519() {
|
||||
ff_group_tests::group::test_prime_group_bits::<EdwardsPoint>();
|
||||
|
||||
// Ideally, a test vector from RFC-8032 (not FROST) would be here
|
||||
// Unfortunately, the IETF draft doesn't provide any vectors for the derived challenges
|
||||
assert_eq!(
|
||||
Ed25519::hash_to_F(
|
||||
b"FROST-ED25519-SHA512-v11nonce",
|
||||
&hex::decode(
|
||||
"\
|
||||
9d06a6381c7a4493929761a73692776772b274236fb5cfcc7d1b48ac3a9c249f\
|
||||
929dcc590407aae7d388761cddb0c0db6f5627aea8e217f4a033f2ec83d93509"
|
||||
)
|
||||
.unwrap()
|
||||
)
|
||||
.to_bytes()
|
||||
.as_ref(),
|
||||
&hex::decode("70652da3e8d7533a0e4b9e9104f01b48c396b5b553717784ed8d05c6a36b9609").unwrap()
|
||||
);
|
||||
}
|
||||
|
|
|
@ -68,6 +68,35 @@ impl Ciphersuite for Ed448 {
|
|||
|
||||
#[test]
|
||||
fn test_ed448() {
|
||||
use ff::PrimeField;
|
||||
|
||||
// TODO: Enable once ed448 passes these tests
|
||||
//ff_group_tests::group::test_prime_group_bits::<Point>();
|
||||
|
||||
// Ideally, a test vector from RFC-8032 (not FROST) would be here
|
||||
// Unfortunately, the IETF draft doesn't provide any vectors for the derived challenges
|
||||
assert_eq!(
|
||||
Ed448::hash_to_F(
|
||||
b"FROST-ED448-SHAKE256-v11nonce",
|
||||
&hex::decode(
|
||||
"\
|
||||
89bf16040081ff2990336b200613787937ebe1f024b8cdff90eb6f1c741d91c1\
|
||||
4a2b2f5858a932ad3d3b18bd16e76ced3070d72fd79ae4402df201f5\
|
||||
25e754716a1bc1b87a502297f2a99d89ea054e0018eb55d39562fd01\
|
||||
00"
|
||||
)
|
||||
.unwrap()
|
||||
)
|
||||
.to_repr()
|
||||
.iter()
|
||||
.cloned()
|
||||
.collect::<Vec<_>>(),
|
||||
hex::decode(
|
||||
"\
|
||||
67a6f023e77361707c6e894c625e809e80f33fdb310810053ae29e28\
|
||||
e7011f3193b9020e73c183a98cc3a519160ed759376dd92c94831622\
|
||||
00"
|
||||
)
|
||||
.unwrap()
|
||||
);
|
||||
}
|
||||
|
|
|
@ -65,18 +65,54 @@ macro_rules! kp_curve {
|
|||
};
|
||||
}
|
||||
|
||||
#[cfg(feature = "p256")]
|
||||
kp_curve!("p256", p256, P256, b"P-256");
|
||||
#[cfg(feature = "p256")]
|
||||
#[test]
|
||||
fn test_p256() {
|
||||
ff_group_tests::group::test_prime_group_bits::<p256::ProjectivePoint>();
|
||||
}
|
||||
|
||||
#[cfg(feature = "secp256k1")]
|
||||
kp_curve!("secp256k1", k256, Secp256k1, b"secp256k1");
|
||||
#[cfg(feature = "secp256k1")]
|
||||
#[test]
|
||||
fn test_secp256k1() {
|
||||
ff_group_tests::group::test_prime_group_bits::<k256::ProjectivePoint>();
|
||||
|
||||
// Ideally, a test vector from hash to field (not FROST) would be here
|
||||
// Unfortunately, the IETF draft only provides vectors for field elements, not scalars
|
||||
assert_eq!(
|
||||
Secp256k1::hash_to_F(
|
||||
b"FROST-secp256k1-SHA256-v11nonce",
|
||||
&hex::decode(
|
||||
"\
|
||||
80cbea5e405d169999d8c4b30b755fedb26ab07ec8198cda4873ed8ce5e16773\
|
||||
08f89ffe80ac94dcb920c26f3f46140bfc7f95b493f8310f5fc1ea2b01f4254c"
|
||||
)
|
||||
.unwrap()
|
||||
)
|
||||
.to_repr()
|
||||
.iter()
|
||||
.cloned()
|
||||
.collect::<Vec<_>>(),
|
||||
hex::decode("acc83278035223c1ba464e2d11bfacfc872b2b23e1041cf5f6130da21e4d8068").unwrap()
|
||||
);
|
||||
}
|
||||
|
||||
#[cfg(feature = "p256")]
|
||||
kp_curve!("p256", p256, P256, b"P-256");
|
||||
#[cfg(feature = "p256")]
|
||||
#[test]
|
||||
fn test_p256() {
|
||||
ff_group_tests::group::test_prime_group_bits::<p256::ProjectivePoint>();
|
||||
|
||||
assert_eq!(
|
||||
P256::hash_to_F(
|
||||
b"FROST-P256-SHA256-v11nonce",
|
||||
&hex::decode(
|
||||
"\
|
||||
f4e8cf80aec3f888d997900ac7e3e349944b5a6b47649fc32186d2f1238103c6\
|
||||
0c9c1a0fe806c184add50bbdcac913dda73e482daf95dcb9f35dbb0d8a9f7731"
|
||||
)
|
||||
.unwrap()
|
||||
)
|
||||
.to_repr()
|
||||
.iter()
|
||||
.cloned()
|
||||
.collect::<Vec<_>>(),
|
||||
hex::decode("f871dfcf6bcd199342651adc361b92c941cb6a0d8c8c1a3b91d79e2c1bf3722d").unwrap()
|
||||
);
|
||||
}
|
||||
|
|
|
@ -30,7 +30,6 @@ crypto-bigint = { version = "0.4", features = ["zeroize"] }
|
|||
dalek-ff-group = { path = "../dalek-ff-group", version = "^0.1.2" }
|
||||
|
||||
[dev-dependencies]
|
||||
hex-literal = "0.3"
|
||||
hex = "0.4"
|
||||
|
||||
ff-group-tests = { path = "../ff-group-tests" }
|
||||
|
|
Loading…
Reference in a new issue