diff --git a/Cargo.lock b/Cargo.lock index 39e8deab..ba3aa9b2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -911,7 +911,9 @@ dependencies = [ "digest 0.10.6", "elliptic-curve", "ff", + "ff-group-tests", "group", + "hex", "k256", "minimal-ed448", "p256", @@ -4584,7 +4586,6 @@ dependencies = [ "generic-array 0.14.6", "group", "hex", - "hex-literal", "lazy_static", "rand_core 0.6.4", "subtle", diff --git a/crypto/ciphersuite/Cargo.toml b/crypto/ciphersuite/Cargo.toml index 54176d17..f3f12f78 100644 --- a/crypto/ciphersuite/Cargo.toml +++ b/crypto/ciphersuite/Cargo.toml @@ -34,6 +34,8 @@ k256 = { version = "0.11", features = ["arithmetic", "bits", "hash2curve"], opti minimal-ed448 = { path = "../ed448", version = "^0.1.2", optional = true } [dev-dependencies] +hex = "0.4" + ff-group-tests = { version = "0.12", path = "../ff-group-tests" } [features] diff --git a/crypto/ciphersuite/README.md b/crypto/ciphersuite/README.md index a5c28dd3..175987d0 100644 --- a/crypto/ciphersuite/README.md +++ b/crypto/ciphersuite/README.md @@ -1,4 +1,4 @@ -# Ciphersuite +c# Ciphersuite Ciphersuites for elliptic curves premised on ff/group. @@ -19,17 +19,17 @@ Ed25519/Ristretto are offered via around [curve25519-dalek](https://crates.io/crates/curve25519-dalek). Their `hash_to_F` is the wide reduction of SHA2-512, as used in -[RFC 8032](https://www.rfc-editor.org/rfc/rfc8032). This is also compliant with +[RFC-8032](https://www.rfc-editor.org/rfc/rfc8032). This is also compliant with the draft -[RFC RISTRETTO](https://www.ietf.org/archive/id/draft-rtf-cfrg-ristretto255-decaf448-05.html). +[RFC-RISTRETTO](https://www.ietf.org/archive/id/draft-irtf-cfrg-ristretto255-decaf448-05.html). The domain-separation tag is naively prefixed to the message. ### Ed448 Ed448 is offered via [minimal-ed448](https://crates.io/crates/minimal-ed448), an -explicitly not recommended Ed448 implementation, limited to its prime-order -subgroup. +explicitly not recommended, unaudited Ed448 implementation, limited to its +prime-order subgroup. Its `hash_to_F` is the wide reduction of SHAKE256, with a 114-byte output, as -used in [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032). The +used in [RFC-8032](https://www.rfc-editor.org/rfc/rfc8032). The domain-separation tag is naively prefixed to the message. diff --git a/crypto/ciphersuite/src/dalek.rs b/crypto/ciphersuite/src/dalek.rs index e94837d1..ee49459f 100644 --- a/crypto/ciphersuite/src/dalek.rs +++ b/crypto/ciphersuite/src/dalek.rs @@ -43,6 +43,21 @@ dalek_curve!("ristretto", Ristretto, RistrettoPoint, b"ristretto"); #[test] fn test_ristretto() { ff_group_tests::group::test_prime_group_bits::(); + + assert_eq!( + Ristretto::hash_to_F( + b"FROST-RISTRETTO255-SHA512-v11nonce", + &hex::decode( + "\ +81800157bb554f299fe0b6bd658e4c4591d74168b5177bf55e8dceed59dc80c7\ +5c3430d391552f6e60ecdc093ff9f6f4488756aa6cebdbad75a768010b8f830e" + ) + .unwrap() + ) + .to_bytes() + .as_ref(), + &hex::decode("40f58e8df202b21c94f826e76e4647efdb0ea3ca7ae7e3689bc0cbe2e2f6660c").unwrap() + ); } #[cfg(feature = "ed25519")] @@ -51,4 +66,21 @@ dalek_curve!("ed25519", Ed25519, EdwardsPoint, b"edwards25519"); #[test] fn test_ed25519() { ff_group_tests::group::test_prime_group_bits::(); + + // Ideally, a test vector from RFC-8032 (not FROST) would be here + // Unfortunately, the IETF draft doesn't provide any vectors for the derived challenges + assert_eq!( + Ed25519::hash_to_F( + b"FROST-ED25519-SHA512-v11nonce", + &hex::decode( + "\ +9d06a6381c7a4493929761a73692776772b274236fb5cfcc7d1b48ac3a9c249f\ +929dcc590407aae7d388761cddb0c0db6f5627aea8e217f4a033f2ec83d93509" + ) + .unwrap() + ) + .to_bytes() + .as_ref(), + &hex::decode("70652da3e8d7533a0e4b9e9104f01b48c396b5b553717784ed8d05c6a36b9609").unwrap() + ); } diff --git a/crypto/ciphersuite/src/ed448.rs b/crypto/ciphersuite/src/ed448.rs index 9300a4b7..30301ec9 100644 --- a/crypto/ciphersuite/src/ed448.rs +++ b/crypto/ciphersuite/src/ed448.rs @@ -68,6 +68,35 @@ impl Ciphersuite for Ed448 { #[test] fn test_ed448() { + use ff::PrimeField; + // TODO: Enable once ed448 passes these tests //ff_group_tests::group::test_prime_group_bits::(); + + // Ideally, a test vector from RFC-8032 (not FROST) would be here + // Unfortunately, the IETF draft doesn't provide any vectors for the derived challenges + assert_eq!( + Ed448::hash_to_F( + b"FROST-ED448-SHAKE256-v11nonce", + &hex::decode( + "\ +89bf16040081ff2990336b200613787937ebe1f024b8cdff90eb6f1c741d91c1\ +4a2b2f5858a932ad3d3b18bd16e76ced3070d72fd79ae4402df201f5\ +25e754716a1bc1b87a502297f2a99d89ea054e0018eb55d39562fd01\ +00" + ) + .unwrap() + ) + .to_repr() + .iter() + .cloned() + .collect::>(), + hex::decode( + "\ +67a6f023e77361707c6e894c625e809e80f33fdb310810053ae29e28\ +e7011f3193b9020e73c183a98cc3a519160ed759376dd92c94831622\ +00" + ) + .unwrap() + ); } diff --git a/crypto/ciphersuite/src/kp256.rs b/crypto/ciphersuite/src/kp256.rs index 41a7c16a..1de4e652 100644 --- a/crypto/ciphersuite/src/kp256.rs +++ b/crypto/ciphersuite/src/kp256.rs @@ -65,18 +65,54 @@ macro_rules! kp_curve { }; } -#[cfg(feature = "p256")] -kp_curve!("p256", p256, P256, b"P-256"); -#[cfg(feature = "p256")] -#[test] -fn test_p256() { - ff_group_tests::group::test_prime_group_bits::(); -} - #[cfg(feature = "secp256k1")] kp_curve!("secp256k1", k256, Secp256k1, b"secp256k1"); #[cfg(feature = "secp256k1")] #[test] fn test_secp256k1() { ff_group_tests::group::test_prime_group_bits::(); + + // Ideally, a test vector from hash to field (not FROST) would be here + // Unfortunately, the IETF draft only provides vectors for field elements, not scalars + assert_eq!( + Secp256k1::hash_to_F( + b"FROST-secp256k1-SHA256-v11nonce", + &hex::decode( + "\ +80cbea5e405d169999d8c4b30b755fedb26ab07ec8198cda4873ed8ce5e16773\ +08f89ffe80ac94dcb920c26f3f46140bfc7f95b493f8310f5fc1ea2b01f4254c" + ) + .unwrap() + ) + .to_repr() + .iter() + .cloned() + .collect::>(), + hex::decode("acc83278035223c1ba464e2d11bfacfc872b2b23e1041cf5f6130da21e4d8068").unwrap() + ); +} + +#[cfg(feature = "p256")] +kp_curve!("p256", p256, P256, b"P-256"); +#[cfg(feature = "p256")] +#[test] +fn test_p256() { + ff_group_tests::group::test_prime_group_bits::(); + + assert_eq!( + P256::hash_to_F( + b"FROST-P256-SHA256-v11nonce", + &hex::decode( + "\ +f4e8cf80aec3f888d997900ac7e3e349944b5a6b47649fc32186d2f1238103c6\ +0c9c1a0fe806c184add50bbdcac913dda73e482daf95dcb9f35dbb0d8a9f7731" + ) + .unwrap() + ) + .to_repr() + .iter() + .cloned() + .collect::>(), + hex::decode("f871dfcf6bcd199342651adc361b92c941cb6a0d8c8c1a3b91d79e2c1bf3722d").unwrap() + ); } diff --git a/crypto/ed448/Cargo.toml b/crypto/ed448/Cargo.toml index 207d4bde..fe061fc6 100644 --- a/crypto/ed448/Cargo.toml +++ b/crypto/ed448/Cargo.toml @@ -30,7 +30,6 @@ crypto-bigint = { version = "0.4", features = ["zeroize"] } dalek-ff-group = { path = "../dalek-ff-group", version = "^0.1.2" } [dev-dependencies] -hex-literal = "0.3" hex = "0.4" ff-group-tests = { path = "../ff-group-tests" }