mirror of https://github.com/serai-dex/serai.git synced 2024-11-17 01:17:36 +00:00

History

Luke Parker 93f7afec8b 3.5.2 Add more tests to ff-group-tests The audit recommends checking failure cases for from_bytes, from_bytes_unechecked, and from_repr. This isn't feasible. from_bytes is allowed to have non-canonical values. [0xff; 32] may accordingly be a valid point for non-SEC1-encoded curves. from_bytes_unchecked doesn't have a defined failure mode, and by name, unchecked, shouldn't necessarily fail. The audit acknowledges the tests should test for whatever result is 'appropriate', yet any result which isn't a failure on a valid element is appropriate. from_repr must be canonical, yet for a binary field of 2^n where n % 8 == 0, a [0xff; n / 8] repr would be valid.		2023-02-24 06:03:56 -05:00
..
src	3.5.2 Add more tests to ff-group-tests	2023-02-24 06:03:56 -05:00
Cargo.toml	Add test vectors for Ciphersuite::hash_to_F	2022-12-25 02:50:10 -05:00
LICENSE	Create a dedicated crate for the DKG (#141 )	2022-10-29 03:54:42 -05:00
README.md	3.5.2 Add more tests to ff-group-tests	2023-02-24 06:03:56 -05:00

README.md

Ciphersuite

Ciphersuites for elliptic curves premised on ff/group.

Secp256k1/P-256

Secp256k1 and P-256 are offered via k256 and p256, two libraries maintained by RustCrypto.

Their hash_to_F is the IETF's hash to curve, yet applied to their scalar field.

Ed25519/Ristretto

Ed25519/Ristretto are offered via dalek-ff-group, an ff/group wrapper around curve25519-dalek.

Their hash_to_F is the wide reduction of SHA2-512, as used in RFC-8032. This is also compliant with the draft RFC-RISTRETTO. The domain-separation tag is naively prefixed to the message.

Ed448

Ed448 is offered via minimal-ed448, an explicitly not recommended, unaudited, incomplete Ed448 implementation, limited to its prime-order subgroup.

Its hash_to_F is the wide reduction of SHAKE256, with a 114-byte output, as used in RFC-8032. The domain-separation tag is naively prefixed to the message.