The audit recommends checking failure cases for from_bytes, from_bytes_unchecked, and from_repr. This isn't feasible. from_bytes is allowed to have non-canonical values. [0xff; 32] may accordingly be a valid point for non-SEC1-encoded curves. from_bytes_unchecked doesn't have a defined failure mode, and by name, unchecked, shouldn't necessarily fail. The audit acknowledges the tests should test for whatever result is 'appropriate', yet any result which isn't a failure on a valid element is appropriate. from_repr must be canonical, yet for a binary field of 2^n where n % 8 == 0, a [0xff; n / 8] repr would be valid.
Ciphersuite
Ciphersuites for elliptic curves premised on ff/group.
Secp256k1/P-256
Secp256k1 and P-256 are offered via k256 and p256, two libraries maintained by RustCrypto.
Their hash_to_F is the IETF's hash to curve (its hash_to_field step), yet applied to their scalar field rather than the base field.
Ed25519/Ristretto
Ed25519/Ristretto are offered via dalek-ff-group, an ff/group wrapper around curve25519-dalek.
Their hash_to_F is the wide reduction of SHA2-512, as used in RFC-8032. This is also compliant with the draft RFC-RISTRETTO.
The domain-separation tag is naively prefixed to the message: the two are simply concatenated, with no length encoding marking where the tag ends and the message begins.
Ed448
Ed448 is offered via minimal-ed448, an explicitly not recommended, unaudited, incomplete Ed448 implementation, limited to its prime-order subgroup.
Its hash_to_F is the wide reduction of SHAKE256, with a 114-byte output, as used in RFC-8032. The domain-separation tag is naively prefixed to the message, exactly as for Ed25519/Ristretto.
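As an added example (illustrative code, not the ciphersuite crate's own implementation), here are the three hash_to_F constructions described in the Secp256k1/P-256, Ed25519/Ristretto and Ed448 sections written out in Python using only hashlib, so they run offline. The IETF expand_message_xmd/hash_to_field instance with SHA-256 and a 48-byte expansion is the standard parameterisation for a 256-bit scalar field and is assumed here; the page does not state the crates' exact parameters. The Ed25519 and Ed448 functions follow the RFC 8032 wide reductions with the DST naively prefixed, as the sections above describe. The curve orders are the published ones (SEC 2, FIPS 186-4, RFC 8032). The `boundary_ambiguous` check, its inputs and all function names are constructed for this demonstration.

```python
import hashlib

# Scalar-field (prime-order subgroup) orders: secp256k1 and P-256 from SEC 2 / FIPS 186-4,
# Ed25519 and Ed448 from RFC 8032.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
ED25519_L = 2**252 + 27742317777372353535851937790883648493
ED448_L = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int, H=hashlib.sha256) -> bytes:
    """expand_message_xmd from the IETF hash-to-curve spec (RFC 9380, section 5.3.1).
    The DST is appended together with its own length (DST_prime), so the dst/msg
    boundary is always encoded in the hashed input."""
    b_in_bytes, s_in_bytes = H().digest_size, H().block_size
    ell = -(-len_in_bytes // b_in_bytes)  # ceil(len_in_bytes / b_in_bytes)
    assert ell <= 255 and len_in_bytes <= 65535 and len(dst) <= 255
    dst_prime = dst + bytes([len(dst)])
    msg_prime = (b"\x00" * s_in_bytes + msg + len_in_bytes.to_bytes(2, "big")
                 + b"\x00" + dst_prime)
    b0 = H(msg_prime).digest()
    blocks = [H(b0 + b"\x01" + dst_prime).digest()]
    for i in range(2, ell + 1):
        xored = bytes(x ^ y for x, y in zip(b0, blocks[-1]))
        blocks.append(H(xored + bytes([i]) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def hash_to_scalar_xmd(dst: bytes, msg: bytes, order: int) -> int:
    """hash_to_field (RFC 9380, section 5.2) with the scalar-field order as the modulus,
    i.e. the IETF construction applied to the scalar field. 48 bytes = ceil((256 + 128) / 8)
    gives a 128-bit statistical margin for a 256-bit order; OS2IP is big-endian.
    Assumed parameterisation, not taken from the crates."""
    return int.from_bytes(expand_message_xmd(msg, dst, 48), "big") % order


def hash_to_f_secp256k1(dst: bytes, msg: bytes) -> int:
    return hash_to_scalar_xmd(dst, msg, SECP256K1_N)


def hash_to_f_p256(dst: bytes, msg: bytes) -> int:
    return hash_to_scalar_xmd(dst, msg, P256_N)


def hash_to_f_ed25519(dst: bytes, msg: bytes) -> int:
    """RFC 8032 wide reduction: SHA-512 over the naively dst-prefixed message,
    read little-endian and reduced mod l."""
    return int.from_bytes(hashlib.sha512(dst + msg).digest(), "little") % ED25519_L


def hash_to_f_ed448(dst: bytes, msg: bytes) -> int:
    """RFC 8032 wide reduction: 114 bytes of SHAKE256 over the naively dst-prefixed
    message, read little-endian and reduced mod l."""
    return int.from_bytes(hashlib.shake_256(dst + msg).digest(114), "little") % ED448_L


def boundary_ambiguous(hash_to_f) -> bool:
    """True when moving bytes between dst and msg leaves the output unchanged, i.e. the
    construction does not encode where the DST ends. Inputs constructed for the demo."""
    return hash_to_f(b"serai-", b"msg") == hash_to_f(b"serai", b"-msg")


if __name__ == "__main__":
    for name, f in [("secp256k1", hash_to_f_secp256k1), ("P-256", hash_to_f_p256),
                    ("Ed25519", hash_to_f_ed25519), ("Ed448", hash_to_f_ed448)]:
        print(f"{name:10} dst/msg boundary ambiguous: {boundary_ambiguous(f)}")
```

The contrast the check makes visible is the practical consequence of "naively prefixed": for the RFC 8032 style constructions, two distinct (dst, msg) pairs whose concatenations coincide hash to the same scalar, whereas the IETF expansion length-suffixes the DST and keeps the pairs distinct. This only matters when callers can choose both the tag and the message; with a fixed-length or otherwise fixed DST per use, the naive prefix is unambiguous.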