crypto/ciphersuite/README.md

# Ciphersuite

Ciphersuites for elliptic curves premised on ff/group.

This library, except for the not recommended Ed448 ciphersuite, was
[audited by Cypher Stack in March 2023](https://github.com/serai-dex/serai/raw/e1bb2c191b7123fd260d008e31656d090d559d21/audits/Cypher%20Stack%20crypto%20March%202023/Audit.pdf),
culminating in commit
[669d2dbffc1dafb82a09d9419ea182667115df06](https://github.com/serai-dex/serai/tree/669d2dbffc1dafb82a09d9419ea182667115df06).
Any subsequent changes have not undergone auditing.

This library is usable under no_std. The `alloc` and `std` features enable
reading from the `io::Read` trait, shimmed by `std-shims` under `alloc`.

### Secp256k1/P-256

Secp256k1 and P-256 are offered via [k256](https://crates.io/crates/k256) and
[p256](https://crates.io/crates/p256), two libraries maintained by
[RustCrypto](https://github.com/RustCrypto).

Their `hash_to_F` is the
[IETF's hash to curve](https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html),
yet applied to their scalar field.

Please see the [`ciphersuite-kp256`](https://docs.rs/ciphersuite-kp256) crate for more info.

### Ed25519/Ristretto

Ed25519/Ristretto are offered via
[dalek-ff-group](https://crates.io/crates/dalek-ff-group), an ff/group wrapper
around [curve25519-dalek](https://crates.io/crates/curve25519-dalek).

Their `hash_to_F` is the wide reduction of SHA2-512, as used in
[RFC-8032](https://www.rfc-editor.org/rfc/rfc8032). This is also compliant with
the draft
[RFC-RISTRETTO](https://www.ietf.org/archive/id/draft-irtf-cfrg-ristretto255-decaf448-05.html).
The domain-separation tag is naively prefixed to the message.

Please see the [`dalek-ff-group`](https://docs.rs/dalek-ff-group) crate for more info.

### Ed448

Ed448 is offered via [minimal-ed448](https://crates.io/crates/minimal-ed448), an
explicitly not recommended, unaudited, incomplete Ed448 implementation, limited
to its prime-order subgroup.

Its `hash_to_F` is the wide reduction of SHAKE256, with a 114-byte output, as
used in [RFC-8032](https://www.rfc-editor.org/rfc/rfc8032). The
domain-separation tag is naively prefixed to the message.

Please see the [`minimal-ed448`](https://docs.rs/minimal-ed448) crate for more info.
Have transcripted versions specify their minor version pre-1.0 2022-12-27 00:49:31 -05:00			`# Ciphersuite`
Create a dedicated crate for the DKG (#141) * Add dkg crate * Remove F_len and G_len They're generally no longer used. * Replace hash_to_vec with a provided method around associated type H: Digest Part of trying to minimize this trait so it can be moved elsewhere. Vec, which isn't std, may have been a blocker. * Encrypt secret shares within the FROST library Reduces requirements on callers in order to be correct. * Update usage of Zeroize within FROST * Inline functions in key_gen There was no reason to have them separated as they were. sign probably has the same statement available, yet that isn't the focus right now. * Add a ciphersuite package which provides hash_to_F * Set the Ciphersuite version to something valid * Have ed448 export Scalar/FieldElement/Point at the top level * Move FROST over to Ciphersuite * Correct usage of ff in ciphersuite * Correct documentation handling * Move Schnorr signatures to their own crate * Remove unused feature from schnorr * Fix Schnorr tests * Split DKG into a separate crate * Add serialize to Commitments and SecretShare Helper for buf = vec![]; .write(buf).unwrap(); buf * Move FROST over to the new dkg crate * Update Monero lib to latest FROST * Correct ethereum's usage of features * Add serialize to GeneratorProof * Add serialize helper function to FROST * Rename AddendumSerialize to WriteAddendum * Update processor * Slight fix to processor 2022-10-29 03:54:42 -05:00
			`Ciphersuites for elliptic curves premised on ff/group.`
Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00
Document crypto crates with audit notices 2023-03-16 18:46:48 -04:00			`This library, except for the not recommended Ed448 ciphersuite, was`
Fully document crypto/ 2023-03-20 20:10:00 -04:00			`[audited by Cypher Stack in March 2023](https://github.com/serai-dex/serai/raw/e1bb2c191b7123fd260d008e31656d090d559d21/audits/Cypher%20Stack%20crypto%20March%202023/Audit.pdf),`
			`culminating in commit`
			`[669d2dbffc1dafb82a09d9419ea182667115df06](https://github.com/serai-dex/serai/tree/669d2dbffc1dafb82a09d9419ea182667115df06).`
			`Any subsequent changes have not undergone auditing.`
Document crypto crates with audit notices 2023-03-16 18:46:48 -04:00
Add no_std support to transcript, dalek-ff-group, ed448, ciphersuite, multiexp, schnorr, and monero-generators transcript, dalek-ff-group, ed449, and ciphersuite are all usable with no_std alone. The rest additionally require alloc. Part of #279. 2023-04-22 04:38:47 -04:00			This library is usable under no_std. The `alloc` and `std` features enable
			reading from the `io::Read` trait, shimmed by `std-shims` under `alloc`.

Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00			`### Secp256k1/P-256`

			`Secp256k1 and P-256 are offered via [k256](https://crates.io/crates/k256) and`
			`[p256](https://crates.io/crates/p256), two libraries maintained by`
			`[RustCrypto](https://github.com/RustCrypto).`

			Their `hash_to_F` is the
			`[IETF's hash to curve](https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html),`
			`yet applied to their scalar field.`

Smash Ciphersuite definitions into their own crates Uses dalek-ff-group for Ed25519 and Ristretto. Uses minimal-ed448 for Ed448. Adds ciphersuite-kp256 for Secp256k1 and P-256. 2025-08-20 04:50:37 -04:00			Please see the [`ciphersuite-kp256`](https://docs.rs/ciphersuite-kp256) crate for more info.

Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00			`### Ed25519/Ristretto`

			`Ed25519/Ristretto are offered via`
			`[dalek-ff-group](https://crates.io/crates/dalek-ff-group), an ff/group wrapper`
			`around [curve25519-dalek](https://crates.io/crates/curve25519-dalek).`

			Their `hash_to_F` is the wide reduction of SHA2-512, as used in
Add test vectors for Ciphersuite::hash_to_F 2022-12-25 02:50:10 -05:00			`[RFC-8032](https://www.rfc-editor.org/rfc/rfc8032). This is also compliant with`
Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00			`the draft`
Add test vectors for Ciphersuite::hash_to_F 2022-12-25 02:50:10 -05:00			`[RFC-RISTRETTO](https://www.ietf.org/archive/id/draft-irtf-cfrg-ristretto255-decaf448-05.html).`
Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00			`The domain-separation tag is naively prefixed to the message.`

Smash Ciphersuite definitions into their own crates Uses dalek-ff-group for Ed25519 and Ristretto. Uses minimal-ed448 for Ed448. Adds ciphersuite-kp256 for Secp256k1 and P-256. 2025-08-20 04:50:37 -04:00			Please see the [`dalek-ff-group`](https://docs.rs/dalek-ff-group) crate for more info.

Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00			`### Ed448`

			`Ed448 is offered via [minimal-ed448](https://crates.io/crates/minimal-ed448), an`
3.5.2 Add more tests to ff-group-tests The audit recommends checking failure cases for from_bytes, from_bytes_unechecked, and from_repr. This isn't feasible. from_bytes is allowed to have non-canonical values. [0xff; 32] may accordingly be a valid point for non-SEC1-encoded curves. from_bytes_unchecked doesn't have a defined failure mode, and by name, unchecked, shouldn't necessarily fail. The audit acknowledges the tests should test for whatever result is 'appropriate', yet any result which isn't a failure on a valid element is appropriate. from_repr must be canonical, yet for a binary field of 2^n where n % 8 == 0, a [0xff; n / 8] repr would be valid. 2023-02-24 06:03:56 -05:00			`explicitly not recommended, unaudited, incomplete Ed448 implementation, limited`
			`to its prime-order subgroup.`
Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00
			Its `hash_to_F` is the wide reduction of SHAKE256, with a 114-byte output, as
Add test vectors for Ciphersuite::hash_to_F 2022-12-25 02:50:10 -05:00			`used in [RFC-8032](https://www.rfc-editor.org/rfc/rfc8032). The`
Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00			`domain-separation tag is naively prefixed to the message.`
Smash Ciphersuite definitions into their own crates Uses dalek-ff-group for Ed25519 and Ristretto. Uses minimal-ed448 for Ed448. Adds ciphersuite-kp256 for Secp256k1 and P-256. 2025-08-20 04:50:37 -04:00
			Please see the [`minimal-ed448`](https://docs.rs/minimal-ed448) crate for more info.