Re-organize testing strategy and document Ciphersuite::hash_to_F.

2025-12-08 12:19:24 +00:00 · 2022-12-24 17:08:22 -05:00
parent 35a4f5bf9f
commit da8e7e73e0
13 changed files with 114 additions and 40 deletions
--- a/crypto/ciphersuite/Cargo.toml
+++ b/crypto/ciphersuite/Cargo.toml
@@ -33,6 +33,9 @@ k256 = { version = "0.11", features = ["arithmetic", "bits", "hash2curve"], opti

 minimal-ed448 = { path = "../ed448", version = "^0.1.2", optional = true }

+[dev-dependencies]
+ff-group-tests = { version = "0.12", path = "../ff-group-tests" }
+
 [features]
 std = []

--- a/crypto/ciphersuite/README.md
+++ b/crypto/ciphersuite/README.md
@@ -1,3 +1,35 @@
 # Ciphersuite

 Ciphersuites for elliptic curves premised on ff/group.
+
+### Secp256k1/P-256
+
+Secp256k1 and P-256 are offered via [k256](https://crates.io/crates/k256) and
+[p256](https://crates.io/crates/p256), two libraries maintained by
+[RustCrypto](https://github.com/RustCrypto).
+
+Their `hash_to_F` is the
+[IETF's hash to curve](https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html),
+yet applied to their scalar field.
+
+### Ed25519/Ristretto
+
+Ed25519/Ristretto are offered via
+[dalek-ff-group](https://crates.io/crates/dalek-ff-group), an ff/group wrapper
+around [curve25519-dalek](https://crates.io/crates/curve25519-dalek).
+
+Their `hash_to_F` is the wide reduction of SHA2-512, as used in
+[RFC 8032](https://www.rfc-editor.org/rfc/rfc8032). This is also compliant with
+the draft
+[RFC RISTRETTO](https://www.ietf.org/archive/id/draft-rtf-cfrg-ristretto255-decaf448-05.html).
+The domain-separation tag is naively prefixed to the message.
+
+### Ed448
+
+Ed448 is offered via [minimal-ed448](https://crates.io/crates/minimal-ed448), an
+explicitly not recommended Ed448 implementation, limited to its prime-order
+subgroup.
+
+Its `hash_to_F` is the wide reduction of SHAKE256, with a 114-byte output, as
+used in [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032). The
+domain-separation tag is naively prefixed to the message.
--- a/crypto/ciphersuite/src/dalek.rs
+++ b/crypto/ciphersuite/src/dalek.rs
@@ -39,6 +39,16 @@ macro_rules! dalek_curve {

 #[cfg(any(test, feature = "ristretto"))]
 dalek_curve!("ristretto", Ristretto, RistrettoPoint, b"ristretto");
+#[cfg(any(test, feature = "ristretto"))]
+#[test]
+fn test_ristretto() {
+  ff_group_tests::group::test_prime_group_bits::<RistrettoPoint>();
+}

 #[cfg(feature = "ed25519")]
 dalek_curve!("ed25519", Ed25519, EdwardsPoint, b"edwards25519");
+#[cfg(feature = "ed25519")]
+#[test]
+fn test_ed25519() {
+  ff_group_tests::group::test_prime_group_bits::<EdwardsPoint>();
+}
--- a/crypto/ciphersuite/src/ed448.rs
+++ b/crypto/ciphersuite/src/ed448.rs
@@ -65,3 +65,9 @@ impl Ciphersuite for Ed448 {
    Scalar::wide_reduce(Self::H::digest([dst, data].concat()).as_ref().try_into().unwrap())
  }
 }
+
+#[test]
+fn test_ed448() {
+  // TODO: Enable once ed448 passes these tests
+  //ff_group_tests::group::test_prime_group_bits::<Point>();
+}
--- a/crypto/ciphersuite/src/kp256.rs
+++ b/crypto/ciphersuite/src/kp256.rs
@@ -67,6 +67,16 @@ macro_rules! kp_curve {

 #[cfg(feature = "p256")]
 kp_curve!("p256", p256, P256, b"P-256");
+#[cfg(feature = "p256")]
+#[test]
+fn test_p256() {
+  ff_group_tests::group::test_prime_group_bits::<p256::ProjectivePoint>();
+}

 #[cfg(feature = "secp256k1")]
 kp_curve!("secp256k1", k256, Secp256k1, b"secp256k1");
+#[cfg(feature = "secp256k1")]
+#[test]
+fn test_secp256k1() {
+  ff_group_tests::group::test_prime_group_bits::<k256::ProjectivePoint>();
+}
--- a/crypto/ciphersuite/src/lib.rs
+++ b/crypto/ciphersuite/src/lib.rs
@@ -58,7 +58,14 @@ pub trait Ciphersuite: Clone + Copy + PartialEq + Eq + Debug + Zeroize {
  // While group does provide this in its API, privacy coins may want to use a custom basepoint
  fn generator() -> Self::G;

-  /// Hash the provided dst and message to a scalar.
+  /// Hash the provided domain-separation tag and message to a scalar. Ciphersuites MAY naively
+  /// prefix the tag to the message, enabling transpotion between the two. Accordingly, this
+  /// function should NOT be used in any scheme where one tag is a valid substring of another
+  /// UNLESS the specific Ciphersuite is verified to handle the DST securely.
+  ///
+  /// Verifying specific ciphersuites have secure tag handling is not recommended, due to it
+  /// breaking the intended modularity of ciphersuites. Instead, component-specific tags with
+  /// further purpose tags are recommended ("Schnorr-nonce", "Schnorr-chal").
  #[allow(non_snake_case)]
  fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F;