1use zeroize::Zeroize;
2
3use sha2::{Digest, Sha512};
4
5use group::Group;
6use dalek_ff_group::Scalar;
7
8use crate::Ciphersuite;
9
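// Implements `Ciphersuite` for a marker type backed by a `dalek_ff_group` point type.
//
// Arguments, in order:
// - `$feature`: feature name as a string literal. It is accepted to keep call sites unchanged,
//   but is not referenced by the expansion below.
// - `$Ciphersuite`: identifier of the marker type receiving the impl.
// - `$Point`: identifier of the group element type, imported from `dalek_ff_group`.
// - `$ID`: byte-string literal used for `Ciphersuite::ID`.
//
// Security notes on the generated `hash_to_F`:
// - `dst` and `data` are hashed back to back with no length prefix or separator, so the boundary
//   between them is not bound into the output. `dst = b"abc", data = b"def"` produces the same
//   scalar as `dst = b"abcdef", data = b""`. Domain separation therefore only holds if no DST in
//   use is a prefix of another. The encoding is kept as is because the tests in this file pin
//   its exact output.
// - `data` may carry secret material (the tests in this file use a DST ending in `nonce`;
//   confirm against callers), so no extra copy of it is made before hashing.
macro_rules! dalek_curve {
  (
    $feature: literal,

    $Ciphersuite: ident,
    $Point: ident,
    $ID: literal
  ) => {
    use dalek_ff_group::$Point;

    impl Ciphersuite for $Ciphersuite {
      type F = Scalar;
      type G = $Point;
      type H = Sha512;

      const ID: &'static [u8] = $ID;

      fn generator() -> Self::G {
        $Point::generator()
      }

      fn hash_to_F(dst: &[u8], data: &[u8]) -> Self::F {
        // Absorb `dst` then `data` into a single SHA-512 state. The digest is identical to
        // hashing `[dst, data].concat()`, but no temporary heap buffer holding a copy of `data`
        // is allocated and later freed without being zeroized.
        // The 64-byte digest is reduced to a scalar by `Scalar::from_hash`.
        Scalar::from_hash(Sha512::new_with_prefix(dst).chain_update(data))
      }
    }
  };
}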
37
/// Ciphersuite marker type for the Ristretto group, using SHA-512 as its hash.
///
/// `hash_to_F` (generated by `dalek_curve!`) hashes `dst` immediately followed by `data`, with
/// no length prefix or separator. The split between the two is therefore not bound into the
/// result: `dst = b"abc", data = b"def"` yields the same scalar as `dst = b"abcdef", data = b""`.
/// Callers must make sure no DST they use is a prefix of another DST.
///
/// Available under the `ristretto` feature and in this crate's own test builds.
#[cfg(any(test, feature = "ristretto"))]
#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
pub struct Ristretto;
// Implements `Ciphersuite` for `Ristretto` over `RistrettoPoint`, with `ID = b"ristretto"`.
#[cfg(any(test, feature = "ristretto"))]
dalek_curve!("ristretto", Ristretto, RistrettoPoint, b"ristretto");
#[cfg(any(test, feature = "ristretto"))]
#[test]
fn test_ristretto() {
  // Generic prime-order group and field checks, driven by OS randomness.
  ff_group_tests::group::test_prime_group_bits::<_, RistrettoPoint>(&mut rand_core::OsRng);

  // Known-answer check pinning the exact `dst || data` encoding used by `hash_to_F`.
  // NOTE(review): the DST suggests a FROST "nonce" hash test vector; confirm its source.
  let input = hex::decode(
    "\
81800157bb554f299fe0b6bd658e4c4591d74168b5177bf55e8dceed59dc80c7\
5c3430d391552f6e60ecdc093ff9f6f4488756aa6cebdbad75a768010b8f830e",
  )
  .unwrap();
  let expected =
    hex::decode("40f58e8df202b21c94f826e76e4647efdb0ea3ca7ae7e3689bc0cbe2e2f6660c").unwrap();

  let scalar = Ristretto::hash_to_F(b"FROST-RISTRETTO255-SHA512-v11nonce", &input);
  assert_eq!(scalar.to_bytes().as_ref(), &expected);
}
68
/// Ciphersuite marker type for the Ed25519 group, using SHA-512 as its hash.
///
/// `hash_to_F` (generated by `dalek_curve!`) hashes `dst` immediately followed by `data`, with
/// no length prefix or separator. The split between the two is therefore not bound into the
/// result: `dst = b"abc", data = b"def"` yields the same scalar as `dst = b"abcdef", data = b""`.
/// Callers must make sure no DST they use is a prefix of another DST.
///
/// Only available under the `ed25519` feature. Unlike `Ristretto`, it is not enabled
/// automatically for test builds.
#[cfg(feature = "ed25519")]
#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
pub struct Ed25519;
// Implements `Ciphersuite` for `Ed25519` over `EdwardsPoint`, with `ID = b"edwards25519"`.
#[cfg(feature = "ed25519")]
dalek_curve!("ed25519", Ed25519, EdwardsPoint, b"edwards25519");
#[cfg(feature = "ed25519")]
#[test]
fn test_ed25519() {
  // Generic prime-order group and field checks, driven by OS randomness.
  ff_group_tests::group::test_prime_group_bits::<_, EdwardsPoint>(&mut rand_core::OsRng);

  // Known-answer check pinning the exact `dst || data` encoding used by `hash_to_F`.
  // NOTE(review): the DST suggests a FROST "nonce" hash test vector; confirm its source.
  let input = hex::decode(
    "\
9d06a6381c7a4493929761a73692776772b274236fb5cfcc7d1b48ac3a9c249f\
929dcc590407aae7d388761cddb0c0db6f5627aea8e217f4a033f2ec83d93509",
  )
  .unwrap();
  let expected =
    hex::decode("70652da3e8d7533a0e4b9e9104f01b48c396b5b553717784ed8d05c6a36b9609").unwrap();

  let scalar = Ed25519::hash_to_F(b"FROST-ED25519-SHA512-v11nonce", &input);
  assert_eq!(scalar.to_bytes().as_ref(), &expected);
}