//! # ECVRF Ed25519 SHA-512 TAI suite
//!
//! Configuration inspired by RFC-9381 (ECVRF-EDWARDS25519-SHA512-TAI):
//!
//! * `SUITE_ID` = `b"Ed25519-SHA512-TAI-v1"`.
//!
//! * The EC group G is the edwards25519 elliptic curve, with the finite
//! field and curve parameters as defined in Table 1 in Section 5.1 of
//! `[RFC8032]`. For this group, fLen = qLen = 32 and cofactor = 8.
//!
//! * `cLen` = 16.
//!
//! * The secret key and generation of the secret scalar and the public
//! key are specified in Section 5.1.5 of `[RFC8032]`.
//!
//! * Nonce generation is inspired by Section 5.4.2.2 of RFC-9381,
//! adapted to use the suite's pluggable transcript.
//!
//! * The int_to_string function is implemented as specified in the
//! first paragraph of Section 5.1.2 of `[RFC8032]`. (This is
//! little-endian representation.)
//!
//! * The string_to_int function interprets the string as an integer in
//! little-endian representation.
//!
//! * The point_to_string function converts a point on E to an octet
//! string according to the encoding specified in Section 5.1.2 of
//! `[RFC8032]`. This implies that ptLen = fLen = 32.
//!
//! * The string_to_point function converts an octet string to a point
//! on E according to the encoding specified in Section 5.1.3 of
//! `[RFC8032]`. This function MUST output "INVALID" if the octet
//! string does not decode to a point on the curve E.
//!
//! * The hash function Hash is SHA-512 as specified in `[RFC6234]`, with
//! `hLen = 64`.
//!
//! * The ECVRF_encode_to_curve function uses Try-And-Increment, inspired
//! by Section 5.4.1.1 of RFC-9381.
use crate::;
use MontFp;
/// Ed25519_SHA-512_TAI Suite.
;
type ThisSuite = Ed25519Sha512Tai;
suite_types!;