feat(cryptography): add Wycheproof verification tests for Ed25519 #3771
Open
erenyegit wants to merge 1 commit into
Loads real Project Wycheproof test vectors from ed25519_test.json pinned at upstream commit 6d9d6de30f02e229dfc160323722c3ddac866181 and runs them through the production verifier (core::VerificationKey::verify). The raw core path is used deliberately to bypass Verifier::verify's namespace prefixing, which would invalidate every upstream vector. To stay within CONTRIBUTING.md's "no new external dependency" rule, the JSON is preprocessed offline by regenerate.py into a &[Vector] constant in wycheproof_vectors.rs; the runtime test code therefore has zero JSON parsing burden and zero new dependencies. ZIP215 deviations from strict RFC 8032 are tracked in an explicit ZIP215_DEVIATIONS allow-list; at the pinned commit the list is empty (every Wycheproof-invalid vector is also rejected by ZIP215). Refs commonwarexyz#329.
This PR addresses #329 for the Ed25519 primitive. Follow-up PRs will add the same pattern for `secp256r1` and `bls12381`.

What this adds

A self-contained Project Wycheproof verifier-conformance test suite for Ed25519. Vectors are sourced from `testvectors_v1/ed25519_test.json` pinned at commit `6d9d6de30f02e229dfc160323722c3ddac866181` (150 cases across 77 groups).

Three new tests live in `cryptography/src/ed25519/wycheproof.rs`:

- `wycheproof_valid_vectors_verify` — every Wycheproof `valid` vector must verify under ZIP215.
- `wycheproof_invalid_vectors_rejected` — every Wycheproof `invalid` vector must be rejected, except entries on the documented `ZIP215_DEVIATIONS` allow-list. This is the workhorse negative test: 62 attack vectors asserting "this signature shouldn't verify and doesn't."
- `vector_count_matches_upstream` — guards against accidental truncation of the auto-generated vector array.

Design choices

- No new dependencies. Per `CONTRIBUTING.md`, vectors are preprocessed offline by `cryptography/test_vectors/wycheproof/regenerate.py` into a `const VECTORS: &[Vector]` array in `wycheproof_vectors.rs`. The original JSON is committed alongside the generated `.rs` so reviewers can audit either form, and the regen script pins the upstream commit so the data is fully reproducible.
- ZIP215-aware. Commonware's verifier follows ZIP215, which is intentionally more permissive than RFC 8032 about non-canonical encodings. Some Wycheproof "invalid" cases are ZIP215-accepted by design; the test framework handles this via a documented `ZIP215_DEVIATIONS` allow-list keyed by `tcId`, each entry citing its deviation class (non-canonical R, low-order point, etc.). At the pinned commit the list is empty — verified empirically: 62/62 invalid vectors are rejected by the ZIP215 verifier.
- Direct `core::VerificationKey::verify` path. Tests bypass the namespaced `Verifier::verify` (which `union_unique`-prefixes the message) to feed raw Wycheproof messages into the production verification routine.

How tested

- `cargo test -p commonware-cryptography --lib ed25519::wycheproof` → 3/3 pass
- `cargo clippy -p commonware-cryptography --tests --no-deps -- -D warnings` → clean
- `rustfmt --edition 2021 --check` on all touched files → clean
- `just pre-pr` → 5460/5460 tests pass, exit 0

Files

- `cryptography/src/ed25519/mod.rs`
- `cryptography/src/ed25519/wycheproof.rs` (`ZIP215_DEVIATIONS` framework, doc comment)
- `cryptography/src/ed25519/wycheproof_vectors.rs` (`VECTORS` constant)
- `cryptography/test_vectors/wycheproof/ed25519_test.json`
- `cryptography/test_vectors/wycheproof/regenerate.py` (`WYCHEPROOF_COMMIT` constant)

Scope follow-ups

This PR covers Ed25519. Follow-up PRs will add Wycheproof suites for `secp256r1` and `bls12381` reusing the same offline-regeneration pattern.
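The offline regeneration step and the allow-list rule described under Design choices, as an added example that is not the project's own `regenerate.py`: it flattens a Wycheproof-style JSON document into a Rust `&[Vector]` constant alongside the pinned upstream commit and a count guard, and encodes the expectation the negative test applies to each vector. The sample document is constructed, the v1 field names (`publicKey.pk`, `tcId`, `msg`, `sig`, `result`) are assumed from the upstream schema, and the emitted `Vector` / `Result` type names are hypothetical stand-ins for the crate's own; Wycheproof's `acceptable` result, which the PR does not mention, is mapped but yields no assertion.

```python
# Constructed sample shaped like Wycheproof's testvectors_v1/ed25519_test.json
# (assumption: v1 field names; the hex values are made up, not real vectors).
SAMPLE = {
    "numberOfTests": 3,
    "testGroups": [{
        "publicKey": {"type": "EddsaPublicKey", "curve": "edwards25519", "pk": "7d" * 32},
        "tests": [
            {"tcId": 1, "comment": "", "msg": "", "sig": "d4" * 64, "result": "valid"},
            {"tcId": 2, "comment": "S \"too\" large", "msg": "313233", "sig": "ff" * 64, "result": "invalid"},
            {"tcId": 3, "comment": "sig too long", "msg": "00", "sig": "00" * 65, "result": "invalid"},
        ],
    }],
}
RESULT_VARIANTS = {"valid": "Valid", "invalid": "Invalid", "acceptable": "Acceptable"}

def load_vectors(doc):
    """Flatten testGroups into one record per test; sig is kept raw so wrong-length cases survive."""
    out = []
    for group in doc["testGroups"]:
        pk = bytes.fromhex(group["publicKey"]["pk"])
        assert len(pk) == 32, "Ed25519 public key must be 32 bytes"
        for t in group["tests"]:
            assert t["result"] in RESULT_VARIANTS, t["result"]
            out.append({"tc_id": t["tcId"], "pk": pk, "msg": bytes.fromhex(t["msg"]),
                        "sig": bytes.fromhex(t["sig"]), "result": t["result"], "comment": t["comment"]})
    # A truncated download must not silently shrink the suite.
    assert len(out) == doc["numberOfTests"], "vector count mismatch"
    return out

def rust_bytes(b):
    """Render bytes as a Rust byte-slice literal, e.g. b'\\x0a\\xff' -> '&[0x0a, 0xff]'."""
    return "&[" + ", ".join(f"0x{x:02x}" for x in b) + "]"

def rust_str(s):
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def render_rust(vectors, commit):
    """Emit the generated .rs body: pinned commit, count, and a `&[Vector]` constant (no JSON at runtime)."""
    lines = ["// Generated offline by regenerate.py; do not edit by hand.",
             f'pub const WYCHEPROOF_COMMIT: &str = "{commit}";',
             f"pub const VECTOR_COUNT: usize = {len(vectors)};",
             "pub const VECTORS: &[Vector] = &["]
    for v in vectors:
        lines.append(f"    Vector {{ tc_id: {v['tc_id']}, pk: {rust_bytes(v['pk'])}, "
                     f"msg: {rust_bytes(v['msg'])}, sig: {rust_bytes(v['sig'])}, result: "
                     f"Result::{RESULT_VARIANTS[v['result']]}, comment: {rust_str(v['comment'])} }},")
    return "\n".join(lines + ["];"])

def expected_accept(v, zip215_deviations):
    """Expected verifier outcome: valid must pass, invalid must fail unless its tcId is allow-listed."""
    if v["result"] == "acceptable":
        return None  # schema allows it; the suite makes no assertion on such vectors
    return v["result"] == "valid" or v["tc_id"] in zip215_deviations
```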