Octet String SUITE_ID

src/lib.rs

@@ -55,9 +55,6 @@ pub enum Error {
     VerificationFailure,
 }
 
-/// Flag to identify custom suites (i.e. not specified by RFC-9381).
-pub const CUSTOM_SUITE_ID_FLAG: u8 = 0x80;
-
 /// Defines a cipher suite.
 ///
 /// This trait can be used to easily implement a VRF which follows the guidelines
@@ -66,9 +63,8 @@ pub const CUSTOM_SUITE_ID_FLAG: u8 = 0x80;
 /// Can be easily customized to implement more exotic VRF types by overwriting
 /// the default methods implementations.
 pub trait Suite: Copy + Clone {
-    // TODO: make this a byte array
     /// Suite identifier (aka `suite_string` in RFC-9381)
-    const SUITE_ID: u8;
+    const SUITE_ID: &'static [u8];
 
     /// Challenge encoded length.
     ///
@@ -294,7 +290,7 @@ mod tests {
         let input = Input::from(random_val(None));
         let output = secret.output(input);
 
-        let expected = "08ffdc9d48f6553c0352b92a233a8101a69ac9f4dcb7f9e2c9c43d46a441c331";
+        let expected = "2eaa1a349197bb2b6c455bc5554b331162f0e9b13aea0aab28283cc30e7c6482";
         assert_eq!(expected, hex::encode(output.hash()));
     }
 }

src/suites/bandersnatch.rs

@@ -2,10 +2,12 @@
 //!
 //! Configuration:
 //!
-//! *  `suite_string` = 0x83.
+//! *  `suite_string` = b"bandersnatch-sha512-tai-sw for Short Weierstrass form.
+//! *  `suite_string` = b"bandersnatch-sha512-tai-ed for Twisted Edwards form.
 //!
-//! *  The EC group G is the Bandersnatch elliptic curve, in Twisted Edwards form,
-//!    with the finite field and curve parameters as specified [here](https://neuromancer.sk/std/bls/Bandersnatch)
+//! *  The EC group G is the Bandersnatch elliptic curve, in Short Weierstrass or
+//!    Twisted Edwards form, with the finite field and curve parameters as specified
+//!    [here](https://neuromancer.sk/std/bls/Bandersnatch)
 //!    For this group, `fLen` = `qLen` = 32 and `cofactor` = 4.
 //!
 //! *  `cLen` = 32.
@@ -63,7 +65,7 @@ pub mod weierstrass {
     suite_types!(BandersnatchSha512);
 
     impl Suite for BandersnatchSha512 {
-        const SUITE_ID: u8 = CUSTOM_SUITE_ID_FLAG | 0x03;
+        const SUITE_ID: &'static [u8] = b"bandersnatch-sha512-tai-sw";
         const CHALLENGE_LEN: usize = 32;
 
         type Affine = ark_ed_on_bls12_381_bandersnatch::SWAffine;
@@ -124,7 +126,7 @@ pub mod edwards {
     suite_types!(BandersnatchSha512Edwards);
 
     impl Suite for BandersnatchSha512Edwards {
-        const SUITE_ID: u8 = CUSTOM_SUITE_ID_FLAG | 0x04;
+        const SUITE_ID: &'static [u8] = b"bandersnatch-sha512-tai-te";
         const CHALLENGE_LEN: usize = 32;
 
         type Affine = ark_ed_on_bls12_381_bandersnatch::EdwardsAffine;

src/suites/ed25519.rs

@@ -2,7 +2,9 @@
 //!
 //! Configuration (RFC-9381 with some compromises):
 //!
-//! *  suite_string = 0x83.
+//! *  suite_string = b"ed25519-sha512-tai"
+//!    We slightly deviate from the suite described in RFC-9381, thus
+//!    we prefer to not use suite id [0x03].
 //!
 //! *  The EC group G is the edwards25519 elliptic curve, with the finite
 //!    field and curve parameters as defined in Table 1 in Section 5.1 of
@@ -58,7 +60,7 @@ suite_types!(Ed25519Sha512);
 suite_tests!(Ed25519Sha512);
 
 impl Suite for Ed25519Sha512 {
-    const SUITE_ID: u8 = CUSTOM_SUITE_ID_FLAG | 0x03;
+    const SUITE_ID: &'static [u8] = b"ed25519-sha512-tai";
     const CHALLENGE_LEN: usize = 16;
 
     type Affine = ark_ed25519::EdwardsAffine;

src/suites/secp256.rs

@@ -60,7 +60,7 @@ suite_types!(P256Sha256Tai);
 suite_tests!(P256Sha256Tai);
 
 impl Suite for P256Sha256Tai {
-    const SUITE_ID: u8 = 0x01;
+    const SUITE_ID: &'static [u8] = &[0x01];
     const CHALLENGE_LEN: usize = 16;
 
     type Affine = ark_secp256r1::Affine;

src/testing.rs

@@ -14,7 +14,7 @@ pub(crate) mod suite {
     pub struct TestSuite;
 
     impl Suite for TestSuite {
-        const SUITE_ID: u8 = 0xFF;
+        const SUITE_ID: &'static [u8] = b"ark-ec-vrfs-testing";
         const CHALLENGE_LEN: usize = 16;
 
         type Affine = ark_ed25519::EdwardsAffine;

src/utils.rs

@@ -4,7 +4,7 @@ use ark_ff::PrimeField;
 use digest::Digest;
 
 #[cfg(not(feature = "std"))]
-use ark_std::{vec, vec::Vec};
+use ark_std::vec::Vec;
 
 #[macro_export]
 macro_rules! suite_types {
@@ -78,7 +78,7 @@ pub fn hash_to_curve_tai_rfc_9381<S: Suite>(
         return None;
     }
 
-    let mut buf = [&[S::SUITE_ID, DOM_SEP_FRONT], data, &[0x00, DOM_SEP_BACK]].concat();
+    let mut buf = [S::SUITE_ID, &[DOM_SEP_FRONT], data, &[0x00, DOM_SEP_BACK]].concat();
     let ctr_pos = buf.len() - 2;
 
     for ctr in 0..=255 {
@@ -104,7 +104,7 @@ pub fn hash_to_curve_tai_rfc_9381<S: Suite>(
 pub fn challenge_rfc_9381<S: Suite>(pts: &[&AffinePoint<S>], ad: &[u8]) -> ScalarField<S> {
     const DOM_SEP_START: u8 = 0x02;
     const DOM_SEP_END: u8 = 0x00;
-    let mut buf = vec![S::SUITE_ID, DOM_SEP_START];
+    let mut buf = [S::SUITE_ID, &[DOM_SEP_START]].concat();
     pts.iter().for_each(|p| {
         S::point_encode(p, &mut buf);
     });
@@ -118,7 +118,7 @@ pub fn challenge_rfc_9381<S: Suite>(pts: &[&AffinePoint<S>], ad: &[u8]) -> Scala
 pub fn point_to_hash_rfc_9381<S: Suite>(pt: &AffinePoint<S>) -> HashOutput<S> {
     const DOM_SEP_START: u8 = 0x03;
     const DOM_SEP_END: u8 = 0x00;
-    let mut buf = vec![S::SUITE_ID, DOM_SEP_START];
+    let mut buf = [S::SUITE_ID, &[DOM_SEP_START]].concat();
     S::point_encode(pt, &mut buf);
     buf.push(DOM_SEP_END);
     hash::<S::Hasher>(&buf)