Cosmian / crypto_core


Traits + ECIES + Signature #43

Closed bgrieder closed 1 year ago

bgrieder commented 1 year ago
tbrezot commented 1 year ago

I had no time to go through the ECIES implementations in detail.

About the traits, I am a bit bothered by the confusion between being bytes and being serializable. What about:

/// Cryptographic bytes are bytes that are erased from memory on drop.
trait CBytes: ZeroizeOnDrop {
    /// Cryptographic bytes should be easy to dereference.
    fn as_bytes(&self) -> &[u8];

    /// Cryptographic bytes should be convertible from a slice.
    fn try_from_slice(bytes: &[u8]) -> Result<Self, _>;
}

trait FixedLengthCBytes: CBytes {
    const LENGTH: usize;

    fn to_bytes(&self) -> [u8; Self::LENGTH];

    fn into_bytes(self) -> [u8; Self::LENGTH];

    fn try_from_bytes(bytes: [u8; Self::LENGTH]) -> Result<Self, _>;
}

trait RandomBytes {
    fn random(rng: &mut impl CryptoRngCore) -> Self;
}

trait Serializable {
    fn write(&self, ...);
    fn read(...) -> Self;
}

Then:

bgrieder commented 1 year ago

I have checked that in the https://github.com/dalek-cryptography/x25519-dalek crate the private key Scalar is constructed from a clamped integer:

This method creates the Public key by first "clamping" the random bytes of the Ephemeral Key: https://github.com/dalek-cryptography/x25519-dalek/blob/f683cf4d501549bbfc7b24a2af7ebafb6dc0267b/src/x25519.rs#L108

The EdwardsPoint::mul_base_clamped() method is implemented here: https://github.com/dalek-cryptography/curve25519-dalek/blob/e111b5d913e8c857acf7589303f655f1fab2d64a/src/edwards.rs#L741

I have also confirmed that libsodium does the same thing, so I reverted all changes to clamping.

bgrieder commented 1 year ago

AFAIC, this is ready for merging.

tbrezot commented 1 year ago

Okay, I just found the mention of the clamping procedure (without naming it) on DJB's website about generating a random Curve25519 scalar:

Computing secret keys. Inside your program, to generate a 32-byte Curve25519 secret key,
start by generating 32 secret random bytes from a cryptographically safe source:
mysecret[0], mysecret[1], ..., mysecret[31]. Then do

     mysecret[0] &= 248;
     mysecret[31] &= 127;
     mysecret[31] |= 64;

to create a 32-byte Curve25519 secret key mysecret[0], mysecret[1], ..., mysecret[31].
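The clamping step that bgrieder found in x25519-dalek and libsodium, and that tbrezot quotes from DJB above, written out as an added example. This is not crypto_core's, x25519-dalek's or libsodium's code: it is an illustration in plain Rust (no curve arithmetic, so the base-point multiplication that `mul_base_clamped` performs after clamping is not shown). The `clamp`, `is_clamped`, `mod_8`, `highest_bit` and `generate_secret` names and the xorshift byte source in `main` are constructed for the example; a real implementation takes its 32 bytes from a `CryptoRngCore`.

```rust
// Added example, not code from the crypto_core project or its dependencies.
// Shows DJB's three clamping operations on a 32-byte little-endian scalar and
// the invariants they establish (multiple of the cofactor 8, bit 255 clear,
// bit 254 set). Names and sample inputs here are constructed for the example.

/// Clamp a 32-byte little-endian Curve25519 secret exactly as DJB describes.
pub fn clamp(mut secret: [u8; 32]) -> [u8; 32] {
    secret[0] &= 248; // 0b1111_1000: clear the low 3 bits, so scalar == 0 (mod 8)
    secret[31] &= 127; // 0b0111_1111: clear bit 255, so scalar < 2^255
    secret[31] |= 64; // 0b0100_0000: set bit 254, so scalar >= 2^254 (fixed bit length)
    secret
}

/// True if the scalar already satisfies the three clamping invariants.
pub fn is_clamped(secret: &[u8; 32]) -> bool {
    secret[0] & 0b0000_0111 == 0 && secret[31] & 0b1100_0000 == 0b0100_0000
}

/// The scalar modulo 8, read off its little-endian encoding: since 256 is a
/// multiple of 8, only the low byte contributes.
pub fn mod_8(secret: &[u8; 32]) -> u8 {
    secret[0] & 0b0000_0111
}

/// Index (0..=255) of the highest set bit, or None for the all-zero scalar.
/// A clamped scalar always answers Some(254).
pub fn highest_bit(secret: &[u8; 32]) -> Option<usize> {
    (0..256usize).rev().find(|&i| ((secret[i / 8] >> (i % 8)) & 1) == 1)
}

/// Build a clamped secret from any supplier of 32 random bytes. In real code
/// `fill` would draw from a CryptoRngCore; the closure is a stand-in here.
pub fn generate_secret(mut fill: impl FnMut(&mut [u8; 32])) -> [u8; 32] {
    let mut secret = [0u8; 32];
    fill(&mut secret);
    clamp(secret)
}

fn main() {
    // Constructed byte source (xorshift64, NOT a CSPRNG) so the example runs offline.
    let mut state: u64 = 0x9E37_79B9_7F4A_7C15;
    let secret = generate_secret(|buf| {
        for b in buf.iter_mut() {
            state ^= state << 13;
            state ^= state >> 7;
            state ^= state << 17;
            *b = state as u8;
        }
    });
    let hex: String = secret.iter().map(|b| format!("{b:02x}")).collect();
    println!("clamped secret: {hex}");
    println!("mod 8 = {}, highest bit = {:?}", mod_8(&secret), highest_bit(&secret));
}
```

The two byte-level checks are the whole content of clamping: `mod_8` returning 0 is what removes any small-subgroup (cofactor) component from the scalar multiplication, and `highest_bit` always returning 254 is what gives every secret the same bit length, so a ladder that loops over the bit positions does not leak the scalar's size through timing. Because the operations only mask and set bits, clamping is idempotent: clamping an already-clamped secret, as libsodium and x25519-dalek do at key-generation time, changes nothing.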