`fastcrypto` is a common cryptography library used in software at Mysten Labs. It contains three individual crates: `fastcrypto`, `fastcrypto-zkp` and `fastcrypto-cli`. They are published as independent crates to encourage reusability across different applications and domains.
`fastcrypto` is a wrapper library around several carefully selected crates with the following considerations:
Furthermore, we extend the selected libraries with additional features:
This library will be continuously updated with more schemes and faster implementations based on benchmarking results, RFC updates, new research and auditor inputs.
The `fastcrypto` crate contains:

- Traits that should be implemented by concrete types representing digital cryptographic materials.
  - `SigningKey`: Trait implemented by the private key, with associated types for its public key and signature.
  - `VerifyingKey`: Trait implemented by the public key, with associated types for its private key and signature. It also includes a default implementation of batch verification that fails on an empty batch.
  - `Authenticator`: Trait implemented by the signature, with associated types for its public key and private key.
  - `AggregateAuthenticator`: Trait implemented by the aggregated signature, which allows adding signatures to the aggregated signature and verifying it against the public keys with the corresponding messages.
  - `KeyPair`: Trait that represents a public/private keypair, which includes the common get-private/get-public key functions and a keypair generation function with seeded randomness.
  - `ToFromBytes`: Trait that aims to minimize the number of steps involved in obtaining a serializable key.
  - `EncodeDecodeBase64`: Trait that extends `ToFromBytes` for immediate conversion to/from Base64 strings. This is the format in which cryptographic materials are stored.
- Concrete signature schemes that implement the recommended traits required for cryptographic agility.
  - Ed25519: implemented using the `ed25519-consensus` crate. Compliant with ZIP-215, which defines the signature validity rules that are lacking from RFC 8032 but critical for consensus algorithms. `ed25519-dalek` is fully deprecated due to the recently discovered Chalkias double pub-key API vulnerability.
  - Secp256k1: `verify_hashed` is provided to accept a pre-hashed message and its signature for verification. Supports public key recovery by providing the Secp256k1 recoverable signature with the corresponding pre-hashed message. An accepted signature must have its `s` in the lower half of the curve order. If `s` is too high, normalize `s` to `order - s`, where the curve order is `0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141`. See more at BIP-0062.
  - Secp256r1: implemented using the `p256` crate, which is a pure Rust implementation of the Secp256r1 (aka NIST P-256 and prime256v1) curve. The functionality from `p256` is extended such that, besides standard ECDSA signatures, our implementation can also produce and verify 65-byte recoverable signatures of the form `[r, s, v]`, where `v` is the recovery ID. Signatures are produced deterministically using the pseudo-random deterministic nonce generation according to RFC 6979, without the strong requirement to generate randomness for nonce protection. Uses SHA-256 as the default hash function for sign and verify. Supports public key recovery by providing the Secp256r1 ECDSA recoverable signature with the corresponding pre-hashed message. An accepted signature must have its `s` in the lower half of the curve order. If `s` is too high, normalize `s` to `order - s`, where the curve order is `0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551`, as defined here.
  - BLS12-381: implemented using the `blst` crate, written in Assembly and C and optimized for performance and security. G1 and G2 points are serialized following the ZCash specification in compressed format. Provides functions for verifying signatures in the G1 group against public keys in the G2 group (min-sig) or vice versa (min-pk). Provides functions for aggregating signatures and fast verification of aggregated signatures, where public keys are assumed to be verified for proof of possession.
- Utility functions on cryptographic primitives. Some of them serve as the Rust implementation of the Move smart contract API in Sui.
  - Pedersen commitments with range checks: function to verify that a commitment is a Pedersen commitment of some value with an unsigned bit length, i.e. a value that is an integer within the range `[0, 2^bits)`.
  - Encoding: Base64 and Hex are defined with an encoding trait with its customized serialization and validations, backed by `base64ct` and `hex`. Notably, the `base64ct` crate has been chosen instead of the most popular `base64` Rust crate because (a) it is constant time and (b) mangled encodings are explicitly rejected to prevent malleability attacks when decoding; see the paper with an in-depth analysis.
  - Hash function wrappers: SHA2_256 with 256-bit digests, SHA3_256 with 256-bit digests, SHA2_512 with 512-bit digests, SHA3_512 with 512-bit digests, KECCAK with 256-bit digests, BLAKE2-256 with 256-bit digests.
  - Multiset hash: a hash function whose output is a point on an elliptic curve. It also allows efficient computation of the hash of the union of two multisets.
- An asynchronous signature service is provided for testing and benchmarking.
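The low-s rule stated for the Secp256k1 and Secp256r1 schemes above, as an added example that is not fastcrypto's own code: it works directly on the 32-byte big-endian `s` and the two curve orders quoted above, so it needs no dependencies. The rejection of `s == 0` and `s >= order` is the standard ECDSA range check, assumed here rather than stated on the page.

```rust
/// A 256-bit scalar in big-endian byte order, the form in which the `s` half of an ECDSA signature is serialized.
pub type Scalar = [u8; 32];

/// The two curve orders quoted in the README (big-endian).
pub const SECP256K1_ORDER: Scalar = [
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
    0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41,
];
pub const SECP256R1_ORDER: Scalar = [
    0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51,
];

/// `order >> 1`. Both orders are odd, so this equals `(order - 1) / 2`, the largest low `s`.
pub fn half_order(order: &Scalar) -> Scalar {
    let mut out = [0u8; 32];
    let mut carry = 0u8;
    for i in 0..32 {
        out[i] = (order[i] >> 1) | (carry << 7);
        carry = order[i] & 1;
    }
    out
}

/// `a - b` over big-endian bytes with borrow propagation; callers guarantee `a >= b`.
fn sub(a: &Scalar, b: &Scalar) -> Scalar {
    let mut out = [0u8; 32];
    let mut borrow = 0i16;
    for i in (0..32).rev() {
        let d = i16::from(a[i]) - i16::from(b[i]) - borrow;
        borrow = i16::from(d < 0);
        out[i] = (d + 256 * borrow) as u8;
    }
    out
}

/// Big-endian byte arrays compare lexicographically, which is numeric comparison here.
pub fn is_low_s(s: &Scalar, order: &Scalar) -> bool {
    *s <= half_order(order)
}

/// The README's rule: a high `s` becomes `order - s`. `None` means `s` is outside the
/// valid ECDSA range `[1, order - 1]` (assumed standard check, not stated on the page).
pub fn normalize_s(s: &Scalar, order: &Scalar) -> Option<Scalar> {
    if *s == [0u8; 32] || *s >= *order {
        return None;
    }
    Some(if is_low_s(s, order) { *s } else { sub(order, s) })
}
```

Because `order - s` is itself a valid signature scalar for the same `(r, message)`, a verifier that accepts both halves lets a third party mint a second distinct signature; normalizing before comparison or storage removes that degree of freedom.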
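The malleability point in the Encoding item above, as an added illustration that is not `base64ct`'s code: a strict RFC 4648 decoder that rejects every non-canonical input, so that `QQ==` and `QR==` no longer both decode to the byte `A`. The error strings are this example's own.

```rust
/// Maps one Base64 alphabet character (RFC 4648, standard alphabet) to its 6-bit value.
fn sextet(c: u8) -> Option<u32> {
    match c {
        b'A'..=b'Z' => Some(u32::from(c - b'A')),
        b'a'..=b'z' => Some(u32::from(c - b'a') + 26),
        b'0'..=b'9' => Some(u32::from(c - b'0') + 52),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

/// Decodes padded standard Base64 and rejects every non-canonical encoding: bad characters, a length
/// that is not a multiple of 4, misplaced or mismatched padding, and non-zero unused bits in the last symbol.
pub fn decode_strict(input: &str) -> Result<Vec<u8>, &'static str> {
    let bytes = input.as_bytes();
    if bytes.len() % 4 != 0 { return Err("length is not a multiple of 4"); }
    let mut out = Vec::with_capacity(bytes.len() / 4 * 3);
    let (mut acc, mut nbits, mut pad) = (0u32, 0u32, 0u32);
    for (i, &b) in bytes.iter().enumerate() {
        if b == b'=' {
            // Padding is only legal in the last two positions.
            if i + 2 < bytes.len() { return Err("padding before the end"); }
            pad += 1;
            continue;
        }
        if pad > 0 { return Err("data after padding"); }
        acc = (acc << 6) | sextet(b).ok_or("character outside the alphabet")?;
        nbits += 6;
        if nbits >= 8 {
            nbits -= 8;
            out.push((acc >> nbits) as u8);
            acc &= (1 << nbits) - 1; // keep only the not-yet-emitted low bits
        }
    }
    // Two pad chars leave 4 unused bits, one pad char leaves 2, none leaves 0.
    match (pad, nbits) {
        (0, 0) | (1, 2) | (2, 4) => {}
        _ => return Err("padding does not match data length"),
    }
    // A lenient decoder silently drops these bits, giving one byte string many encodings.
    if acc != 0 { return Err("non-zero trailing bits (non-canonical encoding)"); }
    Ok(out)
}
```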
The `fastcrypto-zkp` crate contains APIs to verify a Groth16 proof along with its prepared verifying key and public inputs. The BN254 and BLS12381 curves are supported. The verifier is backed by the Arkworks and `blst` libraries.
The `fastcrypto-cli` crate includes CLI tools available for debugging. See the usage of each with the `-h` flag:

```shell
$ cargo build --bin encode-cli
$ target/debug/encode-cli -h
$ cargo build --bin sigs-cli
$ target/debug/sigs-cli -h
$ cargo build --bin ecvrf-cli
$ target/debug/ecvrf-cli -h
```
There exist unit tests for all primitives in all three crates, which can be run by:

```shell
$ cargo test
```
In `fastcrypto`, one can compare all currently implemented signature schemes for sign, verify, verify_batch and key generation by running:

```shell
$ cargo bench
```
A report of the benchmarks is generated for each release, allowing easy comparison of the performance of the different cryptographic primitives and schemes available in `fastcrypto`. As an example, we get these timings for signing messages and verifying the signature for the different schemes in `fastcrypto` as of revision dd5adb:
Below is another plot made using data from the benchmark report, showing benchmarks for batched signature verification where all signatures are on the same message:
In `fastcrypto-zkp`, benchmarks can be run for converting field elements from the Arkworks to the `blst` representation, and for verifying Groth16 proofs over BN254 and BLS12381:

```shell
$ cd fastcrypto-zkp/
$ cargo bench
```
All crates are licensed under either of