RustCrypto / hybrid-array

Hybrid typenum/const generic arrays
Apache License 2.0

Optional serde support #73

Closed robinhundt closed 2 months ago

robinhundt commented 7 months ago

generic_array::GenericArray optionally implements serde's Serialize and Deserialize traits if the corresponding feature is enabled.

I tried to update my dependency on blake2 to the current pre-release, but am blocked on the missing serde implementations on Array.

Are these planned for the future?

tarcieri commented 7 months ago

Here's the previous issue on serde support: https://github.com/RustCrypto/utils/pull/979

We can add it, but unfortunately the serde data model lacks proper support for fixed-sized arrays, which is an issue I brought up on the other PR. This makes serializations of [u8; N] often suboptimal, depending on the format.

It might make sense to consider changing the blake2 crate's serde support to use serdect, our crate which wraps up serde impls in a consistent manner: https://github.com/RustCrypto/formats/tree/master/serdect

robinhundt commented 7 months ago

Thanks for the context and the pointer to the serdect crate, I wasn't aware of it yet. The motivating paper on side-channel attacks on ser/de of keys also looks interesting.

> We can add it, but unfortunately the serde data model lacks proper support for fixed-sized arrays, which is an issue I brought up on the other PR. This makes serializations of [u8; N] often suboptimal, depending on the format.

This sounds rather annoying :/

> It might make sense to consider changing the blake2 crate's serde support to use serdect, our crate which wraps up serde impls in a consistent manner: https://github.com/RustCrypto/formats/tree/master/serdect

The latest pre-release version (0.11.0-pre.3) has no serde feature. Or did you mean the latest stable? But as I understand it, serdect could not be used either in the latest stable or pre-release of blake2, as the Ser/De traits are needed on either GenericArray or hybrid_array::Array.

From my point of view, an optional serdect-based serde support for hybrid-array sounds like the best option. While not ideal, it at least prevents otherwise easy to introduce side-channels. As hybrid-array aims to be a 'largely drop-in replacement for generic-array', I feel like this optional support would be better than no support.

tarcieri commented 7 months ago

> But as I understand it, serdect could not be used either in the latest stable or pre-release of blake2, as the Ser/De traits are needed on either GenericArray or hybrid_array::Array.

serdect can serialize [u8; N] or [u8], and what's more, since it uses Serializer::serialize_bytes, it supports a more compact serialization on formats which can't natively represent homogenously typed arrays/slices but do support a compact encoding specifically for bytestrings, such as MessagePack.

Generic serde support in hybrid-array needs to support [T; N] and thus can't take advantage of compact representations of bytestrings afforded by Serializer::serialize_bytes. So this support is not only needed for serdect, but if we tried to use it, it would be suboptimal.
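
As an added illustration (not part of the thread and not code from serdect or hybrid-array), the sketch below hand-encodes the same bytes in the two MessagePack shapes discussed above: a single `bin` bytestring, as a `serialize_bytes` call can be encoded, and an array of integers, as a generic sequence of `u8` elements is laid out. The function names are made up for this example and it uses only the standard library.

```rust
// Added illustration: hand-rolled MessagePack encoders; function names are hypothetical.

/// One MessagePack `bin` value: marker, big-endian length, then the raw bytes.
fn encode_as_bin(data: &[u8]) -> Vec<u8> {
    let n = data.len();
    assert!(n <= u32::MAX as usize, "MessagePack lengths are at most 32 bits");
    let mut out = Vec::with_capacity(n + 5);
    if n <= 0xff {
        out.extend_from_slice(&[0xc4, n as u8]); // bin 8
    } else if n <= 0xffff {
        out.push(0xc5); // bin 16
        out.extend_from_slice(&(n as u16).to_be_bytes());
    } else {
        out.push(0xc6); // bin 32
        out.extend_from_slice(&(n as u32).to_be_bytes());
    }
    out.extend_from_slice(data);
    out
}

/// A MessagePack array whose elements are the bytes encoded as unsigned integers.
fn encode_as_int_array(data: &[u8]) -> Vec<u8> {
    let n = data.len();
    assert!(n <= u32::MAX as usize, "MessagePack lengths are at most 32 bits");
    let mut out = Vec::with_capacity(2 * n + 5);
    if n <= 15 {
        out.push(0x90 | n as u8); // fixarray
    } else if n <= 0xffff {
        out.push(0xdc); // array 16
        out.extend_from_slice(&(n as u16).to_be_bytes());
    } else {
        out.push(0xdd); // array 32
        out.extend_from_slice(&(n as u32).to_be_bytes());
    }
    for &b in data {
        if b >= 0x80 {
            out.push(0xcc); // uint 8 marker; 0x00..=0x7f fit in a positive fixint
        }
        out.push(b);
    }
    out
}

fn main() {
    // Constructed sample: a 32-byte value with every byte >= 0x80 (worst case).
    let digest = [0xabu8; 32];
    println!("bin: {} bytes", encode_as_bin(&digest).len());
    println!("array of ints: {} bytes", encode_as_int_array(&digest).len());
}
```

For the constructed 32-byte input the `bin` form is 34 bytes and the integer-array form is 67; the integer-array length also varies with the byte values, since bytes of 0x80 and above need a two-byte `uint 8`.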