Closed. AtropineTears closed this issue 2 years ago.
This was previously discussed and rejected here: https://github.com/rustpq/pqcrypto/pull/16. If you have a good argument, I'd be happy to hear it though.
Interesting. Very good explanation on #16. Thank you.
How about clear_on_drop? I am not an expert on this, so I may be wrong to suggest it, but here's some info on it. It's used in the bulletproofs library.
It can clear temporary values on the stack with clear_stack_on_return, as it overwrites several kilobytes of the stack.
The clear_stack_on_return function calls a closure, and after it returns, overwrites several kilobytes of the stack. This can help overwrite temporary variables used by cryptographic algorithms, and is especially relevant when running on a short-lived thread, since the memory used for the thread stack cannot be easily overwritten after the thread terminates.
Many of the implementations use megabytes of stack space.
Speaking as the author of zeroize...
We haven't pursued these sorts of "stack bleaching" APIs for a number of reasons. What's really needed for actual assurances when trying to wipe transient secrets from the stack is a way of measuring a sort of "high watermark" in the stack, i.e. the highest address reached as the stack grows downward while executing a set of functions that create transient secrets on the stack. Then when you exit the first "sensitive" function entered, you can zeroize between the current stack pointer and that high watermark.
That's something I really think needs some language-level assistance. I've posted to rust-internals about it before:
Comparatively, what clear_on_drop is doing is a sort of shot-in-the-dark guess, which may be too big for embedded platforms with small stacks, and much too small for things like PQcrypto algorithms.
Adding zeroize support for keypairs would be a good idea.
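As an added illustration of the zeroize-on-drop idea suggested in the last comment (example code written for this page, not pqcrypto's API and not the zeroize crate itself), the block below reimplements the volatile-write-plus-fence technique that zeroize uses, so it runs with no dependencies. The `Keypair`, `SecretGuard` and `wipe` names are assumptions for the example. The `SecretGuard` over a caller-owned buffer exists so the wipe is observable after the scope ends; a `Drop` on an owned `Vec` wipes before the allocation is freed but cannot be inspected afterwards without undefined behaviour.

```rust
use core::ptr;
use core::sync::atomic::{compiler_fence, Ordering};

/// Overwrite `bytes` with zeros using volatile writes followed by a compiler
/// fence, so the optimizer cannot drop the stores as dead writes. This is the
/// core technique the zeroize crate relies on, reimplemented here to keep the
/// example dependency-free.
pub fn wipe(bytes: &mut [u8]) {
    for b in bytes.iter_mut() {
        // SAFETY: `b` is a live, aligned, exclusive reference to a u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Guard over a caller-owned buffer holding a transient secret. When the guard
/// goes out of scope the buffer is wiped; the caller still owns the buffer and
/// can therefore verify the result.
pub struct SecretGuard<'a> {
    buf: &'a mut [u8],
}

impl<'a> SecretGuard<'a> {
    pub fn new(buf: &'a mut [u8]) -> Self {
        SecretGuard { buf }
    }
    pub fn as_bytes(&self) -> &[u8] {
        &*self.buf
    }
    pub fn as_bytes_mut(&mut self) -> &mut [u8] {
        &mut *self.buf
    }
}

impl Drop for SecretGuard<'_> {
    fn drop(&mut self) {
        wipe(&mut *self.buf);
    }
}

/// Hypothetical keypair (field and method names are assumptions, not
/// pqcrypto's API). The heap-allocated secret is wiped before it is freed.
pub struct Keypair {
    public: Vec<u8>,
    secret: Vec<u8>,
}

impl Keypair {
    pub fn new(public: Vec<u8>, secret: Vec<u8>) -> Self {
        Keypair { public, secret }
    }
    pub fn public(&self) -> &[u8] {
        &self.public
    }
    /// Deliberately named accessor so every read of the secret is easy to audit.
    pub fn expose_secret(&self) -> &[u8] {
        &self.secret
    }
}

impl Drop for Keypair {
    fn drop(&mut self) {
        // Wipe in place first; Vec's own Drop then frees the allocation.
        wipe(&mut self.secret);
    }
}

/// Fill a caller-owned scratch buffer with constructed "intermediate" bytes
/// through a guard, then report whether the buffer was left zeroed once the
/// guard was dropped.
pub fn scoped_use_leaves_buffer_zeroed() -> bool {
    let mut scratch = vec![0u8; 4096]; // stand-in for a large PQ intermediate
    {
        let mut guard = SecretGuard::new(&mut scratch);
        for (i, b) in guard.as_bytes_mut().iter_mut().enumerate() {
            *b = (i as u8).wrapping_mul(31).wrapping_add(7); // constructed filler
        }
        assert_ne!(guard.as_bytes()[1], 0);
    } // guard dropped here: scratch is wiped
    scratch.iter().all(|&b| b == 0)
}

fn main() {
    let kp = Keypair::new(vec![0x11; 32], vec![0x22; 64]);
    println!("secret len: {}", kp.expose_secret().len());
    drop(kp); // secret wiped before the allocation is released
    println!("scratch zeroed after scope: {}", scoped_use_leaves_buffer_zeroed());
}
```

Note what this does and does not cover: `Drop`-based wiping reaches only memory the type owns. Copies of the secret left in registers or in stack frames of the algorithm's internal functions are exactly the transient values the "high watermark" discussion above is about, and this pattern does not address them.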