rustpq / pqcrypto

Rust Post-Quantum cryptography

Add Zeroize Support #28

Closed AtropineTears closed 2 years ago

AtropineTears commented 2 years ago

Adding zeroize support for keypairs would be a good idea.

thomwiggers commented 2 years ago

This was previously discussed and rejected here: https://github.com/rustpq/pqcrypto/pull/16. If you have a good argument, I'd be happy to hear it though.

AtropineTears commented 2 years ago

Interesting. Very good explanation on #16. Thank you

AtropineTears commented 2 years ago

How about clear_on_drop? I am not an expert on this so I may be wrong to suggest it, but here's some info on it. It's used in the bulletproofs library.

It can clear temporary values on the stack with clear_stack_on_return as it overwrites several kilobytes of the stack.

The clear_stack_on_return function calls a closure, and after it returns, overwrites several kilobytes of the stack. This can help overwrite temporary variables used by cryptographic algorithms, and is especially relevant when running on a short-lived thread, since the memory used for the thread stack cannot be easily overwritten after the thread terminates.

thomwiggers commented 2 years ago

Many of the implementations use megabytes of stack space.

tarcieri commented 2 years ago

Speaking as the author of zeroize...

We haven't pursued these sorts of "stack bleaching" APIs for a number of reasons. What's really needed for actual assurances when trying to wipe transient secrets from the stack is a way of measuring a sort of "high watermark" in the stack, i.e. the highest address reached as the stack grows downward while executing a set of functions that create transient secrets on the stack. Then when you exit the first "sensitive" function entered, you can zeroize between the current stack pointer and that high watermark.

That's something I really think needs some language-level assistance. I've posted to rust-internals about it before:

https://internals.rust-lang.org/t/annotations-for-zeroing-the-stack-of-sensitive-functions-which-deal-in-transient-secrets/11588

Comparatively, what clear_on_drop is doing is a sort of shot-in-the-dark guess, which may be too big for embedded platforms with small stacks, and much too small for things like PQcrypto algorithms.
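For readers following the thread, this is an added example (not pqcrypto's code, and not from the issue participants) of the owned-buffer zeroize-on-drop pattern the issue originally asked for, written against std only. The `SecretKey` type and its 32-byte sample value are constructed for illustration; the volatile-store-plus-fence technique mirrors what the `zeroize` crate does for owned buffers, and the comments mark where the transient-stack gap discussed above begins.

```rust
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite every byte of `buf` with zero using volatile stores, so the
/// optimizer cannot drop the "dead" writes, then fence so they are not
/// reordered past the point where the buffer is released.
pub fn zeroize_slice(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Hypothetical owned secret key whose bytes are wiped when it is dropped.
/// Deliberately no `Clone` or `Debug`, so copies and logs are not made by accident.
pub struct SecretKey {
    bytes: Vec<u8>,
}

impl SecretKey {
    pub fn from_bytes(bytes: Vec<u8>) -> Self {
        SecretKey { bytes }
    }

    pub fn as_bytes(&self) -> &[u8] {
        &self.bytes
    }

    /// Explicit wipe; `Drop` runs the same routine.
    pub fn zeroize(&mut self) {
        zeroize_slice(&mut self.bytes);
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        // This wipes only the owned heap buffer. Temporary copies that the
        // underlying algorithm leaves on the (possibly megabytes-deep) stack
        // are out of reach here, which is the gap the thread above discusses.
        self.zeroize();
    }
}

fn main() {
    // Constructed sample value, not a real key.
    let mut sk = SecretKey::from_bytes(vec![0xA5; 32]);
    assert!(sk.as_bytes().iter().all(|&b| b == 0xA5));
    sk.zeroize();
    assert!(sk.as_bytes().iter().all(|&b| b == 0));
}
```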