X25519 using fiat-crypto Curve25519 field arithmetic (#197)

* ecc: Add fiat-crypto Curve25519 generated Rust code * ecc: Add initial draft of X25519 implementation * ecc: Add basic RFC tests to X25519 * tests: Add Wycheproof test vectors for standard X25519 * tests: Add Wycheproof runner and fix warnings * tests: Setup Wycheproof runner for X25519 * tests: Make separate test_runner for X25519 to follow earlier conventiones * x25519: Rename x25519_with_err -> x25519 * x25519: Only imports from core * x25519: Test that the MSB in final byte of group point U is ignored during key-agreement * x25519: Fix debug_assert sanity check * ecc: Update fiat-crypto Curve25519 arithmetic * ecc: Create raw-byte wrapper newtypes SecretKey, PublicKey and SharedSecret * ecc: key_agreement taking PublicKey, SecretKey and returning SharedSecret * ecc: Handle remaining flags in Wycheproof test vectors * NIT * ecc: Documentation improvements * ecc: Scalar should clamp in from_slice() * ecc: Use FieldElement directly in mont_ladder() * ecc: No unwrap() or expect() calls in Orion nor fiat-crypto so panic-docs have been removed * ecc: Remove unused Neg impl (needed for CT-swap, but this is used directly through fiat-crypto) * ecc: Update 1M RFC iter test * Update README with support for X25519
orion-rs · Oct 4, 2021 · bd92d2a · bd92d2a
1 parent a083f3b
commit bd92d2a
Show file tree

Hide file tree

Showing 10 changed files with 6,790 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -6,10 +6,11 @@ Orion is a cryptography library written in pure Rust. It aims to provide easy an
 
 Currently supports:
 * **AEAD**: (X)ChaCha20Poly1305.
-* **Stream ciphers**: (X)ChaCha20.
+* **Hashing**: BLAKE2b, SHA2.
 * **KDF**: HKDF, PBKDF2, Argon2i.
+* **Key exchange**: X25519.
 * **MAC**: HMAC, Poly1305.
-* **Hashing**: BLAKE2b, SHA2.
+* **Stream ciphers**: (X)ChaCha20.
 
 ### Security
 This library has **not undergone any third-party security audit**. Usage is at **own risk**.

diff --git a/src/hazardous/ecc/fiat_curve25519_u64.rs b/src/hazardous/ecc/fiat_curve25519_u64.rs
diff --git a/src/hazardous/ecc/mod.rs b/src/hazardous/ecc/mod.rs
@@ -0,0 +1,34 @@
+// MIT License
+
+// Copyright (c) 2021 The orion Developers
+
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+#[allow(
+    dead_code,
+    non_camel_case_types,
+    clippy::unnecessary_cast,
+    clippy::unused_unit
+)]
+/// Formally verified  Curve25519 field arithmetic from: https://github.com/mit-plv/fiat-crypto
+/// Last taken at commit: https://github.com/mit-plv/fiat-crypto/commit/626203aec9fcf5617631fb687d719e5e78dac09f
+mod fiat_curve25519_u64;
+
+/// Diffie-Hellman key exchange over Curve25519 as specified in the [RFC 7748](https://datatracker.ietf.org/doc/html/rfc7748).
+pub mod x25519;