[pull] master from RustCrypto:master #4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dingelish
force-pushed
the
master
branch
2 times, most recently
from
bdfc1ca to
6447161
Compare
Implementing the idea I had in #1864 (comment), which in hindsight I actually think is better. The new implementation actually *should* take ownership instead of just cloning *for* the user. See [C-CALLER-CONTROL API guidelines](https://rust-lang.github.io/api-guidelines/flexibility.html?highlight=clone#caller-decides-where-to-copy-and-place-data-c-caller-control). This has the advantage of getting rid of the insecure `batch_invert_mut` API where users have to make sure to actually check the returned `Choice` and discard the input slice. I could also quickly add the following for even more control if desirable: ```rust #[cfg(feature = "alloc")] impl<'this, T> BatchInvert<&'this mut [Self]> for T where T: Field, { type Output = &'this mut [Self]; fn batch_invert(field_elements: &'this mut [Self]) -> CtOption<&'this mut [Self]> { let mut field_elements_pad: Vec<Self> = vec![Self::default(); field_elements.len()]; let inversion_succeeded = invert_batch_internal(field_elements, &mut field_elements_pad); CtOption::new(field_elements, inversion_succeeded) } } ```
## Changes to `ExpandMsg` - Move generic parameter `K` from `ExpandMsg` implementers to `trait ExpandMsg` itself. This was necessary to be able to enforce the correct `K` instead of letting users insert an arbitrary one. E.g. `GroupDigest::hash_from_bytes()` can now `where X: ExpandMsg<Self::K>` instead of users calling `hash_from_bytes::<ExpandMsgXmd<Sha256, U0>>()`. However, this made calling `ExpandMsg` implementers directly more difficult. E.g. instead of `ExpandMsgXmd::<Sha256, U32>::expand_msg(...)` users now have to write `<ExpandMsgXmd<Sha256> as ExpandMsg<U32>>::expand_message()`. If we want to address this, I propose adding `RawExpandMsgXmd`. - Add `CollisionResistance` requirement to `ExpandMsgXof`. - Move the lifetime on `ExpandMsg` to the associated `type Expander<'dst>`. - Fix `dst` not actually being checked to be empty, but instead checked for number of slices. - Move `GroupDigest`s `ProjectivePoint: CofactorGroup` bound to super trait bounds. This makes it less "poisoning" so downstream users don't have to write `where ProjectivePoint: CofactorGroup` every time they use `GroupDigest`. - Move `GroupDigest::hash_to_scalar()`s `Scalar: FromOkm` bounds to `GroupDigest`. I believe this was a historical leftover when `FromOkm` wasn't implemented for `Scalar`s yet. - Improved some documentation around hash2curve and updated all mentions of the draft to RFC9380. - Rename parameter names `msgs` and `dsts` to singular `msg` and `dst`. This is to avoid confusion: even though the type is `&[&[u8]]`, it doesn't represent multiple messages or DSTs, but single concated ones. - Remove non-functioning examples. While I don't think the examples are necessary, I'm happy to re-add them if desired, but I would have to add `GroupDigest` to the `Dev` curve. ## Changes to VOPRF While I was at it, I also adjusted a couple of things around `VoprfParameters` (but I'm happy to split this into its own PR): - Renamed all mentions of VOPRF to OPRF. VOPRF was the old name of the draft when it was just a single "mode", the RFC is split into three modes: OPRF, VOPRF and POPRF. The RFC itself is called ["Oblivious Pseudorandom Functions (OPRFs)"](https://www.rfc-editor.org/rfc/rfc9497.html). - Changed associated `const ID` from `&str` to `&[u8]`. - Changed associated `type Hash` from requiring `Digest` to `Default + FixedOutput + Update`. - Updated all mentions of the VOPRF draft to RFC9497. --- Related: RustCrypto/hashes#694. Companion PR: RustCrypto/elliptic-curves#1203.
NOTE: this temporarily disables the `ecdh`, `hash2curve`, and `oprf` features of `elliptic-curve` to make the release possible. They can be re-enabled when the `hmac`, `hkdf`, `sha2`, and `sha3` crates have been updated. Going forward we can remove the `=` from the `digest` version requirement now that we're done making major breaking changes, which should allow for more flexible upgrades.
Due to inter-repo dependency relationships and all of the crates previously using `=` to pin `digest`, some of the features of `elliptic-curve` had to be disabled to complete the `digest` v0.11.0-rc.0 release in #1868. Now that it's been released and there are new compatible versions of the `hkdf`, `sha2`, and `sha3` crates, it's possible to re-enable this functionality.
Bumps `crypto-bigint` to v0.7.0-pre.4
- ~~There's no reason for these tests to be gated on `alloc`~~ (aah, we need it, but can go finer-grained) - Fixes comment on object safety / dyn compatibility test for `Aead` - Adds dyn compatibility test for `AeadInOut`
`AeadInPlace` was removed in #1798, however in migrating some older code I thought it would be really helpful to have backwards compatibility and deprecations in place to help people migrate to the new names, especially as the "in place" -> "inout" migrations aren't entirely intuitive.
This PR adds new traits for multipart messages: `MultipartSigner`, `RandomizedMultipartSigner`, `RandomizedMultipartSignerMut` and `MultipartVerifier`. The idea here is to allow non-contiguous bytes to be passed, which is necessary when the message has to be constructed from multiple sources without wanting to allocate memory for a contiguous message. E.g. for `no_std` environments or when the message is rather big but pre-hashing is not applicable, e.g. PureEdDSA, ML-DSA or SLH-DSA. I know this is a rather big breaking change, so let me know what you think! These new traits can be implemented by a bunch of crates: - [x] `ecdsa`: RustCrypto/signatures#982 - [x] `ml-dsa`: RustCrypto/signatures#982 - [x] `slh-dsa`: RustCrypto/signatures#982 - [x] `bign256`: RustCrypto/elliptic-curves#1221 - [x] `sm2`: RustCrypto/elliptic-curves#1221 - [x] `k256`: RustCrypto/elliptic-curves#1221 - [x] `dsa`: RustCrypto/signatures#982 - [x] `lms`: RustCrypto/signatures#982 - [x] `rsa`: RustCrypto/RSA#525 - [ ] `ed25519-dalek` Resolves RustCrypto/signatures#959.
We've merged the relevant functionality into the `signature` crate proper
Includes `MultipartSigner`/`MultipartVerifier`
Also cuts a `crypto-common` v0.2.0-rc.7
Renames the following `Generate` methods: - `try_from_rng` => `try_generate_from_rng` - `from_rng` => `generate_from_rng` As I was writing impls of the `Generate` trait, I though it would be more consistent if all of the methods had `*generate*` in their name. This isn't too far off from what I had originally proposed in RustCrypto/meta#19.
Releases the following, with `getrandom` v0.4.0-rc.0 and `rand_core` v0.10.0-rc-3 as requirements: - `aead` v0.6.0-rc.5 - `cipher` v0.5.0-rc.3 - `crypto-common` v0.2.0-rc.8 - `digest` v0.11.0-rc.5 - `kem` v0.4.0-rc.1 - `signature` v0.3.0-rc.6 - `universal-hash` v0.6.0-rc.4 The `password-hash` crate has been withheld until we can upgrade the `phc` crate to `getrandom` v0.4.0-rc.0 as well.
This requires `block-padding` v0.4.2 which ensures there aren't any incompatibilities with older, yanked versions
Includes `getrandom` v0.4.0-rc.0 upgrades
This includes a mostly-backwards-compatible migration from `subtle` to `ctutils`.
Names them `array` and `bigint` in `Cargo.toml`, using the `package` field to refer to `hybrid-array` and `crypto-bigint` respectively. This means they're consistently referred to as `array` and `bigint` from within the crate, and should also help diagnostics that sometimes get confused and refer to e.g. `elliptic_curve::crypto_bigint` using the previous approach of `pub use crypto_bigint as bigint`.
…ps group across 1 directory (#2159)
Makes it possible to use the `CtEq` and `CtSelect` traits on the
`CurveArithmetic::{AffinePoint, ProjectivePoint, Scalar}` associated
types.
I was myself confused by the breakages removing these methods caused the other week: RustCrypto/formats#2140 (comment) If it's confusing me as the person who made the changes, no doubt it will confuse others, as it's something of a counterintuitive migration (though ultimately for the best). This adds back the methods trying to mostly preserve the type signatures from `crypto-common` v0.1, and deprecates them, along with providing documentation for what to do instead.
Provides a common API for retrieving the canonical representitive for a given field element
Adds a dependency on `crypto-common` (all curve implementations pretty much have a transitive one already) and replaces all of the RNG functionality with the new `Generate` trait (#2096), for the following types: - `NonZeroScalar` - `ScalarValue` - `SecretKey` - `ecdh::EphemeralSecret` Additionally `Generate` trait bounds have been added to the associated types for `CurveArithmetic`: `AffinePoint`, `ProjectivePoint`, `Scalar`
Impls the newly added trait from `crypto-common`. Also impls its supertrait `KeySizeUser`.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )