AEADs

xaes: initial implementation

Open SergioBenitez opened this issue 1 year ago • 8 comments

This is an initial implementation of XAES-256-GCM (re: https://github.com/RustCrypto/AEADs/issues/1) which passes the test vectors.

Would love a review, especially as it pertains to constant-time and zeroing (why isn't zeroize used to zero IVs?). I don't see an obvious constant-time byte-slice XOR in use elsewhere in Rust-Crypto, but please point to a canonical reference if possible. I also have not placed this behind any feature flags, yet. Finally, the primary structure XaesGcm256 is not parameterized in any way. If it's desirable to parameterize it in a similar fashion to AesGcm, please let me know.

SergioBenitez avatar Jun 29 '24 05:06 SergioBenitez
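The constant-time and zeroing points raised in the PR description, shown as an added example rather than code from this PR or the RustCrypto crates: a branch-free byte-slice XOR, a masked (branch-free) GF(2^128) doubling of the kind used for CMAC-style subkey derivation, a constant-time tag comparison, and a volatile zeroing loop that does, without any external crate, what `zeroize` does. Function names are assumptions; sample values are constructed.

```rust
/// Branch-free XOR of `a` and `b` into `out`.
/// Lengths are public, so checking them (and panicking) leaks nothing secret;
/// the per-byte work itself does not depend on the data.
pub fn xor_bytes(out: &mut [u8], a: &[u8], b: &[u8]) {
    assert!(out.len() == a.len() && a.len() == b.len(), "length mismatch");
    for ((o, x), y) in out.iter_mut().zip(a).zip(b) {
        *o = x ^ y;
    }
}

/// Doubling in GF(2^128) as used for CMAC subkeys: shift the 16-byte block
/// left by one bit and, if the top bit was set, XOR the reduction constant
/// 0x87 into the last byte. The conditional XOR uses a mask, not a branch.
pub fn gf128_double(block: &[u8; 16]) -> [u8; 16] {
    let mut out = [0u8; 16];
    let mut carry = 0u8;
    for i in (0..16).rev() {
        out[i] = (block[i] << 1) | carry;
        carry = block[i] >> 7;
    }
    // `carry` is now the original MSB (0 or 1); expand it to 0x00 or 0xFF.
    let mask = 0u8.wrapping_sub(carry);
    out[15] ^= 0x87 & mask;
    out
}

/// Constant-time equality for equal-length byte slices (e.g. GCM tags).
/// Every byte is visited; the result is derived from an accumulator
/// with arithmetic rather than an early return on the first mismatch.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false; // lengths are public
    }
    let mut acc: u8 = 0;
    for (x, y) in a.iter().zip(b) {
        acc |= x ^ y;
    }
    // 1 if acc == 0, else 0, computed without comparing acc directly.
    let eq = ((acc as u16).wrapping_sub(1) >> 8) as u8 & 1;
    eq == 1
}

/// Overwrite a buffer with zeros using volatile writes so the compiler cannot
/// drop them as dead stores; this is the core of what the zeroize crate does
/// (constructed stand-in, not the zeroize crate itself).
pub fn zero_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusive reference into `buf`.
        unsafe { core::ptr::write_volatile(b, 0) };
    }
    core::sync::atomic::compiler_fence(core::sync::atomic::Ordering::SeqCst);
}

fn main() {
    // Constructed sample values.
    let mut out = [0u8; 3];
    xor_bytes(&mut out, &[1, 2, 3], &[3, 2, 1]);
    println!("xor: {:?}", out);

    let mut msb_set = [0u8; 16];
    msb_set[0] = 0x80;
    println!("double: {:02x?}", gf128_double(&msb_set));

    println!("tags equal: {}", ct_eq(&[0xAA; 16], &[0xAA; 16]));

    let mut key = [0x42u8; 32];
    zero_bytes(&mut key);
    println!("key zeroed: {}", key.iter().all(|&b| b == 0));
}
```

The doubling is the place a naive port most often introduces a secret-dependent branch (`if msb { out[15] ^= 0x87 }`); the mask form keeps the same result with data-independent control flow.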

Gave you a few nits - take 'em if you like :relaxed:

If you feel like it, and if you're worried about non-ct code anywhere:

  • https://github.com/Ledger-Donjon/cargo-checkct | https://www.ledger.com/blog-cargo-checkct-our-home-made-tool-guarding-against-timing-attacks-is-now-open-source
  • https://crates.io/crates/dudect-bencher - needs a crafted dataset though crypto-bigint | basic example

pinkforest avatar Jun 29 '24 11:06 pinkforest

@newpavlov @tarcieri Any chance for a review here?

SergioBenitez avatar Jul 02 '24 23:07 SergioBenitez

@SergioBenitez sorry, I've been on vacation. I'll look at this soon.

tarcieri avatar Jul 08 '24 15:07 tarcieri

Checking in. Any chance to push this forward?

SergioBenitez avatar Jul 21 '24 02:07 SergioBenitez

@SergioBenitez haven't had a whole lot of free time lately for code review but I still hope to review it soon

tarcieri avatar Jul 22 '24 21:07 tarcieri

Sorry for the belated review.

On #1 we had discussed an xaes-gcm crate, but I now see there is already an xaes-gcm crate which implements the Derive-Key-AES-GCM construction, and I have not carefully looked at the differences between that and this construction.

I am a bit wary of including the construction in the aes-gcm crate itself, which otherwise implements NIST standard constructions.

However, I'd also note the construction in the spec is called XAES-256-GCM, so how about an xaes-256-gcm crate instead, which is currently available?

tarcieri avatar Aug 01 '24 01:08 tarcieri

Sure! Went ahead and published a -pre version to reserve the name. I also added you as an owner; feel free to use that as you wish. Looking forward to a review of the crate.

SergioBenitez avatar Aug 09 '24 11:08 SergioBenitez

@SergioBenitez attempted to do a Cargo.lock merge but it seems it didn't work. Can you take a look?

tarcieri avatar Oct 15 '24 17:10 tarcieri

Merged in #642

tarcieri avatar Oct 25 '24 17:10 tarcieri