Small, wasm-friendly, zero-dependencies Ed25519 implementation for Rust.

Formally-verified Curve25519 field arithmetic no_std-friendly WebAssembly-friendly [email protected] Lightweight Zero dependencies if randomness is provided by the application

Information

Category: Rust / Security tools
Watchers: 1
Star: 14
Fork: 1
Last update: Jul 1, 2020

Resource links

https://github.com/jedisct1/rust-ed25519-compact

README
Issues 8

A compact Ed25519 implementation for Rust

Formally-verified Curve25519 field arithmetic
no_std-friendly
WebAssembly-friendly
[email protected]
Lightweight
Zero dependencies if randomness is provided by the application
Only one portable dependency (getrandom) if not
Safe and simple Rust interface

Example usage

cargo.toml:

[dependencies]
ed25519-compact = "0.1"

Example code:

// A message to sign and verify.
let message = b"test";

// Generates a new key pair using a random seed.
// A given seed will always produce the same key pair.
let key_pair = KeyPair::from_seed(Seed::default());

// Computes a signature for this message using the secret part of the key pair.
let signature = key_pair.sk.sign(message, Some(Noise::default()));

// Verifies the signature using the public part of the key pair.
key_pair
    .pk
    .verify(message, &signature)
    .expect("Signature didn't verify");

// Verification of a different message using the same signature and public key fails.
key_pair
    .pk
    .verify(b"A differnt message", &signature)
    .expect_err("Signature shouldn't verify");

// All these structures can be viewed as raw bytes simply by dereferencing them:
let signature_as_bytes: &[u8] = signature.as_ref();
println!("Signature as bytes: {:?}", signature_as_bytes);

Cargo features

self-verify: after having computed a new signature, verify that is it valid. This is slower, but improves resilience against fault attacks. It is enabled by default on WebAssembly targets.
std: disables no_std compatibility in order to make errors implement the standard Error trait.
random (enabled by default): adds Default implementations to the Seed and Noise objects, in order to securely create random keys and noise.

0 Open More issues

Closed

Declare `new` functions as const

null

opened Dec 30, 2021 by davidlattimore 3

Closed

Build failing

I don't know what's the actual issue, but my build of tor-v3-vanity fails due to an issue in this, I think.

$ cargo install --path .
  Installing tor-v3-vanity v0.1.0 (/home/sm/tor-v3-vanity)
    Updating crates.io index
   Compiling ed25519-compact v0.1.8
   Compiling libc v0.2.79
   Compiling miniz_oxide v0.4.3
   Compiling num-traits v0.2.12
   Compiling num-integer v0.1.43
   Compiling crossbeam-utils v0.7.2
   Compiling proc-macro2 v1.0.24
   Compiling syn v1.0.46
   Compiling generic-array v0.14.4
   Compiling typenum v1.12.0
   Compiling getrandom v0.1.15
   Compiling memchr v2.3.3
   Compiling failure_derive v0.1.8
   Compiling serde v1.0.117
   Compiling addr2line v0.13.0
   Compiling regex v0.2.11
   Compiling byteorder v1.3.4
   Compiling regex-syntax v0.5.6
   Compiling semver v0.9.0
   Compiling bitflags v1.2.1
   Compiling maybe-uninit v2.0.0
   Compiling cuda-sys v0.2.0
   Compiling textwrap v0.11.0
   Compiling ed25519 v1.0.3
error[E0432]: unresolved import `std`
 --> /home/sm/.cargo/registry/src/github.com-1ecc6299db9ec823/ed25519-compact-0.1.8/src/ed25519.rs:5:5
  |
5 | use std::fmt;
  |     ^^^ use of undeclared type or module `std`

error: aborting due to previous error

For more information about this error, try `rustc --explain E0432`.
error: could not compile `ed25519-compact`.

To learn more, run the command again with --verbose.
warning: build failed, waiting for other jobs to finish...
error: failed to compile `tor-v3-vanity v0.1.0 (/home/sm/tor-v3-vanity)`, intermediate artifacts can be found at `/home/sm/tor-v3-vanity/target`

Caused by:
  build failed

Related: https://github.com/dr-bonez/tor-v3-vanity/issues/4

opened Oct 23, 2020 by samip5 3

Closed

Add opt_size feature for embedded environments.

Tracking issue/continuation from https://github.com/jedisct1/rust-hmac-sha256/pull/2.

Things are not going according to plan tonight. Short version; ed25519-compact is very unlikely to fit into the 48kB of easily-accessible flash that I have on my MSP430 part. The microcontroller actually has 128kB of flash (which will barely fit with max size optimizations and the inline changes I've made), but I do not know the linker invocation to accomplish this, nor do I know if LLVM meaningfully supports the 20-bit program counter of MSP430. I'll recompile for an ARM micro I have to test speed at some point soon.

In the meantime, please enjoy this image :D:

opened Feb 20, 2022 by cr1901 2

Closed

Add optional serde feature

Hello, this PR adds an optional serde feature which adds Serialize and Deserialize implementations to KeyPair. In keeping with the compact spirit of the crate those are manual implementations that don't rely on the heavy code generation dependencies of serde_derive.

This might be too much additional complexity for a "compact" crate, but if it's something you'd like to support I'd be happy to push additional Serialize and Deserialize implementations for PublicKey as well.

opened Jul 20, 2020 by wg 2

Closed

Add opt_size feature to reduce .text segment size at the cost of perf…

…ormance.

Analogous to https://github.com/jedisct1/rust-hmac-sha256/pull/2, except several months late :D!

Benchmarks

Benchmarks were done targeting an Adafruit Feather RP2040, running at the default 125 MHz. My rustc info is as follows:

rustc 1.60.0-nightly (51126be1b 2022-01-24)
binary: rustc
commit-hash: 51126be1b260216b41143469086e6e6ee567647e
commit-date: 2022-01-24
host: x86_64-pc-windows-gnu
release: 1.60.0-nightly
LLVM version: 13.0.0

I used the following cargo profiles (dev == Debug) and varied the opt-level:

[profile.dev]
codegen-units = 1
debug = 2
debug-assertions = true
incremental = false
overflow-checks = true

[profile.release]
codegen-units = 1
debug = 2
debug-assertions = false
incremental = false
lto = 'fat'
overflow-checks = false

Results

|Profile|opt-level|opt_size?|.text size| uSecs| cargo bloat|.text diff| uSecs diff| bloat diff| |-------|---------|---------|------------|-------|--------------|------------|-----------|-------------| | Debug| 0| No| 422040| X|68.0% 254.2KiB| | | | | Debug| 0| Yes| 345656| X|60.0% 179.7KiB| -18.1%| X| -29.3%| | Debug| 1| No| 150456| 828569| 68.4% 83.2KiB| | | | | Debug| 1| Yes| 139728| 857174| 65.2% 71.9KiB| -7.13%| +3.45%| -13.6%| | Debug| 2| No| 136508| 717383| 70.6% 79.1KiB| | | | | Debug| 2| Yes| 126848| 771214| 67.6% 69.0KiB| -7.08%| +7.50%| -12.77%| | Debug| 3| No| 196944| 801755|80.8% 138.5KiB| | | | | Debug| 3| Yes| 128576| 852571| 68.4% 71.2KiB| -34.71%| +6.33%| -48.59%| | Debug| "s"| No| 121396| 685952| 64.7% 62.2KiB| | | | | Debug| "s"| Yes| 112180| 732091| 60.9% 52.8KiB| -7.59%| +6.73%| -12.64%| | Debug| "z"| No| 124028| 716984| 63.2% 61.2KiB| | | | | Debug| "z"| Yes| 112532| 859824| 58.3% 49.8KiB| -9.27%| +19.92%| -18.62%| |Release| 1| No| 111640| 694665| 61.8% 59.3KiB| | | | |Release| 1| Yes| 99444| 744662| 56.2% 47.1KiB| -12.26%| +7.20%| -20.57%| |Release| 2| No| 91116| 785331| 71.4% 59.1KiB| | | | |Release| 2| Yes| 79992| 775112| 67.0% 48.1KiB| -12.21%| -1.30%| -18.61%| |Release| 3| No| 149816| 825196|84.5% 118.6KiB| | | | |Release| 3| Yes| 79848| 864777| 69.8% 50.2KiB| -46.70%| +4.80%| -57.67%| |Release| "s"| No| 73420| 659434| 67.3% 44.0KiB| | | | |Release| "s"| Yes| 62788| 703593| 61.1% 33.5KiB| -14.48%| +6.70%| -23.86%| |Release| "z"| No| 84700| 766108| 40.6% 28.6KiB| | | | |Release| "z"| Yes| 72916| 797148| 31.6% 18.6KiB| -13.91%| +4.05%| -34.97%|

An "X" means "USB enumeration timed out, so I couldn't get a measurement".
The cargo bloat field represents the cumulative .text and Size reported by running: cargo bloat --release --example ed22519-bench --filter ed25519_compact [--features=opt_size]".
.text size is in bytes.

Out of curiosity, I also wanted to see what would happen if I used a different opt-level for ed25519_compact compared to the other deps.

`opt-level=3`, `ed25519_compact` `opt-level="s"`

|opt_size?|.text size| uSecs| cargo bloat|.text diff| uSecs diff| bloat diff| |----------|-----------|-------|---------------|----------|------------|------------| | No| 73764| 659047| 66.9% 44.1KiB| | | | | Yes| 63132| 725665| 60.7% 33.7KiB| -14.41%| +10.11%| -23.58%|

`opt-level="s"`, `ed25519_compact` `opt-level="z"`

|opt_size?|.text size| uSecs| cargo bloat|.text diff| uSecs diff| bloat diff| |----------|-----------|-------|---------------|----------|------------|------------| | No| 72272| 672932| 66.1% 42.2KiB| | | | | Yes| 60504| 803764| 58.6% 30.6KiB| -16.28%| +19.44%| -27.49%|

My takeaway from these results is that the opt-size feature can be a net-win for time and space, but you need to do benchmarks to be sure. opt-level=3 does not appear to be a good idea for constrained environments period.

Benchmark Code

I provide this for completeness only, I suggest using a project template and paste the below code into it.

Source

#![no_std]
#![no_main]

use core::fmt::{self, Write};

use adafruit_feather_rp2040 as bsp;
use bsp::hal::{self,
    clocks::init_clocks_and_plls,
    pac,
    watchdog::Watchdog,
};
use cortex_m_rt::entry;
use defmt::*;
use defmt_rtt as _;
use ed25519_compact::{KeyPair, Seed, Noise};
use getrandom::register_custom_getrandom;
use panic_probe as _;
use usb_device::{class_prelude::*, prelude::*};
use usbd_serial::SerialPort;

static mut STATE: u8 = 0;
// Safety: No interrupts are used in this demo- single-threaded.
pub fn dummy_rng(buf: &mut [u8]) -> Result<(), getrandom::Error> {
    let mut iter_u8 = unsafe { STATE };

    for b in buf {
        *b = iter_u8;
        iter_u8 += 1;
    }

    // Doesn't work... why?
    // (unsafe { STATE }) = iter_u8;
    unsafe { STATE = iter_u8 };
    Ok(())
}

register_custom_getrandom!(dummy_rng);

// Slices don't implement fmt::Write, so use a newtype just for this application.
struct NumFormatter32([u8; 10]);

impl fmt::Write for NumFormatter32 {
    fn write_str(&mut self, s: &str) -> fmt::Result {
        if s.len() > 10 {
            Err(fmt::Error)
        } else {
            let bytes = s.as_bytes();
            let correct_size_slice = &mut self.0[..s.len()];

            correct_size_slice.copy_from_slice(bytes);
            Ok(())
        }
    }
}

#[entry]
fn main() -> ! {
    // info!("Program start");
    let mut pac = pac::Peripherals::take().unwrap();
    let mut watchdog = Watchdog::new(pac.WATCHDOG);

    // External high-speed crystal on the pico board is 12Mhz
    let external_xtal_freq_hz = 12_000_000u32;
    let clocks = init_clocks_and_plls(
        external_xtal_freq_hz,
        pac.XOSC,
        pac.CLOCKS,
        pac.PLL_SYS,
        pac.PLL_USB,
        &mut pac.RESETS,
        &mut watchdog,
    )
    .ok()
    .unwrap();

    // Set up the USB driver
    let usb_bus = UsbBusAllocator::new(hal::usb::UsbBus::new(
        pac.USBCTRL_REGS,
        pac.USBCTRL_DPRAM,
        clocks.usb_clock,
        true,
        &mut pac.RESETS,
    ));

    // Set up the USB Communications Class Device driver
    let mut serial = SerialPort::new(&usb_bus);

    // Create a USB device with a fake VID and PID
    let mut usb_dev = UsbDeviceBuilder::new(&usb_bus, UsbVidPid(0x16c0, 0x27dd))
        .manufacturer("Fake company")
        .product("Serial port")
        .serial_number("TEST")
        .device_class(2) // from: https://www.usb.org/defined-class-codes
        .build();

    let timer = hal::Timer::new(pac.TIMER, &mut pac.RESETS);
    let start = timer.get_counter();

    // A message to sign and verify.
    let message = b"test";

    // Generates a new key pair using a random seed.
    // A given seed will always produce the same key pair.
    let key_pair = KeyPair::from_seed(Seed::default());

    // Computes a signature for this message using the secret part of the key pair.
    let signature = key_pair.sk.sign(message, Some(Noise::default()));

    // Verifies the signature using the public part of the key pair.
    crate::assert!(key_pair.pk.verify(message, &signature).is_ok());

    let end = timer.get_counter();

    let mut formatted_num = NumFormatter32([0; 10]);
    let _ = core::write!(&mut formatted_num, "{}", end - start);

    // We are done! Init USB and write results. Yes, this is a hack!
    let mut wrote_msg = false;
    loop {
        usb_dev.poll(&mut [&mut serial]);

        if !wrote_msg && timer.get_counter() >= 2_000_000 {
            wrote_msg = true;
            serial.write(b"ed22519 test took ").unwrap();
            serial.write(&formatted_num.0).unwrap();
            serial.write(b" cycles \r\n").unwrap();
        }
    }
}

`Cargo.toml` Deps

[dependencies]
cortex-m = "0.7.3"
cortex-m-rt = "0.7.0"
embedded-hal = { version = "0.2.5", features=["unproven"] }
embedded-time = "0.12.0"

defmt = "0.3.0"
defmt-rtt = "0.3.0"
panic-probe = { version = "0.3.0", features = ["print-defmt"] }
adafruit-feather-rp2040  = "0.1.0"
usb-device= "0.2.8"
usbd-serial = "0.1.1"
usbd-hid = "0.5.1"
getrandom = { version = "0.2.4", features=["custom"] }
ed25519-compact = { version = "1.0.11", default_features = false, features=["random"], path = "C:\\msys64\\home\\William\\Projects\\MSP430\\rust-ed25519-compact"}

[features]
opt_size = ["ed25519-compact/opt_size"]

opened Feb 24, 2022 by cr1901 1

Closed

Fixed a recursive invocation of Debug::fmt

The implementation of Debug::fmt in Signature was recursive, since format_args!("{:x?}", self) calls fmt.

This can be tested by running

let kp = ed25519_compact::KeyPair::from_seed([42u8; 32].into());
let message = b"Hello, World!";
let signature = kp.sk.sign(message, None);
dbg!(&signature);

opened Jan 18, 2022 by raphaelahrens 1

Open

Added the serde_support feature

This change adds the serde_support feature, which when enabled adds Serialize and Deserialize implementations for

KeyPair,
SecretKey,
PublicKey, and
Signature

The Serialization is done manual, because of the of the large Size of the bytes array in SecretKey (64) and Signature (64) and for consistency also for PublicKey. All these Types are serialized to a NeytypeStruct holding a bytes array. While the NewtypeStruct should be ignored by the Serializer implementations

Serializers are encouraged to treat newtype structs as insignificant wrappers around the data they contain. A reasonable implementation would be to forward to value.serialize(self).

But not all do.

Only KeyPair uses the derive macro.

opened Jan 24, 2022 by raphaelahrens 1

Open

Adding a serde feature for PublicKey, SecretKey and KeyPair

Hi,

would you be open to the idea of adding a feature for serde serialization to the crate?

opened Jan 16, 2022 by raphaelahrens 2

ed25519-dalek - Fast and efficient ed25519 EdDSA key generations, signing, and verification in pure Rust

A simple boilerplate to get WebAssembly (WASM) code generated by Rust and bundled by Webpack!

wasm-pack — 📦 ✨ pack up the wasm and publish it to npm!

An SSH key pair generator. Supports generating RSA and Ed25519 keys.

swc node binding use wasm

wasm-tracing-allocator - A global allocator for Wasm that traces allocations and deallocations for debugging purposes

:sparkles: WASM webpack loader

wasm-bindgen — A project for facilitating high-level interactions between wasm modules and JS.

serde-wasm-bindgen - Native Serde adapter for wasm-bindgen

The Rocket game, now compiling to WASM

WASM-PDF – Generates PDF files with JavaScript and WASM (WebAssembly)

📦✨ your favorite rust -> wasm workflow tool!

small demo using OPA's Wasm modules in the browser

An Experimental WASM Virtual Machine for Gophers

yubihsm - Pure Rust client for YubiHSM2 devices with support for HTTP and USB-based access to the device. Supports most HSM functionality including ECDSA, Ed25519, HMAC, and RSA.

A toy Fuzzer for wasm fuzzing based on fuzzilli

zero — zero-allocation parsing of binary data

Vim editor embedded in your React web application

An example of how you can fully integrate wasm into a webpage. No need for fetching or any of that jazz.

Experimental wasm linker

🗜 WebAssembly compiled Brotli library

Share this repo

Related Repos

Security tools

115

Cross platform community web fingerprint identification tool

Security tools

175

A fast and secure multi protocol honeypot.

A fast and secure multi protocol honeypot that can mimic realistic devices running ssh, telnet, http, https or any other tcp and udp servers.

Security tools

179

A fast tool to scan client-side prototype pollution vulnerability written in Rust. 🦀

Security tools

🔐 Encrypts all the Serialize.

Security tools

Sealed boxes implementation for Rust/WebAssembly.

Security tools

465

Source project for the Internet Computer software

The Internet Computer is the world’s first blockchain that runs at web speed and can increase its capacity without bound. Like the Internet (which is composed of many machines adhering to TCP/IP protocol) and blockchain protocols (such as Bitcoin and Ethereum).

Security tools

648

Bloom is an open source and privacy-focused productivity suite

Bloom is an open source and privacy-focused productivity suite: Inbox, Calendar, Files, Contacts & much more. It's literally the easiest way to de-Google your life and business.

Security tools

Windows shellcode development in Rust

Windows shellcode project is located in shellcode/, it can build into a PE file with only .text section and has no external dependencies.

Security tools

A tool that uses the credentials stored in 1password as an environment variable.

Security tools

Veracruz: privacy-preserving collaborative compute

Veracruz is a framework for defining and deploying collaborative, privacy-preserving computations amongst a group of mutually mistrusting individuals.

Security tools

stegbrute is a fast steganography brute force tool written in Rust

stegbrute is a fast steganography brute force tool written in Rust using also threads to achieve a faster execution

Security tools

Rye is a minimal, x86-64-only experiment into adding fibers to Rust.

Security tools

Concrete is a fully homomorphic encryption (FHE) library that implements Zama's variant of...

Concrete is a fully homomorphic encryption (FHE) library that implements Zama's variant of TFHE. Concrete is based on the Learning With Errors (LWE) problem and on the Ring Learning With Errors (RLWE) problem, which are well studied cryptographic hardness assumptions believed to be secure even against quantum computers.