General Improvements (facebook#268)

* Move `elliptic-curve` implementation to points to allow `Zeroize`

* Simplify `Ristretto255::random_scalar` implementation

* Fix `Ristretto255` deserialization

* Remove unnecessary check in `Ristretto255::random_scalar`

* Base `X25519` implementation on `curve25519-dalek`

* Constrain public and secret key to `Copy`

* Replace manual `ZeroizeOnDrop` implementation with `derive`

* Update dependencies

* Add `warn(unused_crate_dependencies)`

* Sync crate feature naming with `voprf`

* Remove unnecessary dependency crate features

* Never produce a zero scalar

* Rename `OprfGroup` to `OprfCs`

* Rename `TripleDH` to `TripleDh`

* Remove `slow-hash` crate feature

* Rename `NoOpHash` to `Identity`

* Rename `SlowHash` to `Ksf`

* Move `KeyExchange` type definitions down

* Deserialize secret and public keys from slices

* Remove `PrivateKey::from_bytes`

* Rename `From/ToBytes` to `De/Serialize`

* Re-export `serde_` as `serde`

* Custom `De/Serialize` implementation for keys

* Remove custom `De/Serialize` implementation

* Run Taplo v0.6

Author: daxpedda

.github/workflows/main.yml

@@ -13,16 +13,16 @@ jobs:
       fail-fast: false
       matrix:
         backend_feature:
-          - --features ristretto255_u64,ristretto255_voprf
-          - --features ristretto255_u32,ristretto255_voprf
-          - 
-          - --features x25519_u64,ristretto255_u64,ristretto255_voprf
-          - --features x25519_u32,ristretto255_u32,ristretto255_voprf
-          - --features x25519_u64
-          - --features x25519_u32
+          - --features ristretto255-u64,ristretto255-voprf
+          - --features ristretto255-u32,ristretto255-voprf
+          -
+          - --features x25519-u64,ristretto255-u64,ristretto255-voprf
+          - --features x25519-u32,ristretto255-u32,ristretto255-voprf
+          - --features x25519-u64
+          - --features x25519-u32
         frontend_feature:
-          - 
-          - --features slow-hash
+          -
+          - --features argon2
           - --features serde
         toolchain:
           - stable
@@ -61,13 +61,13 @@ jobs:
           # 32-bit x86
           - i686-unknown-linux-gnu
         backend_feature:
-          - --features ristretto255_u64,ristretto255_voprf
-          - --features ristretto255_u32,ristretto255_voprf
-          - 
-          - x25519_u64,ristretto255_u64,ristretto255_voprf
-          - x25519_u32,ristretto255_u64,ristretto255_voprf
-          - x25519_u64
-          - x25519_u32
+          - --features ristretto255-u64,ristretto255-voprf
+          - --features ristretto255-u32,ristretto255-voprf
+          -
+          - x25519-u64,ristretto255-u64,ristretto255-voprf
+          - x25519-u32,ristretto255-u64,ristretto255-voprf
+          - x25519-u64
+          - x25519-u32
     steps:
       - uses: actions/checkout@v2
       - uses: hecrj/setup-rust-action@v1
@@ -135,15 +135,15 @@ jobs:
           # for any no_std target
           - thumbv6m-none-eabi
         backend_feature:
-          - ristretto255_u64,ristretto255_voprf
-          - ristretto255_u32,ristretto255_voprf
-          - 
-          - x25519_u64,ristretto255_u64,ristretto255_voprf
-          - x25519_u32,ristretto255_u32,ristretto255_voprf
-          - x25519_u64
-          - x25519_u32
+          - ristretto255-u64,ristretto255-voprf
+          - ristretto255-u32,ristretto255-voprf
+          -
+          - x25519-u64,ristretto255-u64,ristretto255-voprf
+          - x25519-u32,ristretto255-u32,ristretto255-voprf
+          - x25519-u64
+          - x25519-u32
         frontend_feature:
-          - slow-hash
+          - argon2
           - serde
     steps:
       - uses: actions/checkout@v2
@@ -158,13 +158,13 @@ jobs:
       fail-fast: false
       matrix:
         backend_feature:
-          - --features ristretto255_u64,ristretto255_voprf
-          - --features ristretto255_u32,ristretto255_voprf
-          - 
-          - --features x25519_u64,ristretto255_u64,ristretto255_voprf
-          - --features x25519_u32,ristretto255_u32,ristretto255_voprf
-          - --features x25519_u32
-          - --features x25519_u32
+          - --features ristretto255-u64,ristretto255-voprf
+          - --features ristretto255-u32,ristretto255-voprf
+          -
+          - --features x25519-u64,ristretto255-u64,ristretto255-voprf
+          - --features x25519-u32,ristretto255-u32,ristretto255-voprf
+          - --features x25519-u32
+          - --features x25519-u32
     steps:
       - name: Checkout sources
         uses: actions/checkout@v2
@@ -201,15 +201,15 @@ jobs:
         uses: actions-rs/cargo@v1
         with:
           command: clippy
-          args: --all-targets --features slow-hash,std,x25519_u64 -- -D warnings
+          args: --all-targets --features argon2,std,x25519-u64 -- -D warnings
 
       - name: Run cargo doc
         uses: actions-rs/cargo@v1
         env:
           RUSTDOCFLAGS: -D warnings
         with:
           command: doc
-          args: --no-deps --document-private-items --features slow-hash,std,x25519_u64
+          args: --no-deps --document-private-items --features argon2,std,x25519-u64
 
   format:
     name: cargo fmt

Cargo.toml

@@ -12,42 +12,33 @@ rust-version = "1.57"
 version = "2.0.0-pre.1"
 
 [features]
-default = ["ristretto255_u64", "ristretto255_voprf", "serde"]
+default = ["ristretto255-u64", "ristretto255-voprf", "serde"]
 ristretto255 = ["curve25519-dalek", "voprf/ristretto255"]
-ristretto255_fiat_u32 = ["curve25519-dalek/fiat_u32_backend", "ristretto255"]
-ristretto255_fiat_u64 = ["curve25519-dalek/fiat_u64_backend", "ristretto255"]
-ristretto255_simd = ["curve25519-dalek/simd_backend", "ristretto255"]
-ristretto255_u32 = ["curve25519-dalek/u32_backend", "ristretto255"]
-ristretto255_u64 = ["curve25519-dalek/u64_backend", "ristretto255"]
-ristretto255_voprf = ["ristretto255", "voprf/ristretto255-ciphersuite"]
+ristretto255-fiat-u32 = ["curve25519-dalek/fiat_u32_backend", "ristretto255"]
+ristretto255-fiat-u64 = ["curve25519-dalek/fiat_u64_backend", "ristretto255"]
+ristretto255-simd = ["curve25519-dalek/simd_backend", "ristretto255"]
+ristretto255-u32 = ["curve25519-dalek/u32_backend", "ristretto255"]
+ristretto255-u64 = ["curve25519-dalek/u64_backend", "ristretto255"]
+ristretto255-voprf = ["ristretto255", "voprf/ristretto255-ciphersuite"]
 serde = ["serde_", "generic-array/serde", "voprf/serde"]
-slow-hash = ["argon2"]
-std = ["getrandom", "rand/std", "rand/std_rng", "voprf/std"]
-x25519 = ["curve25519-dalek-3"]
-x25519_fiat_u32 = ["x25519", "x25519-dalek/fiat_u32_backend"]
-x25519_fiat_u64 = ["x25519", "x25519-dalek/fiat_u64_backend"]
-# x25519-dalek isn't properly re-exposing `simd_backend`.
-x25519_simd = [
-  "curve25519-dalek-3/simd_backend",
-  "x25519",
-  "x25519-dalek/nightly",
-]
-x25519_u32 = ["x25519", "x25519-dalek/u32_backend"]
-x25519_u64 = ["x25519", "x25519-dalek/u64_backend"]
+std = ["getrandom"]
+x25519 = ["curve25519-dalek"]
+x25519-fiat-u32 = ["curve25519-dalek/fiat_u32_backend", "x25519"]
+x25519-fiat-u64 = ["curve25519-dalek/fiat_u64_backend", "x25519"]
+x25519-simd = ["curve25519-dalek/simd_backend", "x25519"]
+x25519-u32 = ["curve25519-dalek/u32_backend", "x25519"]
+x25519-u64 = ["curve25519-dalek/u64_backend", "x25519"]
 
 [dependencies]
-argon2 = { version = "0.3", default-features = false, features = [
+argon2 = { version = "0.4", default-features = false, features = [
   "alloc",
 ], optional = true }
-constant_time_eq = "0.1"
 curve25519-dalek = { version = "=4.0.0-pre.1", default-features = false, optional = true }
-curve25519-dalek-3 = { version = "3", package = "curve25519-dalek", default-features = false, optional = true }
 derive-where = { version = "=1.0.0-rc.3", features = ["zeroize-on-drop"] }
 digest = "0.10"
 displaydoc = { version = "0.2", default-features = false }
 elliptic-curve = { version = "0.12.0-pre.1", features = ["hash2curve", "sec1"] }
 generic-array = "0.14"
-getrandom = { version = "0.2", optional = true }
 hkdf = "0.12"
 hmac = "0.12"
 rand = { version = "0.8", default-features = false }
@@ -56,20 +47,17 @@ serde_ = { version = "1", package = "serde", default-features = false, features
 ], optional = true }
 subtle = { version = "2.3", default-features = false }
 voprf = { version = "0.3", default-features = false, features = ["danger"] }
-x25519-dalek = { version = "=2.0.0-pre.1", default-features = false, optional = true }
-zeroize = { version = "1", features = ["zeroize_derive"] }
+zeroize = { version = "1.5", features = ["zeroize_derive"] }
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 getrandom = { version = "0.2", features = ["js"], optional = true }
 
 [dev-dependencies]
-base64 = "0.13"
 bincode = "1"
-chacha20poly1305 = "0.9"
+chacha20poly1305 = "=0.10.0-pre"
 criterion = "0.3"
 hex = "0.4"
 json = "0.12"
-lazy_static = "1"
 p256 = { version = "=0.11.0-pre.0", default-features = false, features = [
   "hash2curve",
   "voprf",
@@ -79,19 +67,14 @@ rand = "0.8"
 regex = "1"
 rustyline = "9"
 serde_json = "1"
-sha2 = "0.10"
 
 [[bench]]
 harness = false
 name = "opaque"
 
 [package.metadata.docs.rs]
-features = ["std", "slow-hash", "x25519_u64"]
+features = ["argon2", "std", "x25519-u64"]
 targets = []
 
 [patch.crates-io]
-chacha20 = { git = "https://github.com/RustCrypto/stream-ciphers" }
-chacha20poly1305 = { git = "https://github.com/khonsulabs/aeads", branch = "update-dependencies" }
-derive-where = { git = "https://github.com/ModProg/derive-where" }
-poly1305 = { git = "https://github.com/RustCrypto/universal-hashes" }
 voprf = { git = "https://github.com/khonsulabs/voprf", branch = "v08" }

benches/opaque.rs

@@ -12,33 +12,33 @@ use criterion::Criterion;
 use opaque_ke::*;
 use rand::rngs::OsRng;
 
-#[cfg(feature = "ristretto255_u64")]
-static SUFFIX: &str = "ristretto255_u64";
-#[cfg(feature = "ristretto255_u32")]
-static SUFFIX: &str = "ristretto255_u32";
-#[cfg(feature = "ristretto255_fiat_u64")]
-static SUFFIX: &str = "ristretto255_fiat_u64";
-#[cfg(feature = "ristretto255_fiat_u32")]
-static SUFFIX: &str = "ristretto255_fiat_u32";
+#[cfg(feature = "ristretto255-u64")]
+static SUFFIX: &str = "ristretto255-u64";
+#[cfg(feature = "ristretto255-u32")]
+static SUFFIX: &str = "ristretto255-u32";
+#[cfg(feature = "ristretto255-fiat-u64")]
+static SUFFIX: &str = "ristretto255-fiat-u64";
+#[cfg(feature = "ristretto255-fiat-u32")]
+static SUFFIX: &str = "ristretto255-fiat-u32";
 #[cfg(all(not(feature = "ristretto255")))]
 static SUFFIX: &str = "p256";
 
 struct Default;
 
 #[cfg(feature = "ristretto255")]
 impl CipherSuite for Default {
-    type OprfGroup = opaque_ke::Ristretto255;
+    type OprfCs = opaque_ke::Ristretto255;
     type KeGroup = opaque_ke::Ristretto255;
-    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDH;
-    type SlowHash = opaque_ke::slow_hash::NoOpHash;
+    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDh;
+    type Ksf = opaque_ke::ksf::Identity;
 }
 
 #[cfg(not(feature = "ristretto255"))]
 impl CipherSuite for Default {
-    type OprfGroup = p256::NistP256;
+    type OprfCs = p256::NistP256;
     type KeGroup = p256::NistP256;
-    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDH;
-    type SlowHash = opaque_ke::slow_hash::NoOpHash;
+    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDh;
+    type Ksf = opaque_ke::ksf::Identity;
 }
 
 fn server_setup(c: &mut Criterion) {

examples/digital_locker.rs

@@ -49,18 +49,18 @@ struct Default;
 
 #[cfg(feature = "ristretto255")]
 impl CipherSuite for Default {
-    type OprfGroup = opaque_ke::Ristretto255;
+    type OprfCs = opaque_ke::Ristretto255;
     type KeGroup = opaque_ke::Ristretto255;
-    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDH;
-    type SlowHash = opaque_ke::slow_hash::NoOpHash;
+    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDh;
+    type Ksf = opaque_ke::ksf::Identity;
 }
 
 #[cfg(not(feature = "ristretto255"))]
 impl CipherSuite for Default {
-    type OprfGroup = p256::NistP256;
+    type OprfCs = p256::NistP256;
     type KeGroup = p256::NistP256;
-    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDH;
-    type SlowHash = opaque_ke::slow_hash::NoOpHash;
+    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDh;
+    type Ksf = opaque_ke::ksf::Identity;
 }
 
 struct Locker {

examples/simple_login.rs

@@ -43,18 +43,18 @@ struct Default;
 
 #[cfg(feature = "ristretto255")]
 impl CipherSuite for Default {
-    type OprfGroup = opaque_ke::Ristretto255;
+    type OprfCs = opaque_ke::Ristretto255;
     type KeGroup = opaque_ke::Ristretto255;
-    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDH;
-    type SlowHash = opaque_ke::slow_hash::NoOpHash;
+    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDh;
+    type Ksf = opaque_ke::ksf::Identity;
 }
 
 #[cfg(not(feature = "ristretto255"))]
 impl CipherSuite for Default {
-    type OprfGroup = p256::NistP256;
+    type OprfCs = p256::NistP256;
     type KeGroup = p256::NistP256;
-    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDH;
-    type SlowHash = opaque_ke::slow_hash::NoOpHash;
+    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDh;
+    type Ksf = opaque_ke::ksf::Identity;
 }
 
 // Password-based registration between a client and server

src/ciphersuite.rs

@@ -15,17 +15,14 @@ use generic_array::typenum::{IsLess, IsLessOrEqual, Le, NonZero, U256};
 use crate::hash::{Hash, ProxyHash};
 use crate::key_exchange::group::KeGroup;
 use crate::key_exchange::traits::KeyExchange;
-use crate::slow_hash::SlowHash;
+use crate::ksf::Ksf;
 
 /// Configures the underlying primitives used in OPAQUE
-/// * `OprfGroup`: a finite cyclic group along with a point representation,
-///   along with an extension trait PasswordToCurve that allows some
-///   customization on how to hash a password to a curve point. See
-///   `group::Group`.
+/// * `OprfCs`: A VOPRF ciphersuite, see [`voprf::CipherSuite`].
 /// * `KeGroup`: A `Group` used for the `KeyExchange`.
 /// * `KeyExchange`: The key exchange protocol to use in the login step
 /// * `Hash`: The main hashing function to use
-/// * `SlowHash`: A slow hashing function, typically used for password hashing
+/// * `Ksf`: A key stretching function, typically used for password hashing
 pub trait CipherSuite
 where
     <OprfHash<Self> as OutputSizeUser>::OutputSize:
@@ -35,17 +32,15 @@ where
     <<OprfHash<Self> as CoreProxy>::Core as BlockSizeUser>::BlockSize: IsLess<U256>,
     Le<<<OprfHash<Self> as CoreProxy>::Core as BlockSizeUser>::BlockSize, U256>: NonZero,
 {
-    /// A finite cyclic group along with a point representation along with an
-    /// extension trait PasswordToCurve that allows some customization on how to
-    /// hash a password to a curve point. See `group::Group`.
-    type OprfGroup: voprf::CipherSuite;
+    /// A VOPRF ciphersuite, see [`voprf::CipherSuite`].
+    type OprfCs: voprf::CipherSuite;
     /// A `Group` used for the `KeyExchange`.
     type KeGroup: KeGroup;
     /// A key exchange protocol
     type KeyExchange: KeyExchange<OprfHash<Self>, Self::KeGroup>;
-    /// A slow hashing function, typically used for password hashing
-    type SlowHash: SlowHash;
+    /// A key stretching function, typically used for password hashing
+    type Ksf: Ksf;
 }
 
-pub(crate) type OprfGroup<CS> = <<CS as CipherSuite>::OprfGroup as voprf::CipherSuite>::Group;
-pub(crate) type OprfHash<CS> = <<CS as CipherSuite>::OprfGroup as voprf::CipherSuite>::Hash;
+pub(crate) type OprfGroup<CS> = <<CS as CipherSuite>::OprfCs as voprf::CipherSuite>::Group;
+pub(crate) type OprfHash<CS> = <<CS as CipherSuite>::OprfCs as voprf::CipherSuite>::Hash;