Bump k256 version and use the new functionality

.github/workflows/umbral-pre.yml

@@ -25,7 +25,7 @@ jobs:
  strategy:
  matrix:
  rust:
- - 1.51.0 # MSRV
+ - 1.56.0 # MSRV
  - stable
  target:
  - wasm32-unknown-unknown
@@ -45,7 +45,7 @@ jobs:
  strategy:
  matrix:
  rust:
- - 1.51.0 # MSRV
+ - 1.56.0 # MSRV
  - stable
  target:
  - thumbv7em-none-eabi
@@ -65,7 +65,7 @@ jobs:
  strategy:
  matrix:
  rust:
- - 1.51.0 # MSRV
+ - 1.56.0 # MSRV
  - stable
  steps:
  - uses: actions/checkout@v2
@@ -81,7 +81,7 @@ jobs:
  matrix:
  include:
  - target: x86_64-unknown-linux-gnu
- rust: 1.51.0 # MSRV
+ rust: 1.56.0 # MSRV
  - target: x86_64-unknown-linux-gnu
  rust: stable
 

.github/workflows/workspace.yml

@@ -23,7 +23,7 @@ jobs:
  - uses: actions/checkout@v1
  - uses: actions-rs/toolchain@v1
  with:
- toolchain: 1.51.0 # MSRV
+ toolchain: 1.56.0 # MSRV
  components: clippy
  override: true
  profile: minimal

CHANGELOG.md

@@ -6,7 +6,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-Nothing here yet.
+### Changed
+
+- `k256` dependency bumped to 0.10 (and to match it, `chacha20poly1305` to 0.9, `elliptic-curve` to 0.11, `ecdsa` to 0.13, `signature` to 1.4, MSRV to 1.56, and Rust edition to 2021). ([#87])
+- ABI changed because of the internal change in hashing to scalars (we can hash to non-zero scalars now). Correspondingly, `OpenReencryptedError::ZeroHash` and `SecretKeyFactoryError` have been removed, and `SecretKeyFactory::make_key()` was made infallible. ([#87])
+
+
+### Fixed
+
+- Some previously missed potentially secret values are zeroized in drop. ([#87])
+
+
+[#87]: https://github.com/nucypher/rust-umbral/pull/87
 
 
 ## [0.4.0] - 2021-12-24

Cargo.toml

@@ -4,7 +4,3 @@ members = [
  "umbral-pre-wasm",
  "umbral-pre-python",
 ]
-
-# Prevents feature conflicts between [dependencies] and [dev-dependencies]
-# Will be the default in 2021 edition.
-resolver = "2"

umbral-pre-python/Cargo.toml

@@ -2,7 +2,7 @@
 name = "umbral-pre-python"
 authors = ["Bogdan Opanchuk <bogdan@opanchuk.net>"]
 version = "0.4.0"
-edition = "2018"
+edition = "2021"
 
 [lib]
 crate-type = ["cdylib"]

umbral-pre-wasm/Cargo.toml

@@ -2,7 +2,7 @@
 name = "umbral-pre-wasm"
 version = "0.4.0"
 authors = ["Bogdan Opanchuk <bogdan@opanchuk.net>"]
-edition = "2018"
+edition = "2021"
 license = "GPL-3.0-only"
 description = "Implementation of Umbral proxy reencryption algorithm"
 repository = "https://github.com/nucypher/rust-umbral/tree/master/umbral-pre-wasm"

umbral-pre-wasm/src/lib.rs

@@ -84,8 +84,8 @@ impl SecretKeyFactory {
  }
 
  #[wasm_bindgen(js_name = makeKey)]
- pub fn make_key(&self, label: &[u8]) -> Result<SecretKey, JsValue> {
- self.0.make_key(label).map(SecretKey).map_err(map_js_err)
+ pub fn make_key(&self, label: &[u8]) -> SecretKey {
+ SecretKey(self.0.make_key(label))
  }
 
  #[wasm_bindgen(js_name = makeFactory)]

umbral-pre/Cargo.toml

@@ -2,17 +2,17 @@
 name = "umbral-pre"
 version = "0.4.0"
 authors = ["Bogdan Opanchuk <bogdan@opanchuk.net>"]
-edition = "2018"
+edition = "2021"
 license = "GPL-3.0-only"
 description = "Implementation of Umbral proxy reencryption algorithm"
 repository = "https://github.com/nucypher/rust-umbral/tree/master/umbral-pre"
 readme = "README.md"
 categories = ["cryptography", "no-std"]
 
 [dependencies]
-k256 = { version = "0.9", default-features = false, features = ["ecdsa", "arithmetic", "zeroize"] }
+k256 = { version = "0.10.1", default-features = false, features = ["ecdsa", "arithmetic"] }
 sha2 = { version = "0.9", default-features = false }
-chacha20poly1305 = { version = "0.8", features = ["xchacha20poly1305"] }
+chacha20poly1305 = { version = "0.9" }
 hkdf = { version = "0.11", default-features = false }
 hex = { version = "0.4", default-features = false, features = ["alloc"] }
 serde = { version = "1", default-features = false, optional = true }
@@ -21,12 +21,12 @@ pyo3 = { version = "0.15", optional = true }
 
 # These packages are among the dependencies of the packages above.
 # Their versions should be updated when the main packages above are updated.
-elliptic-curve = { version = "0.10", features = ["zeroize"] }
+elliptic-curve = { version = "0.11" }
 digest = "0.9"
 generic-array = "0.14"
-aead = { version = "0.4", features = ["heapless"] }
-ecdsa = { version = "0.12.2", features = ["zeroize"] }
-signature = { version = "1.3", default-features = false }
+aead = { version = "0.4", default-features = false }
+ecdsa = { version = "0.13" }
+signature = { version = "1.4", default-features = false }
 rand_core = { version = "0.6", default-features = false }
 typenum = "1.13" # typenum is a 2018-edition crate starting from 1.13
 getrandom = { version = "0.2", optional = true, default-features = false, features = ["js"] }

umbral-pre/src/bindings_python.rs

@@ -194,13 +194,10 @@ impl SecretKeyFactory {
  .map_err(|err| PyValueError::new_err(format!("{}", err)))
  }
 
- pub fn make_key(&self, label: &[u8]) -> PyResult<SecretKey> {
- self.backend
- .make_key(label)
- .map(|backend_sk| SecretKey {
- backend: backend_sk,
- })
- .map_err(|err| PyValueError::new_err(format!("{}", err)))
+ pub fn make_key(&self, label: &[u8]) -> SecretKey {
+ SecretKey {
+ backend: self.backend.make_key(label),
+ }
  }
 
  pub fn make_factory(&self, label: &[u8]) -> Self {

umbral-pre/src/capsule.rs

@@ -10,7 +10,7 @@ use typenum::op;
 use crate::serde::{serde_deserialize, serde_serialize, Representation};
 
 use crate::capsule_frag::CapsuleFrag;
-use crate::curve::{CurvePoint, CurveScalar};
+use crate::curve::{CurvePoint, CurveScalar, NonZeroCurveScalar};
 use crate::hashing_ds::{hash_capsule_points, hash_to_polynomial_arg, hash_to_shared_secret};
 use crate::keys::{PublicKey, SecretKey};
 use crate::params::Parameters;
@@ -33,9 +33,6 @@ pub enum OpenReencryptedError {
  MismatchedCapsuleFrags,
  /// Some of the given capsule fragments are repeated.
  RepeatingCapsuleFrags,
- /// An internally hashed value is zero.
- /// See [rust-umbral#39](https://github.com/nucypher/rust-umbral/issues/39).
- ZeroHash,
  /// Internal validation of the result has failed.
  /// Can be caused by an incorrect (possibly modified) capsule
  /// or some of the capsule fragments.
@@ -48,8 +45,6 @@ impl fmt::Display for OpenReencryptedError {
  Self::NoCapsuleFrags => write!(f, "Empty CapsuleFrag sequence"),
  Self::MismatchedCapsuleFrags => write!(f, "CapsuleFrags are not pairwise consistent"),
  Self::RepeatingCapsuleFrags => write!(f, "Some of the CapsuleFrags are repeated"),
- // Will be removed when #39 is fixed
- Self::ZeroHash => write!(f, "An internally hashed value is zero"),
  Self::ValidationFailed => write!(f, "Internal validation failed"),
  }
  }
@@ -163,17 +158,18 @@ impl Capsule {
  ) -> (Capsule, SecretBox<KeySeed>) {
  let g = CurvePoint::generator();
 
- let priv_r = CurveScalar::random_nonzero(rng);
- let pub_r = &g * &priv_r;
+ let priv_r = SecretBox::new(NonZeroCurveScalar::random(rng));
+ let pub_r = &g * priv_r.as_secret();
 
- let priv_u = CurveScalar::random_nonzero(rng);
- let pub_u = &g * &priv_u;
+ let priv_u = SecretBox::new(NonZeroCurveScalar::random(rng));
+ let pub_u = &g * priv_u.as_secret();
 
  let h = hash_capsule_points(&pub_r, &pub_u);
 
- let s = &priv_u + &(&priv_r * &h);
+ let s = priv_u.as_secret() + &(priv_r.as_secret() * &h);
 
- let shared_key = SecretBox::new(&delegating_pk.to_point() * &(&priv_r + &priv_u));
+ let shared_key =
+ SecretBox::new(&delegating_pk.to_point() * &(priv_r.as_secret() + priv_u.as_secret()));
 
  let capsule = Self::new(pub_r, pub_u, s);
 
@@ -209,7 +205,7 @@ impl Capsule {
  let dh_point = &precursor * receiving_sk.to_secret_scalar().as_secret();
 
  // Combination of CFrags via Shamir's Secret Sharing reconstruction
- let mut lc = Vec::<CurveScalar>::with_capacity(cfrags.len());
+ let mut lc = Vec::<NonZeroCurveScalar>::with_capacity(cfrags.len());
  for cfrag in cfrags {
  let coeff = hash_to_polynomial_arg(&precursor, &pub_key, &dh_point, &cfrag.kfrag_id);
  lc.push(coeff);
@@ -234,13 +230,7 @@ impl Capsule {
 
  let orig_pub_key = delegating_pk.to_point();
 
- // Have to convert from subtle::CtOption here.
- let inv_d_opt: Option<CurveScalar> = d.invert().into();
- // At the moment we cannot guarantee statically that the digest `d` is non-zero.
- // Technically, it is supposed to be non-zero by the choice of `precursor`,
- // but if is was somehow replaced by an incorrect value,
- // we'd rather fail gracefully than panic.
- let inv_d = inv_d_opt.ok_or(OpenReencryptedError::ZeroHash)?;
+ let inv_d = d.invert();
 
  if &orig_pub_key * &(&s * &inv_d) != &(&e_prime * &h) + &v_prime {
  return Err(OpenReencryptedError::ValidationFailed);
@@ -251,7 +241,7 @@ impl Capsule {
  }
 }
 
-fn lambda_coeff(xs: &[CurveScalar], i: usize) -> Option<CurveScalar> {
+fn lambda_coeff(xs: &[NonZeroCurveScalar], i: usize) -> Option<CurveScalar> {
  let mut res = CurveScalar::one();
  for j in 0..xs.len() {
  if j != i {

umbral-pre/src/capsule_frag.rs

@@ -9,10 +9,11 @@ use typenum::op;
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
 
 use crate::capsule::Capsule;
-use crate::curve::{CurvePoint, CurveScalar};
+use crate::curve::{CurvePoint, CurveScalar, NonZeroCurveScalar};
 use crate::hashing_ds::{hash_to_cfrag_verification, kfrag_signature_message};
 use crate::key_frag::{KeyFrag, KeyFragID};
 use crate::keys::{PublicKey, Signature};
+use crate::secret_box::SecretBox;
 use crate::traits::{
  fmt_public, ConstructionError, DeserializableFromArray, DeserializationError, HasTypeName,
  RepresentableAsArray, SerializableToArray,
@@ -84,7 +85,7 @@ impl CapsuleFragProof {
  let params = capsule.params;
 
  let rk = kfrag.key;
- let t = CurveScalar::random_nonzero(rng);
+ let t = SecretBox::new(NonZeroCurveScalar::random(rng));
 
  // Here are the formulaic constituents shared with `CapsuleFrag::verify()`.
 
@@ -97,15 +98,15 @@ impl CapsuleFragProof {
  let u = params.u;
  let u1 = kfrag.proof.commitment;
 
- let e2 = &e * &t;
- let v2 = &v * &t;
- let u2 = &u * &t;
+ let e2 = &e * t.as_secret();
+ let v2 = &v * t.as_secret();
+ let u2 = &u * t.as_secret();
 
  let h = hash_to_cfrag_verification(&[e, *e1, e2, v, *v1, v2, u, u1, u2]);
 
  ////////
 
- let z3 = &t + &(&rk * &h);
+ let z3 = &(&rk * &h) + t.as_secret();
 
  Self {
  point_e2: e2,