use std::time::Instant;
use lib_q_aead::security::constant_time::constant_time_eq;
use lib_q_aead::security::memory::secure_zero_slice;
use lib_q_aead::security::timing::{
TimingProtection,
protect_timing,
};
use lib_q_aead::security::validation::{
validate_key,
validate_nonce,
};
use lib_q_aead::security::{
SecurityConfig,
SecurityContext,
};
use lib_q_aead::{
AeadKey,
Algorithm,
Nonce,
create_aead,
};
fn main() -> Result<(), Box<dyn std::error::Error>> {
println!("lib-q-aead Security Features Example");
println!("====================================");
let aead = create_aead(Algorithm::Shake256Aead)
.map_err(|e| format!("Failed to create AEAD: {}", e))?;
let key_data = vec![
0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32,
0x10, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE,
0xFF, 0x00,
];
let nonce_data = vec![
0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32,
0x10,
];
let key = AeadKey::new(key_data);
let nonce = Nonce::new(nonce_data);
let plaintext = b"Secure message with constant-time primitives";
let associated_data = b"security metadata";
println!("✓ Created AEAD instance and test data");
println!("\n1. Constant-Time Operation Wrapper");
println!("----------------------------------");
let timing_protection = TimingProtection::strict();
let start = Instant::now();
let protected_result = timing_protection.protect(|| {
std::thread::sleep(std::time::Duration::from_millis(1));
42u8
});
let protected_time = start.elapsed();
assert_eq!(protected_result, 42u8);
println!(
"✓ Local constant-time wrapper elapsed: {:?}",
protected_time
);
println!("\n2. Global Constant-Time Wrapper");
println!("-------------------------------");
let start = Instant::now();
let result = protect_timing(|| {
std::thread::sleep(std::time::Duration::from_millis(1));
7u8
});
let global_protected_time = start.elapsed();
assert_eq!(result, 7u8);
println!(
"✓ Global constant-time wrapper elapsed: {:?}",
global_protected_time
);
let ciphertext = aead.encrypt(&key, &nonce, plaintext, Some(associated_data))?;
let decrypted = aead.decrypt(&key, &nonce, &ciphertext, Some(associated_data))?;
assert_eq!(decrypted, plaintext);
println!("\n3. Security Context");
println!("-------------------");
let security_config = SecurityConfig::strict();
let security_ctx = SecurityContext::with_config(security_config);
println!("✓ Security context created with strict configuration");
println!(
" - Constant time operations: {}",
security_ctx.constant_time_enabled()
);
println!(
" - Side channel protection: {}",
security_ctx.side_channel_protection_enabled()
);
println!(
" - Secure memory: {}",
security_ctx.secure_memory_enabled()
);
println!("\n4. Constant-Time Operations");
println!("---------------------------");
let tag1 = vec![0x01, 0x02, 0x03, 0x04];
let tag2 = vec![0x01, 0x02, 0x03, 0x04];
let tag3 = vec![0x01, 0x02, 0x03, 0x05];
let is_equal = constant_time_eq(&tag1, &tag2);
let is_different = constant_time_eq(&tag1, &tag3);
println!("✓ Constant-time comparison results:");
println!(" - tag1 == tag2: {}", is_equal);
println!(" - tag1 == tag3: {}", is_different);
println!("\n5. Input Validation");
println!("-------------------");
validate_key(key.as_bytes())?;
validate_nonce(nonce.as_bytes())?;
println!("✓ Valid key and nonce passed validation");
let zero_key = vec![0u8; 32];
let all_ones_key = vec![0xFFu8; 32];
let repeated_key = vec![0xABu8; 32];
println!("✓ Testing invalid key rejection:");
match validate_key(&zero_key) {
Ok(_) => println!(" ❌ Zero key should have been rejected"),
Err(_) => println!(" ✓ Zero key correctly rejected"),
}
match validate_key(&all_ones_key) {
Ok(_) => println!(" ❌ All-ones key should have been rejected"),
Err(_) => println!(" ✓ All-ones key correctly rejected"),
}
match validate_key(&repeated_key) {
Ok(_) => println!(" ❌ Repeated pattern key should have been rejected"),
Err(_) => println!(" ✓ Repeated pattern key correctly rejected"),
}
println!("\n6. Secure Memory Handling");
println!("-------------------------");
let mut sensitive_data = vec![0x42u8; 64];
println!("✓ Created sensitive data: {} bytes", sensitive_data.len());
secure_zero_slice(&mut sensitive_data);
let is_zeroed = sensitive_data.iter().all(|&b| b == 0);
println!("✓ Sensitive data securely zeroed: {}", is_zeroed);
println!("\n7. Performance with Security Features");
println!("-------------------------------------");
let iterations = 1000;
let mut total_time = std::time::Duration::new(0, 0);
for _ in 0..iterations {
let start = Instant::now();
let _ = protect_timing(|| aead.encrypt(&key, &nonce, plaintext, Some(associated_data)))?;
total_time += start.elapsed();
}
let avg_time = total_time / iterations as u32;
println!(
"✓ Average time per operation ({} iterations): {:?}",
iterations, avg_time
);
println!(
" - Operations per second: {:.0}",
1_000_000_000.0 / avg_time.as_nanos() as f64
);
println!("\n8. Security Configuration Comparison");
println!("------------------------------------");
let configs = [
("Permissive", SecurityConfig::permissive()),
("Balanced", SecurityConfig::balanced()),
("Strict", SecurityConfig::strict()),
];
for (name, config) in configs.iter() {
let ctx = SecurityContext::with_config(*config);
println!("✓ {} Configuration:", name);
println!(" - Constant time: {}", ctx.constant_time_enabled());
println!(
" - Side channel protection: {}",
ctx.side_channel_protection_enabled()
);
println!(" - Secure memory: {}", ctx.secure_memory_enabled());
println!(
" - Constant-time wrapper: {}",
ctx.timing_protection_enabled()
);
}
println!("\n🎉 All security features demonstrated successfully!");
println!("lib-q-aead provides post-quantum AEAD with constant-time primitives.");
Ok(())
}