libsmx 0.3.0

Pure-Rust, no_std, constant-time SM2/SM3/SM4/SM9 Chinese cryptography (GB/T 32918/32905/32907/38635)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.3.0] - 2025-03-09

### Added

- **rustls CryptoProvider** (`rustls_provider` module, requires `rustls` feature)
  - Full rustls 0.23.x `CryptoProvider` implementation for TLCP (Chinese TLS)
  - `hash.rs`: SM3 `Hash` and `Context` trait implementations
  - `hmac.rs`: SM3 HMAC trait implementation
  - `tls13.rs`: SM4-GCM/CCM AEAD cipher suites (TLS13_SM4_GCM_SM3, TLS13_SM4_CCM_SM3)
  - `kx.rs`: SM2 ECDHE key exchange
  - `sign.rs`: SM2 signing algorithm
  - `verify.rs`: SM2 signature verification
  - `mod.rs`: `crypto_provider()` function returning complete `CryptoProvider`
- **SM3 streaming HMAC** (`HmacSm3`)
  - `update()`: Streaming data input
  - `finalize()`: Final HMAC computation
- **SM2 SPKI DER encoding**
  - `public_key_to_spki_der()`: Encode public key as RFC 5480 SubjectPublicKeyInfo
- **SM2 DEFAULT_ID constant**
  - `DEFAULT_ID`: Default user ID "1234567812345678" (16 bytes)

### Changed

- `Cargo.toml`: Added `rustls` optional feature with dependencies

## [0.2.1] - 2025-03-08

### Added

- **SM2 key exchange** (`sm2::key_exchange` module)
  - `exchange_a` / `exchange_b`: GB/T 32918.3 full key exchange protocol with confirmation hash
  - `ecdh`: Simple SM2-ECDH shared secret computation (TLS/rustls compatible)
  - `ecdh_from_slice`: Slice-based ECDH for TLS integration
  - `EphemeralKey`: Ephemeral key pair with `ZeroizeOnDrop`
- **SM2 DER codec** (`sm2::der` module)
  - `sig_to_der` / `sig_from_der`: Signature DER encoding/decoding
  - `private_key_from_sec1_der`: RFC 5915 SEC1 private key parsing
  - `private_key_from_pkcs8_der`: RFC 5958 PKCS#8 private key parsing
- **SM2 convenience API** (`sm2` module)
  - `sign_message` / `verify_message`: One-step sign/verify with automatic Z-value computation
- **HKDF-SM3** (`sm3::hkdf` module)
  - `hkdf_extract` / `hkdf_expand` / `hkdf`: RFC 5869 compatible
- **SM3 Hasher enhancements**
  - `reset()` / `finalize_reset()`: Streaming hasher reuse
- **SM4 AEAD combined format**
  - `sm4_encrypt_gcm_combined` / `sm4_decrypt_gcm_combined`: TLS format (ciphertext||tag)
  - `sm4_encrypt_ccm_combined` / `sm4_decrypt_ccm_combined`: Same format for CCM
- **BLS signatures** (`bls` module, requires `alloc` feature)
  - `bls_keygen` / `bls_sign` / `bls_verify`: minimal-signature-size variant (sig ∈ G1, pk ∈ G2)
  - `bls_aggregate` / `bls_aggregate_verify`: multi-message aggregate signatures
  - `bls_fast_aggregate_verify`: fast aggregate verification for same-message multi-signer
  - `BlsSignature::to_bytes` / `from_bytes`: 65-byte serialization (uncompressed G1 point)
  - `BlsPubKey::to_bytes` / `from_bytes`: 128-byte serialization (uncompressed G2 point)
- **BLS threshold signatures** (`bls::threshold` module)
  - `bls_threshold_keygen`: Trusted Dealer mode, Shamir polynomial secret sharing
  - `bls_partial_sign` / `bls_combine_signatures`: Lagrange interpolation based aggregation
  - Supports (t+1, n) threshold configurations
- **Hash-to-Curve** (`bls::hash_to_curve` module)
  - `hash_to_g1`: RFC 9380 compliant, maps arbitrary message to BN256 G1 point
  - `expand_message_xmd`: RFC 9380 §5.3.1, message expansion using SM3 as hash
  - `map_to_curve_svdw`: Shallue-van de Woestijne mapping for BN256 (a=0 curve)
- **`fp_sqrt`** in `sm9::fields::fp`
  - Tonelli-Shanks modular square root for SM9 BN256 Fp (p ≡ 1 mod 4)
  - `fp_is_square`: Euler criterion based quadratic residue test
- **FPE format-preserving encryption** (`fpe` module)
  - `FpeKey`: 7-round Luby-Rackoff Feistel cipher based on SM4
  - Supports 1~128 bit plaintext/ciphertext domains
  - `expand_tweak`: arbitrary-length tweak via SM4 hash
  - Automatic key zeroization on drop (`ZeroizeOnDrop`)

### Security

- BLS signature DST separation: signing uses `BLS_SIG_SM9G1_XMD:SM3_SVDW_RO_NUL_`, PoP uses a different tag
- BN256 security note: ~100-bit actual security level documented in API docs

## [0.1.1] - 2025-03-07

### Fixed

- Fixed `cargo test --no-default-features --lib` compilation error
  - SM3 tests: removed alloc dependency, use manual hex parsing
  - SM4 modes tests: added `#[cfg(feature = "alloc")]`

### Changed

- MSRV raised to 1.83.0 (required by crypto-bigint 0.6.x for ConstMontyForm constant-time Montgomery arithmetic)
- Use Rust 1.83+ built-in `div_ceil` method instead of manual implementation

### CI

- Optimized sanity_check.sh to skip test code, avoiding false positives

## [0.1.0] - 2025-03-07

### Added

- SM2 elliptic curve cryptography (GB/T 32918.1-5-2016)
  - Key generation, digital signature (with Z-value), public key encryption/decryption
  - Complete addition formulas for constant-time point operations
  - Fixed-window (w=4) base point scalar multiplication with precomputed table
  - Mixed Jacobian-Affine addition for optimized verification (Shamir's trick)
  - Point compression/decompression (GB/T 32918.1 section 4.2.10)
- SM3 cryptographic hash (GB/T 32905-2016)
  - Streaming and one-shot hashing API
  - HMAC-SM3 with automatic key material zeroization
- SM4 block cipher (GB/T 32907-2016)
  - Boolean circuit bitslice S-box (cache-timing resistant)
  - 8 modes of operation: ECB, CBC, OFB, CFB, CTR, GCM, CCM, XTS
  - GCM/CCM authenticated encryption with constant-time tag verification
- SM9 identity-based cryptography (GB/T 38635.1-2-2020)
  - BN256 pairing (optimal Ate with Miller loop + final exponentiation)
  - Fp12 tower extension: Fp -> Fp2(u^2+2) -> Fp6(v^3-u) -> Fp12(w^2-v)
  - Identity-based signing and verification
  - Identity-based encryption and decryption
- Unified `Error` enum with `Display` and conditional `std::error::Error` impl
- `no_std` support with optional `alloc` and `std` features
- `#![forbid(unsafe_code)]` enforced at crate level
- Automatic private key zeroization via `zeroize::ZeroizeOnDrop`
- GB/T standard test vectors for all algorithms
- Criterion benchmarks for all algorithms with baseline performance data:
  - SM3: 374 MiB/s throughput (64 KiB)
  - SM4-ECB: 27 MiB/s throughput (64 KiB)
  - SM2 sign: 258 µs, verify: 316 µs
  - SM9 sign: 3.44 ms, verify: 5.50 ms

### Changed

- MSRV raised to 1.83.0 (required by crypto-bigint 0.6.x for ConstMontyForm constant-time Montgomery arithmetic)

### Security

- GCM `gf128_mul`: replaced secret-dependent `if` branches with mask arithmetic
- SM2 `is_infinity`: replaced short-circuit `Iterator::all` with `ConstantTimeEq`
- SM2 `add`: replaced 3 conditional branches with complete addition formulas + `conditional_select`
- SM2 `double`: replaced `if is_infinity()` with `conditional_select`
- HMAC-SM3: added `zeroize` for `k_pad`/`ipad`/`opad` key material on stack
- CCM: reject AAD > 510 bytes instead of silently skipping
- XTS: reject non-16-byte-aligned input instead of silently truncating
- SM9 `hash_to_range`: replaced variable-iteration `while` loop with constant-time conditional select

[0.3.0]: https://github.com/kintaiW/libsmx/releases/tag/v0.3.0
[0.2.1]: https://github.com/kintaiW/libsmx/releases/tag/v0.2.1
[0.2.0]: https://github.com/kintaiW/libsmx/releases/tag/v0.2.0
[0.1.1]: https://github.com/kintaiW/libsmx/releases/tag/v0.1.1
[0.1.0]: https://github.com/kintaiW/libsmx/releases/tag/v0.1.0