rscrypto 0.3.0

Pure Rust cryptography: RSA, Ed25519, X25519, SHA-2/3, BLAKE3, AES-GCM, ChaCha20-Poly1305, Argon2, HMAC/HKDF, CRC. no_std, WASM, hardware acceleration.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

//! Linux x86-64 Ed25519 signing assembly backend.
//!
//! The embedded routine is adapted from the s2n-bignum x86-64 Ed25519
//! fixed-base multiplication backend. This module owns the ABI boundary;
//! `ed25519.rs` owns signing semantics.

#![allow(unsafe_code)]

use core::arch::global_asm;

use super::constants::{PUBLIC_KEY_LENGTH, SECRET_KEY_LENGTH};
use crate::platform::{self, caps::x86};

const AFFINE_POINT_LIMBS: usize = 8;
const FIELD_LIMBS: usize = 4;

global_asm!(
  include_str!("asm/rscrypto_ed25519_scalarmulbase_x86_64_unknown_linux.s"),
  options(att_syntax)
);
global_asm!(
  include_str!("asm/rscrypto_ed25519_scalarmulbase_alt_x86_64_unknown_linux.s"),
  options(att_syntax)
);

unsafe extern "C" {
  fn rscrypto_edwards25519_scalarmulbase(out: *mut u64, scalar: *const u64);
  fn rscrypto_edwards25519_scalarmulbase_alt(out: *mut u64, scalar: *const u64);
}

#[inline]
fn has_bmi2_adx() -> bool {
  platform::caps().has(x86::BMI2.union(x86::ADX))
}

/// Compute `[s]B` and return the compressed Ed25519 point.
#[inline]
pub(super) fn basepoint_mul_encoded(s: &[u8; SECRET_KEY_LENGTH]) -> [u8; PUBLIC_KEY_LENGTH] {
  let s_words = words_from_le_bytes(s);
  let mut out = [0u64; AFFINE_POINT_LIMBS];

  if has_bmi2_adx() {
    // SAFETY: BMI2/ADX fixed-base scalar multiplication call because:
    // 1. This module is compiled only for Linux x86-64 System V, matching the embedded assembly ABI.
    // 2. `out` has space for eight `u64` affine limbs.
    // 3. `s_words` has four little-endian `u64` scalar limbs, matching the s2n-bignum ABI.
    // 4. Runtime capabilities prove BMI2 and ADX before selecting this backend.
    // 5. The assembly routine is constant-time with respect to the scalar; signing uses secret nonce
    //    material.
    unsafe { rscrypto_edwards25519_scalarmulbase(out.as_mut_ptr(), s_words.as_ptr()) };
  } else {
    // SAFETY: baseline fixed-base scalar multiplication call because:
    // 1. This module is compiled only for Linux x86-64 System V, matching the embedded assembly ABI.
    // 2. `out` has space for eight `u64` affine limbs.
    // 3. `s_words` has four little-endian `u64` scalar limbs, matching the s2n-bignum ABI.
    // 4. The `_alt` routine is the baseline x86-64 backend and does not require BMI2 or ADX.
    // 5. The assembly routine is constant-time with respect to the scalar; signing uses secret nonce
    //    material.
    unsafe { rscrypto_edwards25519_scalarmulbase_alt(out.as_mut_ptr(), s_words.as_ptr()) };
  }

  encode_affine_point(&out)
}

#[inline]
fn words_from_le_bytes(bytes: &[u8; SECRET_KEY_LENGTH]) -> [u64; FIELD_LIMBS] {
  let mut words = [0u64; FIELD_LIMBS];
  for (word, chunk) in words.iter_mut().zip(bytes.chunks_exact(8)) {
    let mut limb = [0u8; 8];
    limb.copy_from_slice(chunk);
    *word = u64::from_le_bytes(limb);
  }
  words
}

#[inline]
fn encode_affine_point(point: &[u64; AFFINE_POINT_LIMBS]) -> [u8; PUBLIC_KEY_LENGTH] {
  let mut encoded = [0u8; PUBLIC_KEY_LENGTH];

  for (dst, word) in encoded
    .chunks_exact_mut(8)
    .zip(point[FIELD_LIMBS..AFFINE_POINT_LIMBS].iter().copied())
  {
    dst.copy_from_slice(&word.to_le_bytes());
  }

  encoded[PUBLIC_KEY_LENGTH - 1] &= 0x7f;
  encoded[PUBLIC_KEY_LENGTH - 1] |= ((point[0] & 1) as u8) << 7;
  encoded
}