shortcake 0.1.0-pre.4

A generic Rust implementation of the Pasini-Vaudenay 3-move SAS-based authenticated key agreement protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

// Copyright (c) Meta Platforms, Inc. and affiliates.
//
// This source code is dual-licensed under either the MIT license found in the
// LICENSE-MIT file in the root directory of this source tree or the Apache
// License, Version 2.0 found in the LICENSE-APACHE file in the root directory
// of this source tree. You may select, at your option, one of the above-listed
// licenses.

//! Initiator protocol implementation.
//!
//! The Initiator starts the 3-move SAS protocol by generating a KEM keypair,
//! creating a commitment, and sending the first message.

use core::marker::PhantomData;

use digest::Output;
use rand_core::CryptoRng;
use subtle::ConstantTimeEq;
use zeroize::Zeroize;

use crate::ciphersuite::{CipherSuite, Kem};
use crate::commitment;
use crate::error::Error;
use crate::responder::MessageTwo;
use crate::sas::{compute_sas, derive_session_key};
use crate::verification::ProtocolOutput;
use crate::Nonce;

/// The first protocol message (Initiator -> Responder).
#[derive(Clone)]
#[cfg_attr(
    feature = "serde",
    derive(serde::Serialize, serde::Deserialize),
    serde(bound(
        serialize = "<CS::Kem as Kem>::EncapsulationKey: serde::Serialize",
        deserialize = "<CS::Kem as Kem>::EncapsulationKey: serde::Deserialize<'de>",
    ))
)]
pub struct MessageOne<CS: CipherSuite> {
    /// The Initiator's encapsulation (public) key.
    pub(crate) ek: <CS::Kem as Kem>::EncapsulationKey,
    /// Commitment to the encapsulation key and nonce.
    pub(crate) commitment: Output<CS::Hash>,
}

/// The third protocol message (Initiator -> Responder).
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
pub struct MessageThree {
    /// The Initiator's nonce, opening the commitment.
    pub(crate) initiator_nonce: Nonce,
}

/// Initiator state in the 3-move SAS protocol.
///
/// Created by [`Initiator::start`], which generates a KEM keypair internally
/// and produces the first protocol message. Call [`Initiator::finish`] after
/// receiving the responder's reply to obtain a [`ProtocolOutput`] and the
/// final protocol message.
#[cfg_attr(
    feature = "serde",
    derive(serde::Serialize, serde::Deserialize),
    serde(bound(
        serialize = "<CS::Kem as Kem>::DecapsulationKey: serde::Serialize, <CS::Kem as Kem>::EncapsulationKey: serde::Serialize",
        deserialize = "<CS::Kem as Kem>::DecapsulationKey: serde::Deserialize<'de>, <CS::Kem as Kem>::EncapsulationKey: serde::Deserialize<'de>",
    ))
)]
pub struct Initiator<CS: CipherSuite> {
    dk: <CS::Kem as Kem>::DecapsulationKey,
    ek: <CS::Kem as Kem>::EncapsulationKey,
    initiator_nonce: Nonce,
    _marker: PhantomData<CS>,
}

impl<CS: CipherSuite> Drop for Initiator<CS> {
    fn drop(&mut self) {
        self.initiator_nonce.zeroize();
        self.dk.zeroize();
        self.ek.zeroize();
    }
}

impl<CS: CipherSuite> Initiator<CS> {
    /// Start the protocol as Initiator.
    ///
    /// Generates a KEM keypair internally and produces the first protocol
    /// message to send to the Responder.
    ///
    /// # Arguments
    ///
    /// * `rng` - A cryptographically secure random number generator.
    ///
    /// # Returns
    ///
    /// A tuple of (initiator_state, first_message).
    pub fn start(rng: &mut impl CryptoRng) -> (Self, MessageOne<CS>) {
        let (dk, ek) = CS::Kem::generate(rng);

        let mut initiator_nonce = [0u8; 32];
        rng.fill_bytes(&mut initiator_nonce);

        let commitment = commitment::commit::<CS::Hash>(ek.as_ref(), &initiator_nonce);

        let state = Self {
            dk,
            ek: ek.clone(),
            initiator_nonce,
            _marker: PhantomData,
        };

        let message = MessageOne { ek, commitment };

        (state, message)
    }

    /// Process the responder's message and produce the protocol output.
    ///
    /// This decapsulates the ciphertext to recover the shared secret,
    /// checks for reflection attacks, and computes the SAS.
    ///
    /// # Arguments
    ///
    /// * `msg2` - The second protocol message from the Responder.
    ///
    /// # Returns
    ///
    /// A tuple of (protocol_output, third_message) on success.
    pub fn finish(self, msg2: MessageTwo<CS>) -> Result<(ProtocolOutput<CS>, MessageThree), Error> {
        // Check for reflection attack: ek must not equal ct.
        // For KEMs where ek and ct have different sizes (e.g., X-Wing),
        // this check is always false and acts as defense-in-depth.
        if self.ek.as_ref().ct_eq(msg2.ct.as_ref()).into() {
            return Err(Error::ReflectionDetected);
        }

        // Decapsulate to get KEM shared secret
        let mut kem_ss =
            CS::Kem::decaps(&self.dk, &msg2.ct).map_err(|_| Error::DecapsulationFailed)?;

        // Derive session key from full transcript
        let session_key = derive_session_key::<CS::Hash>(
            self.ek.as_ref(),
            msg2.ct.as_ref(),
            &msg2.responder_nonce,
            &self.initiator_nonce,
            kem_ss.as_ref(),
        );
        kem_ss.zeroize();

        // Compute SAS
        let sas = compute_sas::<CS::Hash>(
            &msg2.responder_nonce,
            &self.initiator_nonce,
            msg2.ct.as_ref(),
        );

        let output = ProtocolOutput {
            sas,
            session_key,
            _marker: PhantomData,
        };

        let message = MessageThree {
            initiator_nonce: self.initiator_nonce,
        };

        Ok((output, message))
    }
}