# [−][src]Crate salty

Mashup of TweetNaCl with ed25519-dalek, aimed towards embedded use cases on microcontrollers.

Originally, this library was a transliteration of the C implementation of Ed25519 signatures in TweetNaCl to Rust, "with helpful explanations". One reason the current ed25519-dalek library in its current state is not usable for microcontrollers is that it includes ~40kB of pre-computed data to speed things up. Moreover, the implementatons are optimized for PC.

Iterating over the not-very-nice API surface of NaCl, we ended up with a close relative of the "dalek" APIs anyway, where things are modeled as, for instance, "compressed y-coordinate of Edwards25519 curve point", instead of raw bytes.

The main entry point of the API is either a keypair, or a public key.

For keypairs, an external trusted source of entropy is assumed, letting us construct a keypair as:

let seed: [u8; 32] = <some entropic input>; let keypair: salty::Keypair = salty::Keypair::from(&seed);

Any byte slice that fits in memory can then be signed (without new entropic input) deterministically via

let data: &[u8] = <some data>; let signature: salty::Signature = keypair.sign(data);

Thereafter, the signature can be checked:

let public_key = &keypair.pubic; assert!(public_key.verify(data, &signature).is_ok());

Please note that `Ed25519`

signatures are *not* init-update-finalize signatures,
since two passes over the data are made, sequentially (the output of the first pass
is an input to the second pass).
For cases where the data to be signed does not fit in memory, as explained in
RFC 8032 an alternative algorithm `Ed25519ph`

("ph" for prehashed) is
defined. This is *not* the same as applying Ed25519 signature to the SHA512 hash of
the data; it is is exposed via `Keypair::sign_prehashed`

and
`PublicKey::verify_prehashed`

.

Future plans include:

- rigorous correctness checks
- rigorous checks against timing side-channels, using the DWT cycle count of ARM MCUs
- optimize the field operations for Cortex-M4 and above, by using the
implementation provided by Bjoern Haase which is based on the the UMAAL instruction
`(u32, u32, u32, u32) -> u64, (a, b, c, d) -> a*b + c + d`

. - add the authenticated encryption part of NaCl
- add more lightweight cryptography as alternative

Current numbers on an NXP LPC55S69 running at 96Mhz:

- signing prehashed message: 52,632,954 cycles
- verifying said message: 100,102,158 cycles
- code size for this: 19,724 bytes Obviously, this needs to improve :))

## Modules

constants |

## Structs

CompressedY | "Compressed" form of a |

CurvePoint | These represent the (X,Y,T,Z) coordinates |

Keypair | pair of secret and corresponding public keys |

PublicKey | a public key, consisting internally of both its defining point (the secret scalar times the curve base point) and the compression of that point. |

Scalar | Since the curve is an abelian group, it has a module structure, consisting of these scalars. They are the integers modulo "ell", where "ell" is 2**252 + something something. |

SecretKey | a secret key, consisting internally of the seed and its expansion into a scalar and a "nonce". |

Sha512 | |

Signature | a signature: pair consisting of a curve point "R" in compressed form and a scalar "s". |

## Enums

Error | Extensible error type for all |

## Type Definitions

Result | Result type for all |