[Haskell-cafe] ANNOUNCE: eccrypto 0.1.0, timing attack safe cryptography in Haskell
haskell at marcelfourne.de
Tue Feb 19 14:25:40 UTC 2019
Dear Haskell Community!
I'd like to introduce some new cryptographic code, containing a
verified[*] timing-attack safe pure Haskell[**] implementation of
Ed25519 and as of yet unverified implementations of textbook ECDH and
ECDSA on the NIST prime curves.
Install it by
$ cabal install eccrypto
or download it from Hackage.
Also contained are test vectors, usable by the trusty
$ cabal test
as well as benchmarking code which you can invoke by
$ cabal bench
if you want to try my code before using it. Please note that this is a
one person project, so there is still much room for optimization.
The intended focus groups are implementors of cryptographic protocols as
well as other cryptographers and interested third parties.
My code uses no[**] embedded C code or assembly to achieve timing
attack resistance, only careful Haskell constructions in the internal
modules, the obligatory hackers footgun included only in those. ;-)
Security sketch: The timing attack safety is built on the constant time
criterion, namely, that no branches or memory access indices may be
based on the content of the secret key bits. The name of this criterion
is from the strict evaluation world of cryptography, but does not
prohibit non-strict evaluation semantics per se.
The API is only slightly different from contemporary libraries like
"ed25519", but the content of the signatures is just the same.
The number of dependencies are also in the same ballpark, if you'd like
to use the code for infrastructure - but in that case, please talk to me
to not use unverified/insecure operations!
Best of wishes to a thriving community,
[*]: paper upcoming but as of now it only exists in my notes; analysis
was done "by hand" on assembly generated by GHC 8.4.4, mechanization
based on established proofs is planned
[**]: using integer-gmp, might change in the future to low-level Haskell
More information about the Haskell-Cafe