• Stars
    star
    236
  • Rank 170,480 (Top 4 %)
  • Language
    Rust
  • License
    Apache License 2.0
  • Created over 2 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Common cryptographic library used in software at Mysten Labs.

fastcrypto

crate Docs Build status Update the fastcrypto pointer Sui Apache2/MIT licensed Rust Version codecov

fastcrypto is a common cryptography library used in software at Mysten Labs. It contains three individual crates: fastcrypto, fastcrypto-zkp and fastcrypto-cli. They are published as independent crates to encourage reusability across different applications and domains.

fastcrypto is a wrapper library around several carefully selected crates with the following considerations:

  • Security: Whether the libraries are vulnerable to known attack vectors or possible misuses.
  • Performance: Whether the crate performs cryptographic operations with speed after extensive benchmarking. This is critical for the Sui Network to be performant when signing and verifying large amounts of transactions and certificates.
  • Determinism: Whether the signature is non-malleable.
  • Popularity: Whether the library is used by other consensus critical systems.

Furthermore, we extend the selected libraries with additional features:

  • Robust testing framework: Wycheproof tests and prop tests are added when possible to protect against arbitrary inputs and crafted edge cases.
  • Zeroization: Sensitive private key materials are cleared from memory when it goes out of scope using the zeroize trait. Note that this is best effort and does not guarantee that all sensitive data is cleared from memory as data may be copied or moved around by the compiler, FFI, etc.
  • Serialization: Effective and standardized serialization are required.

This library will be continuously updated with more schemes and faster implementations based on benchmarking results, RFC updates, new research and auditor inputs.

The fastcrypto crate contains:

  • Traits that should be implemented by concrete types representing digital cryptographic materials.

    • [SigningKey]: Trait implemented by the private key with associated types of its public key and signature.
    • [VerifyingKey]: Trait implemented by the public key with associated types of its private key and signature. It also includes a default implementation of batch verification that fails on empty batch verification.
    • [Authenticator]: Trait implemented by the signature with associated types of its public key and private key.
    • [AggregateAuthenticator]: Trait implemented by the aggregated signature, which allows adding signatures to the aggregated signature and verifying against the public keys with the corresponding messages.
    • [KeyPair]: Trait that represents a public/private keypair, which includes the common get priv/pub key functions and a keypair generation function with seeded randomness.
    • [ToFromBytes]: Trait that aims to minimize the number of steps involved in obtaining a serializable key.
    • [EncodeDecodeBase64]: Trait that extends ToFromBytes for immediate conversion to/from Base64 strings. This is the format in which cryptographic materials are stored.
  • Concrete signature schemes of type that implement the recommended traits required for cryptographic agility.

    • Ed25519: Backed by ed25519-consensus crate. Compliant to ZIP-215 that defines the signature validity that is lacking from RFC8032 but critical for consensus algorithms. ed25519-dalek is fully deprecated due to the recently discovered Chalkias double pub-key api vulnerability.
    • Secp256k1: ECDSA signatures over the secp256k1 curve. Backed by Secp256k1 FFI wrapper that binds to C library and provides performance faster than the native Rust implementation k256 library by ~30% on verification. Produces either a standard ECDSA signature or a 65-byte recoverable signature of shape [r, s, v] where v can be 0 or 1 representing the recovery Id. Produces deterministic signatures using the pseudo-random deterministic nonce generation according to RFC6979, without the strong requirement to generate randomness for nonce protection. Uses sha256 as the default hash function for sign and verify. An interface for verify_hashed is provided to accept a pre-hashed message and its signature for verification. Supports public key recovery by providing the Secp256k1 recoverable signature with the corresponding pre-hashed message. An accepted signature must have its s in the lower half of the curve order. If s is too high, normalize s to order - s where curve order is 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141. See more at BIP-0062.
    • Secp256r1: ECDSA signatures over the secp256r1 curve backed by the p256 crate which is a pure rust implementation of the Secp256r1 (aka NIST P-256 and prime256v1) curve. The functionality from p256 is extended such that, besides standard ECDSA signatures, our implementation can also produce and verify 65 byte recoverable signatures of the form [r, s, v] where v is the recoveryID. Signatures are produced deterministically using the pseudo-random deterministic nonce generation according to RFC6979, without the strong requirement to generate randomness for nonce protection. Uses sha256 as the default hash function for sign and verify. Supports public key recovery by providing the Secp256r1 ECDSA recoverable signature with the corresponding pre-hashed message. An accepted signature must have its s in the lower half of the curve order. If s is too high, normalize s to order - s where curve order is 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 defined here.
    • BLS12-381: Backed by blst crate written in Assembly and C that optimizes for performance and security. G1 and G2 points are serialized following ZCash specification in compressed format. Provides functions for verifying signatures in the G1 group against public keys in the G2 group (min-sig) or vice versa (min-pk). Provides functions for aggregating signatures and fast verifying aggregated signatures, where public keys are assumed to be verified for proof of possession.
    • RSA: Backed by crate rsa. Provides functions to sign and verify RSA signature according to RFC 8017
  • Utility functions on cryptographic primitives. Some of them serve as the Rust implementation of the Move smart contract API in Sui.

    • HKDF: An HMAC-based key derivation function based on RFC-5869, to derive keypairs with a salt and an optional domain for the given keypair. This requires choosing an HMAC function that expands precisely to the byte length of a private key for the chosen KeyPair parameter.
    • Pedersen Commitment: Function to create a Pedersen commitment with a value and a blinding factor. Add or subtract Ristretto points that represent Pedersen commitments.
    • Bulletproofs Range Proof: Function to prove that a committed value is an unsigned integer that is within the range [0, 2^bits). Function to verify that the commitment is a Pedersen commitment of some value with an unsigned bit length, a value is an integer within the range [0, 2^bits).
    • Elliptic Curve VRF (ECVRF): A verifiable random function implementation using the Ristretto255 group. Function to create a proof based on a given input and verify a proof for a given output, based on specification in draft-irtf-cfrg-vrf-15.
  • Encoding: Base64 and Hex are defined with an encoding trait with its customized serialization and validations, backed by base64ct and hex. Notably, the base64ct crate has been chosen instead of the most popular base64 Rust crate, because (a) it is constant time and (b) mangled encodings are explicitly rejected to prevent malleability attacks when decoding, see paper on in-depth analysis.

  • Hash functions wrappers: SHA2_256 with 256 bit digests, SHA3_256 with 256 bit digests, SHA2_512 with 512 bit digests, SHA3_512 with 512 bit digests, KECCAK with 256 bit digests, BLAKE2-256 with 256 bit digests.

  • Multiset Hash: A hash function where the output of the hash function is a point on the elliptic curve. It also allows for efficient computation for the hash of the union of two multiset.

  • A asynchronous signature service is provided for testing and benchmarking.

The fastcryto-zkp crate contains APIs to verify a Groth16 proof along with its prepared verifying key and public inputs. BN254 and BLS12381 curves are supported. The verifier is backed Arkworks and blst libraries.

The fastcrypto-cli crate includes CLI tools available for debugging. See usages with -h flag.

$ cargo build --bin encode-cli
$ target/debug/encode-cli -h
$ cargo build --bin sigs-cli
$ target/debug/sigs-cli -h
$ cargo build --bin ecvrf-cli
$ target/debug/ecvrf-cli -h

Tests

There exist unit tests for all primitives in all three crates, which can be run by:

$ cargo test

Benchmarks

In fastcrypto, one can compare all currently implemented signature schemes for sign, verify, verify_batch and key-generation by running:

$ cargo bench

A report of the benchmarks is generated for each release, allowing easy comparison of the performance of the different cryptographic primitives and schemes available in fastcrypto. As an example, we get these timings for signing messages and verifying the signature for the different schemes in fastcrypto as of revision a6e3e8:

Signature schemes comparison.

Below is another plot made using data from the benchmark report, showing benchmarks for batched signature verification where all signatures are on the same message:

Batched signature verification with all signatures on same message.

In fastcrypto-zkp, benchmarks can be ran for Arkworks to blst representation of field elements, and verifying Groth16 in BN254 and BLS12381:

$ cd fastcrypto-zkp/
$ cargo bench

License

All crates licensed under either of

More Repositories

1

sui

Sui, a next-generation smart contract platform with high throughput, low latency, and an asset-oriented programming model powered by the Move programming language
Rust
5,992
star
2

awesome-move

Code and content from the Move community.
1,355
star
3

ed25519-unsafe-libs

List of unsafe ed25519 signature libs
Rust
194
star
4

narwhal

Narwhal & Tusk are a high throughput mempool & consensus, used in the Sui smart contract platform
Rust
153
star
5

move-book

The Move Book and The Move Reference
Move
122
star
6

capybot

Automated trading bot
TypeScript
58
star
7

mysticeti

Mysticeti: Low-Latency DAG Consensus with Fast Commit Path
Rust
45
star
8

apps

Home for applications created by MystenLabs
Move
45
star
9

mysten-infra

Common infrastructure used by multiple Mysten projects
Rust
36
star
10

sui-genesis

Genesis state for various sui networks
29
star
11

truncator

Compress cryptographic outputs via mining
Rust
23
star
12

deepbookv3

Deepbook V3
Move
21
star
13

walrus-sites

Walrus Sites: Decentralized Websites using Sui and Walrus.
Rust
19
star
14

blackjack-sui

BlackJack with Sui and Move!
TypeScript
17
star
15

satoshi-coin-flip

A Move implementation of a time locked Satoshi coin flip game.
Move
16
star
16

dapol

DAPOL+ Proof of Liabilities using Bulletproofs and Sparse Merkle trees
Rust
16
star
17

research

Research papers
Python
15
star
18

suins-contracts

The SuiNS Smart Contracts & Documentation repository
Move
14
star
19

capybot-monitor

A Jupyter Notebook to monitor the status of a Capybot
Python
13
star
20

evm-sui-bridge

Solidity
12
star
21

solvency-proofs

Cryptographic Solvency Proofs (schemes, standards, links, edu material)
11
star
22

Sui-Unity

Unity project to test SuiDotnet interface
C#
10
star
23

sui-axelar

Move
9
star
24

example-walrus-sites

A demo for a dApp on Walrus Sites, with minting and per-NFT sites.
HTML
9
star
25

mysten-sim

Deterministic executor + network sim for tokio-based systems.
Rust
6
star
26

polydiv

Faster Polynomial Division
Rust
6
star
27

sui-fantasy

Move
5
star
28

sui-doctor

Tool for automatic diagnosis of configuration problems
Python
5
star
29

sui-circulation-api

Simple API returning info about SUI circulation amounts
CSS
4
star
30

controlled-treasury

An example smart contract to manage a controlled treasury with flexible risk-management controls
Move
4
star
31

multisig-move

Move
4
star
32

sui-dev-newsletter

The Sui developer newsletter repository
Python
4
star
33

plinko-poc

TypeScript
3
star
34

sui-native-randomness

Move
3
star
35

telemetry-subscribers

Common utilities for Tokio-based application telemetry, including tracing, logging, spans
Rust
2
star
36

react-native-zklogin-poc

TypeScript
2
star
37

sui-nft-rental

Move
1
star
38

suifrens-display-system

Library that demonstrates how SuiFren images are constructed and rendered 🦈
TypeScript
1
star
39

BugPub

The First Web3 Bug Bounty Marketplace
TypeScript
1
star
40

historical-jwks-zklogin

Rust
1
star