-
Notifications
You must be signed in to change notification settings - Fork 198
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Define a Encapsulate::encapsulate_in_place
method
#1596
Conversation
Also if this gets merged I can remove the |
…ce to one unit test
One issue: it’s not clear to me if there is any
So it seems this API is a little constraining if we want to support no-alloc. Solution 1: Keep this as it is, with the knowledge that it only makes sense for Solution 2: Remove Solution 3: Make a separate generic parameter I kinda like solution 2. I always forget what’s possible in current Rust. I’ll see if I hit a barrier here. |
You could always define an |
Hmm, I think the blanket impl doesn't quite work for two reasons. Firstly, it can't be overridden, so anything that's But yeah, I'm not opposed to |
Do you happen to have an opinion @bifurcation? |
I'll note I'm a big fan of NOT having blanket impls unless they completely make sense 100% of the time |
Update on solution 2: It appears that this requires pub trait Encapsulate<SS> {
type Error: Debug;
const ENCAPSULATED_KEY_LENGTH: usize;
fn encapsulate(
&self,
rng: &mut impl CryptoRngCore,
) -> Result<([u8; Self::ENCAPSULATED_KEY_LENGTH], SS), Self::Error>;
} which is not possible because it uses an associated const in a type signature (classic tracking issue). So we'd either have to use |
Would recommend |
Couple of quick reactions:
Overall, no strong opinions here, other than a slight impression of premature optimization. |
Thank you for looking at this! In order:
|
Ready for review |
Actually I think maybe this needs some more thinking. I feel like I'm missing something very simple here. Especially wrt the request for more simplicity in #1559. I think I'll close for now. We can discuss more in the Zulip, I think. |
I have an issue in my Saber impl rozbb/saber-rs#6 that relates to this.
encapsulate
performs a stack allocation for its encapsulated key. This is not an issue for DH-based KEMs, but it's certainly more of an issue with, e.g., Kyber1024 or Firesaber, whose ciphertexts are ~1.5kB.So I've added an
encapsulate_in_place
method toEncapsulate
that lets the user provide their own ciphertext buffer. One nontrivial choice I made is documenting that "If this errors, the final value ofencapsulated_key
MUST equal its original value". I think this is probably fine: if the ciphertext is small then you can just do an allocation anyway, and if the ciphertext is large then it's probably a PQC scheme, and all of those are infallible, so you'll always overwrite anyway. In the absolute worst case, you can make a self-zeroizing copy of the buffer before you start working on it.Happy to get feedback.