a58fe8275e
新增功能: - BLS 签名:基于 BN256 配对的最小签名尺寸变体 - BLS 门限签名:Shamir 秘密分享 + Lagrange 插值聚合 - Hash-to-Curve:RFC 9380 兼容,SM3 消息扩展 - FPE 格式保留加密:基于 SM4 的 Feistel 密码 - SM9 Fp 平方根:Tonelli-Shanks 算法 文档更新: - README 添加 BLS/FPE 算法描述 - CHANGELOG 添加 v0.2.0 变更记录 - SECURITY 更新版本支持表
5.1 KiB
5.1 KiB
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[Unreleased] - v0.2.0
Added
- BLS signatures (
blsmodule, requiresallocfeature)bls_keygen/bls_sign/bls_verify: minimal-signature-size variant (sig ∈ G1, pk ∈ G2)bls_aggregate/bls_aggregate_verify: multi-message aggregate signaturesbls_fast_aggregate_verify: fast aggregate verification for same-message multi-signerBlsSignature::to_bytes/from_bytes: 65-byte serialization (uncompressed G1 point)BlsPubKey::to_bytes/from_bytes: 128-byte serialization (uncompressed G2 point)
- BLS threshold signatures (
bls::thresholdmodule)bls_threshold_keygen: Trusted Dealer mode, Shamir polynomial secret sharingbls_partial_sign/bls_combine_signatures: Lagrange interpolation based aggregation- Supports (t+1, n) threshold configurations
- Hash-to-Curve (
bls::hash_to_curvemodule)hash_to_g1: RFC 9380 compliant, maps arbitrary message to BN256 G1 pointexpand_message_xmd: RFC 9380 §5.3.1, message expansion using SM3 as hashmap_to_curve_svdw: Shallue-van de Woestijne mapping for BN256 (a=0 curve)
fp_sqrtinsm9::fields::fp- Tonelli-Shanks modular square root for SM9 BN256 Fp (p ≡ 1 mod 4)
fp_is_square: Euler criterion based quadratic residue test
- FPE format-preserving encryption (
fpemodule)FpeKey: 7-round Luby-Rackoff Feistel cipher based on SM4- Supports 1~128 bit plaintext/ciphertext domains
expand_tweak: arbitrary-length tweak via SM4 hash- Automatic key zeroization on drop (
ZeroizeOnDrop)
Security
- BLS signature DST separation: signing uses
BLS_SIG_SM9G1_XMD:SM3_SVDW_RO_NUL_, PoP uses a different tag - BN256 security note: ~100-bit actual security level documented in API docs
0.1.1 - 2025-03-07
Fixed
- Fixed
cargo test --no-default-features --libcompilation error- SM3 tests: removed alloc dependency, use manual hex parsing
- SM4 modes tests: added
#[cfg(feature = "alloc")]
Changed
- MSRV raised to 1.83.0 (required by crypto-bigint 0.6.x for ConstMontyForm constant-time Montgomery arithmetic)
- Use Rust 1.83+ built-in
div_ceilmethod instead of manual implementation
CI
- Optimized sanity_check.sh to skip test code, avoiding false positives
0.1.0 - 2025-03-07
Added
- SM2 elliptic curve cryptography (GB/T 32918.1-5-2016)
- Key generation, digital signature (with Z-value), public key encryption/decryption
- Complete addition formulas for constant-time point operations
- Fixed-window (w=4) base point scalar multiplication with precomputed table
- Mixed Jacobian-Affine addition for optimized verification (Shamir's trick)
- Point compression/decompression (GB/T 32918.1 section 4.2.10)
- SM3 cryptographic hash (GB/T 32905-2016)
- Streaming and one-shot hashing API
- HMAC-SM3 with automatic key material zeroization
- SM4 block cipher (GB/T 32907-2016)
- Boolean circuit bitslice S-box (cache-timing resistant)
- 8 modes of operation: ECB, CBC, OFB, CFB, CTR, GCM, CCM, XTS
- GCM/CCM authenticated encryption with constant-time tag verification
- SM9 identity-based cryptography (GB/T 38635.1-2-2020)
- BN256 pairing (optimal Ate with Miller loop + final exponentiation)
- Fp12 tower extension: Fp -> Fp2(u^2+2) -> Fp6(v^3-u) -> Fp12(w^2-v)
- Identity-based signing and verification
- Identity-based encryption and decryption
- Unified
Errorenum withDisplayand conditionalstd::error::Errorimpl no_stdsupport with optionalallocandstdfeatures#![forbid(unsafe_code)]enforced at crate level- Automatic private key zeroization via
zeroize::ZeroizeOnDrop - GB/T standard test vectors for all algorithms
- Criterion benchmarks for all algorithms with baseline performance data:
- SM3: 374 MiB/s throughput (64 KiB)
- SM4-ECB: 27 MiB/s throughput (64 KiB)
- SM2 sign: 258 µs, verify: 316 µs
- SM9 sign: 3.44 ms, verify: 5.50 ms
Changed
- MSRV raised to 1.83.0 (required by crypto-bigint 0.6.x for ConstMontyForm constant-time Montgomery arithmetic)
Security
- GCM
gf128_mul: replaced secret-dependentifbranches with mask arithmetic - SM2
is_infinity: replaced short-circuitIterator::allwithConstantTimeEq - SM2
add: replaced 3 conditional branches with complete addition formulas +conditional_select - SM2
double: replacedif is_infinity()withconditional_select - HMAC-SM3: added
zeroizefork_pad/ipad/opadkey material on stack - CCM: reject AAD > 510 bytes instead of silently skipping
- XTS: reject non-16-byte-aligned input instead of silently truncating
- SM9
hash_to_range: replaced variable-iterationwhileloop with constant-time conditional select