index.xml

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Dr Franziskus Kiefer</title>
        <link>https://www.franziskuskiefer.de/</link>
        <description>Recent content on Dr Franziskus Kiefer</description>
        <generator>Hugo -- gohugo.io</generator>
        <language>en-us</language>
        <lastBuildDate>Mon, 02 May 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.franziskuskiefer.de/index.xml" rel="self" type="application/rss+xml" /><item>
        <title>What is High Assurance Cryptography?</title>
        <link>https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/</link>
        <pubDate>Mon, 02 May 2022 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/header.jpg" alt="Featured image of post What is High Assurance Cryptography?" /&gt;&lt;p&gt;With my company &lt;a class=&#34;link&#34; href=&#34;https://www.cryspen.com&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Cryspen&lt;/a&gt; we build high assurance cryptography.
But what does this actually mean?&lt;/p&gt;
&lt;p&gt;Before focusing on cryptography it is interesting to look at high assurance
software in general.
How is high assurance software different from other software?&lt;/p&gt;
&lt;p&gt;High assurance software is usually seen as being more trustworthy than other
software.
This is especially interesting in high-risk/high-stakes environments such as
financial institutions or governments.
There are different ways to achieve better guarantees for software.
Today the most commonly used technique to increase trust into software is using
certifications like &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Common_Criteria&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;common criteria&lt;/a&gt;
or &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/FIPS_140-2&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;FIPS&lt;/a&gt;.
While these certifications offer a certain level of additional guarantees, only
the highest levels require some form of formal verification of the production
source code.
As such certification usually reaches only up to a certain level of high assurance.&lt;/p&gt;
&lt;p&gt;Instead, using formal methods to increase trust in software offers real tangible
guarantees on a software artifact.
But in order to get actual guarantees we have to define the properties that are
guaranteed and put it into perspective by defining different assurance levels.
Before doing this we look at the different techniques used in high assurance
software engineering.&lt;/p&gt;
&lt;h2 id=&#34;techniques&#34;&gt;Techniques&lt;/h2&gt;
&lt;p&gt;There are a number of different techniques used in (high assurance) software engineering.
Some are simply good engineering practice while others go beyond what is done for most software.
The following picture gives a high-level overview of the different techniques.
(The list is of course not exhaustive and some grouping might be arbitrary.)&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 200; flex-basis: 480px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/overview1.png&#34; data-size=&#34;1440x720&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/overview1.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/overview1_hu3cede752948e24ef3b92606ea47496ec_569899_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/overview1_hu3cede752948e24ef3b92606ea47496ec_569899_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;1440&#34;
				height=&#34;720&#34;
				loading=&#34;lazy&#34;
				alt=&#34;High assurance tools - an overview&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;High assurance tools - an overview&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;On the left side we have safe programming languages and engineering processes
that are the bedrock of high assurance software engineering.
Processes ensure that the development and maintenance process is safe while
using a safe programming language such as Rust that gives memory safety
guarantees provides a safety baseline for the software.&lt;/p&gt;
&lt;p&gt;The engineering infrastructure in the center is used to enforce policies and link
everything together.
It is the glue that implements engineering processes and ensures safe operations
of the code at all times.
On the right hand side we have engineering practices divided into dynamic and
static tools, or testing and formal methods.
There are a lot of different testing techniques from fuzzing to known answer
tests that ensure that the code is operating correctly and safely for a certain
set of inputs.
With static analysis and formal methods we can go a step further and ensure that
the code is correct and safe for all inputs.&lt;/p&gt;
&lt;h2 id=&#34;assurance-levels&#34;&gt;Assurance Levels&lt;/h2&gt;
&lt;p&gt;Speaking about “high assurance” is so vague that it can be considered meaningless.
When speaking about high assurance software it is paramount to define a set of
properties the software guarantees.
To this end we define a set of assurance levels a software artifact can achieve
and a set of techniques used to get there.
The following picture sorts the previously defined techniques according to the
level of assurance they provide and the complexity required to use them.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 192; flex-basis: 462px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/overview2.png&#34; data-size=&#34;2018x1047&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/overview2.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/overview2_hu6645ebbbb45afaa59acb0d3491403de9_661764_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/what-is-high-assurance-cryptography/overview2_hu6645ebbbb45afaa59acb0d3491403de9_661764_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;2018&#34;
				height=&#34;1047&#34;
				loading=&#34;lazy&#34;
				alt=&#34;High assurance - an overview&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;High assurance - an overview&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&#34;ca-1&#34;&gt;CA-1&lt;/h3&gt;
&lt;p&gt;The first level of high assurance software is what I’d flippantly call “well
written software”.
At this level no complex tools are required. Instead good engineering principles
are applied.&lt;/p&gt;
&lt;p&gt;Note that this level must not be used for cryptographic software.
&lt;strong&gt;Cryptography requires at least CA-2.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The programming language and how it is used is the first important point.
A programming language like Rust that is memory safe and has a lot of additional
features that allow to ensure that the code is “safe” is paramount.
It is well known that memory safety is the root cause for most security issues
with about 70% (see what &lt;a class=&#34;link&#34; href=&#34;https://www.chromium.org/Home/chromium-security/memory-safety/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Google&lt;/a&gt;, &lt;a class=&#34;link&#34; href=&#34;https://msrnd-cdn-stor.azureedge.net/bluehat/bluehatil/2019/assets/doc/Trends%2C%20Challenges%2C%20and%20Strategic%20Shifts%20in%20the%20Software%20Vulnerability%20Mitigation%20Landscape.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Microsoft&lt;/a&gt;, or the &lt;a class=&#34;link&#34; href=&#34;https://www.memorysafety.org/docs/memory-safety/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ISRG&lt;/a&gt; say about this).
They are only possible because languages like C and C++ are not memory safe.&lt;/p&gt;
&lt;p&gt;The code requires a sufficient amount of tests. It is difficult and arbitrary to
define an exact number for test coverage.
But I think it is safe to say that a test coverage of less than 70% is not
acceptable.
Defining test coverage, quantitatively and qualitatively, is part of the
engineering process.&lt;/p&gt;
&lt;p&gt;Because testing against itself is not sufficient, test vectors with known answer
tests must be used.
If the implementation does not have a generally accepted specification or
(de-facto) reference implementation that can be used to get test vectors, a
reference implementation (specification) must be written to produce test vectors.&lt;/p&gt;
&lt;p&gt;Engineering processes must be implemented that ensure that the code can be safely
maintained in the long-run.
An engineering infrastructure must be in place to enforce processes and help the engineering process.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Properties:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Memory safety&lt;/li&gt;
&lt;li&gt;Adequate test coverage&lt;/li&gt;
&lt;li&gt;Known answer tests&lt;/li&gt;
&lt;li&gt;Engineering best practices
&lt;ul&gt;
&lt;li&gt;Review guidelines&lt;/li&gt;
&lt;li&gt;Continuous integration&lt;/li&gt;
&lt;li&gt;Documentation&lt;/li&gt;
&lt;li&gt;(Security) bug reporting&lt;/li&gt;
&lt;li&gt;Release management&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id=&#34;ca-2&#34;&gt;CA-2&lt;/h3&gt;
&lt;p&gt;The second level includes everything from the first level but adds properties
specific to cryptographic code and more advanced testing methods.&lt;/p&gt;
&lt;p&gt;In cryptographic code it is important that no decisions are made based on secret
information.
It is therefore necessary to avoid any branching on secret data or memory access
based on secret data.
There is research tooling out there that tries to ensure this and a lot of good
practices to avoid it. But there’s no comprehensive way of doing this right now.
With Cryspen we develop a set of tools to ensure secret independent computation that we use and maintain.&lt;/p&gt;
&lt;p&gt;On this level more advanced testing such as fuzzing and property based testing
is required as well to make sure that the code is not only safe in well defined
states but can handle any input.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Properties:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Secret independent computation
&lt;ul&gt;
&lt;li&gt;No secret-dependent branching&lt;/li&gt;
&lt;li&gt;No secret-dependent memory access&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Advanced testing
&lt;ul&gt;
&lt;li&gt;Fuzzing&lt;/li&gt;
&lt;li&gt;Sanitizer builds&lt;/li&gt;
&lt;li&gt;Property based testing&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h4 id=&#34;ca-2-1&#34;&gt;CA-2+&lt;/h4&gt;
&lt;p&gt;The secret independent computation properties in CA-2 can be shown on different
levels.
Often this is done only on the programming language level rather than the machine
code.
If the secret independent computation is ensured on the machine code level, we
call this CA-2+.
Higher levels are augmented with the + in the same way if the secret independence
is given after compilation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Properties:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Secret independent computation ensured on the machine code level&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id=&#34;ca-3a&#34;&gt;CA-3a&lt;/h3&gt;
&lt;p&gt;The third assurance level includes the first two but requires formal methods.
This is what we will always aim for. But because of the complexity and real world
constraints it is not always feasible to achieve this level for all code.&lt;/p&gt;
&lt;p&gt;Cryptographic primitives are one building block used to build cryptographic
protocols.
Because they require highly efficient implementations but usually have a rather
succinct mathematical definition, functional and semantic correctness are the
properties we are interested in.
In particular, the efficient implementation of a cryptographic primitive must be
shown equivalent to a self-evidently correct specification.
Additionally semantic properties such as “decryption is the inverse of encryption”
can be shown.
The exact properties proven must be clearly stated for every artifact.&lt;/p&gt;
&lt;p&gt;Data structures and other building blocks are needed to build cryptographic
protocols in addition to the primitives.
They must be similarly shown to be correct and safe to use by using functional
and semantic correctness proofs.&lt;/p&gt;
&lt;p&gt;On this level the cryptographic protocols themselves are written in a succinct
way such that they can be inspected by hand and compared to a general
specification if available.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Properties:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Functional and semantic security proofs&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id=&#34;ca-3b&#34;&gt;CA-3b&lt;/h3&gt;
&lt;p&gt;The third level can be extended to require formal proofs on the protocol layer.
While cryptographic protocols can often be written in a way that they are
self-evidently correct and efficient, this is not enough if the protocol is not
standardized or is too complex to inspect manually.&lt;/p&gt;
&lt;p&gt;Security models and properties are defined for a protocol and they are proven on
the implementation of the cryptographic protocols using formal methods.
These properties are very specific to each protocol and can range from the
correctness of a state machine to the security against a certain type of attacker.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Properties:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Security proofs&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;high-assurance&#34;&gt;High-Assurance?&lt;/h2&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://highassurance.rs&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;https://highassurance.rs&lt;/a&gt; has some great documentation on writing good Rust code.
However, it also has a good example of what I &lt;em&gt;don’t&lt;/em&gt; consider high assurance software
and exemplifies why it is so important to specify all claims precisely instead of
simply claiming high assurance.
&lt;em&gt;(Note that this is just an example to show why it is so important to exactly specify what assurances are given. This is not supposed to bash the &lt;a class=&#34;link&#34; href=&#34;https://highassurance.rs&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;https://highassurance.rs&lt;/a&gt; folks. I think it&amp;rsquo;s a great effort.)&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Let’s take a look at chapters &lt;a class=&#34;link&#34; href=&#34;https://highassurance.rs/chp2/dynamic_assurance_1.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;2.4-2.6&lt;/a&gt; that describe a high assurance
implementation of the RC4 stream cipher. At the end of the section the authors
state the following:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;You&amp;rsquo;ve now built your first piece of high assurance software (sans the RC4 algorithm itself). Your RC4 library is:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Fully memory-safe, hence &lt;code&gt;#![forbid(unsafe_code)]&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Stand-alone and capable for running almost anywhere, hence &lt;code&gt;#![no_std]&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Functionally validated, using official IETF test vectors&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;p&gt;While these points are all on the list above they are what I would consider good
engineering principles (known answer tests with test vectors, and memory safety).
In particular, they lay the foundation for high assurance software but don’t
constitute high assurance in itself. As is, the code itself would be CA-1 but
additional mechanisms in the form of engineering processes and infrastructure
are needed for full CA-1 compliance.
(Similar additional mechanisms are mentioned in &lt;a class=&#34;link&#34; href=&#34;https://highassurance.rs/chp2/_index.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Chapter 2&lt;/a&gt;.)&lt;/p&gt;
&lt;p&gt;However, CA-1 is not sufficient for cryptographic primitives as stated above.
To reach CA-2 the code needs to be rewritten though because &lt;strong&gt;it has secret
dependent memory access&lt;/strong&gt;.
After doing this property based testing, fuzzing, and techniques ensuring secret
independent computation have to be added.&lt;/p&gt;
&lt;p&gt;Because the code can be seen as a spec one can argue that it reaches CA-3a now
as well.
CA-3b is not applicable.
However it is not very efficient but rather a specification.
In order to use the algorithm in a real application one might want to implement
an efficient version that would then require an equivalence proof with the
specification.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;RC4 itself is of course not secure and must not be used! This is just taking the example from &lt;a class=&#34;link&#34; href=&#34;https://highassurance.rs&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;https://highassurance.rs&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;h2 id=&#34;cryspen-high-assurance-cryptography&#34;&gt;Cryspen High Assurance Cryptography&lt;/h2&gt;
&lt;p&gt;At Cryspen we consider CA-1 regular software.
Cryptographic code at Cryspen must always be CA-2 or higher.&lt;/p&gt;
&lt;p&gt;We are working on different high assurance cryptographic primitives and
protocols right now.&lt;/p&gt;
&lt;h3 id=&#34;hacl&#34;&gt;HACL&lt;/h3&gt;
&lt;p&gt;The &lt;a class=&#34;link&#34; href=&#34;https://github.com/cryspen/hacl-packages&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HACL packages&lt;/a&gt; wrap the HACL* research artifacts and constitute a high
assurance cryptographic library.
The library is CA-3a because it is proven to be memory safe, has correctness
proofs with respect to a specification and ensures secret independent computation
on a programming language level.&lt;/p&gt;
&lt;h3 id=&#34;hpke&#34;&gt;HPKE&lt;/h3&gt;
&lt;p&gt;The &lt;a class=&#34;link&#34; href=&#34;https://github.com/cryspen/hpke-spec/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE implementation&lt;/a&gt; is a specification of the &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/rfc9180/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE RFC&lt;/a&gt; and as such is CA-3a
because it is self-evidently correct as a specification and uses formally
verified cryptography with CA-3a.
In a next step the &lt;a class=&#34;link&#34; href=&#34;https://github.com/cryspen/hpke-spec/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE implementation&lt;/a&gt; will be connected to the &lt;a class=&#34;link&#34; href=&#34;https://www.benjaminlipp.de/p/hpke-cryptographic-standard/#pre&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Cryptoverif&lt;/a&gt;
models to prove security properties and thus reach the highest assurance
level CA-3b.&lt;/p&gt;
&lt;h3 id=&#34;tls-13&#34;&gt;TLS 1.3&lt;/h3&gt;
&lt;p&gt;In an &lt;a class=&#34;link&#34; href=&#34;https://www.assure.ngi.eu/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;NGI Assure&lt;/a&gt; project we develop the first formally verified, production
ready TLS 1.3 implementation.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://www.cryspen.com&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Cryspen&lt;/a&gt; offers high assurance cryptographic implementations.
&lt;a class=&#34;link&#34; href=&#34;mailto:franziskus@cryspen.com&#34; &gt;Get in touch for more information.&lt;/a&gt;&lt;/p&gt;
</description>
        </item>
        <item>
        <title>An Executable HPKE Specification</title>
        <link>https://www.franziskuskiefer.de/p/an-executable-hpke-specification/</link>
        <pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/an-executable-hpke-specification/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/an-executable-hpke-specification/header.png" alt="Featured image of post An Executable HPKE Specification" /&gt;&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt;, published as &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RFC 9180&lt;/a&gt;, describes a scheme for hybrid public key encryption.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;📚 Please go and read our &lt;a class=&#34;link&#34; href=&#34;https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/&#34; &gt;TL;DR on HPKE&lt;/a&gt; if you nee more background on HPKE.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;In this I describe the first executable HPKE specification using &lt;a class=&#34;link&#34; href=&#34;https://hacspec.org&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;hacspec&lt;/a&gt;.
It is not only an executable specification of &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt;, it is also an annotated version
of the RFC that can be read instead of (or in addition to) the RFC.
While the &lt;a class=&#34;link&#34; href=&#34;https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/&#34; &gt;TL;DR on HPKE&lt;/a&gt; was intended for consumers or potential users of HPKE,
this blog post is aimed at implementators that want to implement HPKE or understand
it better.&lt;/p&gt;
&lt;p&gt;It is a showcase for Cryspen&amp;rsquo;s technology stack.
In a follow up blog post we will describe how to connect the &lt;a class=&#34;link&#34; href=&#34;https://hacspec.org&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;hacspec&lt;/a&gt; specification
to efficient cryptographic primitives and formal proofs.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;This blog post focuses on the Base and Auth mode with DHKEM to demonstrate the capabilities
of hacspec.
For the full specification please read the full &lt;a class=&#34;link&#34; href=&#34;https://tech.cryspen.com/hpke-spec&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;documentation&lt;/a&gt;, or look at the
&lt;a class=&#34;link&#34; href=&#34;https://github.com/cryspen/hpke-spec&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Github repository&lt;/a&gt; for the HPKE hacspec source code.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Recall that HPKE provides a variant of public-key encryption of arbitrary-sized plaintexts for a recipient public key.
It works for any combination of an asymmetric key encapsulation mechanism (KEM), key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function.&lt;/p&gt;
&lt;p&gt;In the following I&amp;rsquo;ll first show the high-level API of HPKE works before giving
details on the core functions within HPKE.
All code examples are in hacspec.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;💡 Go ahead and &lt;a class=&#34;link&#34; href=&#34;https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/#try-it-out-now&#34; &gt;run the hacspec HPKE in the browser&lt;/a&gt;.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2 id=&#34;encrypting-to-a-public-key&#34;&gt;Encrypting to a Public Key&lt;/h2&gt;
&lt;p&gt;This is the most basic functionality HPKE offers; encrypting a payload to a public key.
So how does this look on the outside?&lt;/p&gt;
&lt;p&gt;The process consists of two steps.
&lt;em&gt;First&lt;/em&gt; a random &lt;code&gt;shared_secret&lt;/code&gt; is generated that can be used for
symmetric encryption with an AEAD, and an encapsulation that can be used by the
receiver in combination with their private key to compute the same &lt;code&gt;shared_secret&lt;/code&gt;.
This function is denoted &lt;code&gt;SetupBaseS&lt;/code&gt; below (because this is setting up the sender
in the HPKE base mode).
Note that the setup function expands the &lt;code&gt;shared_secret&lt;/code&gt; to a key schedule that
is used by the AEAD.
More details in the &lt;a class=&#34;link&#34; href=&#34;#setup&#34; &gt;Setup&lt;/a&gt; section.
&lt;em&gt;Then&lt;/em&gt; the &lt;code&gt;shared_secret&lt;/code&gt; is used to encrypt the payload with an AEAD.
This function is denoted &lt;code&gt;AeadSeal&lt;/code&gt; below.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-rust&#34; data-lang=&#34;rust&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;enc&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;nonce&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;_&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;_&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;))&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;SetupBaseS&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkR&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;randomness&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;cipher_text&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;AeadSeal&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;aead_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;nonce&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;aad&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;payload&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The receiver gets &lt;code&gt;cipher_text&lt;/code&gt; and &lt;code&gt;enc&lt;/code&gt; that it can use to retrieve the &lt;code&gt;payload&lt;/code&gt;.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-rust&#34; data-lang=&#34;rust&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;nonce&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;_&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;_&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;SetupBaseR&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;enc&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;skR&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;payload&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;AeadOpen&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;aead&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;nonce&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;aad&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;ct&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;In the remainder of this blog post we&amp;rsquo;ll show how &lt;code&gt;SetupBaseS&lt;/code&gt; is defined.
For a description of the receiver please check out the &lt;a class=&#34;link&#34; href=&#34;https://tech.cryspen.com/hpke-spec&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;documentation&lt;/a&gt;.
We will not define &lt;code&gt;AeadSeal&lt;/code&gt; and &lt;code&gt;AeadOpen&lt;/code&gt; here as they follow the definition
of &lt;a class=&#34;link&#34; href=&#34;https://www.rfc-editor.org/info/rfc5116&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RFC 5116&lt;/a&gt;.&lt;/p&gt;
&lt;details&gt;
&lt;summary&gt;💡  Background on hacspec Syntax&lt;/summary&gt;
In case you are not familiar with hacspec (Rust) syntax, here are some short explainers
to understand the hacspec code.
&lt;p&gt;&lt;strong&gt;The Question mark &lt;code&gt;?&lt;/code&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The question mark &lt;code&gt;?&lt;/code&gt; at the end of most lines in the hacspec code is the
way Rust performs error propagation.
If the function that is called before the &lt;code&gt;?&lt;/code&gt; does not return an error result,
the program continues as expected.
But if the function returns an error, the function stops and returns with the error
instead.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The Result Type&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;hacspec (and Rust) uses a &lt;code&gt;Result&lt;/code&gt; type such as &lt;code&gt;Result&amp;lt;OkType, ErrorType&amp;gt;&lt;/code&gt; to return errors.
In hacspec result types are often wrapped into type aliases.
For example the &lt;code&gt;SenderContextResult&lt;/code&gt; type in the code snippet for &lt;code&gt;SetupBaseS&lt;/code&gt;
below is a type alias for &lt;code&gt;Result&amp;lt;(Encapsulation, KeySchedule), Error&amp;gt;&lt;/code&gt;.
If the function is successful and we reach line 10, the function returns success,
which is written as &lt;code&gt;SenderContextResult::Ok(...)&lt;/code&gt;.&lt;/p&gt;
&lt;/details&gt;
&lt;h3 id=&#34;the-auth-mode&#34;&gt;The Auth Mode&lt;/h3&gt;
&lt;p&gt;In the Auth mode HPKE requires additional input to the &lt;code&gt;Setup&lt;/code&gt; functions.
The sender needs to provide their private key &lt;code&gt;skS&lt;/code&gt; to authenticate themselves.
The receiver uses the sender&amp;rsquo;s public key &lt;code&gt;pkS&lt;/code&gt; in addition to authenticate the sender.
The two functions are defined as follows.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-rust&#34; data-lang=&#34;rust&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;n&#34;&gt;SetupAuthS&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkR&lt;/span&gt;:&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;skS&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;randomness&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;SetupAuthR&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;enc&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;skR&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkS&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id=&#34;setup&#34;&gt;Setup&lt;/h3&gt;
&lt;p&gt;In order to set up the KEM and key schedule the sender uses the following &lt;code&gt;SetupBaseS&lt;/code&gt;
function.
Recall that the &lt;code&gt;BaseS&lt;/code&gt; refers to the HPKE base mode and sender.&lt;/p&gt;
&lt;p&gt;The function takes the receiver&amp;rsquo;s public key &lt;code&gt;pkR&lt;/code&gt; and context information &lt;code&gt;info&lt;/code&gt;
(a sequence of bytes to bind the setup to a specific context).
In addition we need to pass in the &lt;code&gt;configuration&lt;/code&gt; that contains the mode as well
as the algorithm identifiers for the KEM.
Because hacspec can&amp;rsquo;t draw its own &lt;code&gt;randomness&lt;/code&gt;, as explained &lt;a class=&#34;link&#34; href=&#34;#randomness&#34; &gt;below&lt;/a&gt;,
it is passed in as well.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-rust&#34; data-lang=&#34;rust&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;pub&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;k&#34;&gt;fn&lt;/span&gt; &lt;span class=&#34;nf&#34;&gt;SetupBaseS&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;configuration&lt;/span&gt;: &lt;span class=&#34;nc&#34;&gt;HPKEConfig&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkR&lt;/span&gt;: &lt;span class=&#34;kp&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;nc&#34;&gt;HpkePublicKey&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info&lt;/span&gt;: &lt;span class=&#34;kp&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;nc&#34;&gt;Info&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;randomness&lt;/span&gt;: &lt;span class=&#34;nc&#34;&gt;Randomness&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;-&amp;gt; &lt;span class=&#34;nc&#34;&gt;SenderContextResult&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;shared_secret&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;enc&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;Encap&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kem&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;configuration&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkR&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;randomness&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key_schedule&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;KeySchedule&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;shared_secret&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;default_psk&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;default_psk_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;SenderContextResult&lt;/span&gt;::&lt;span class=&#34;nb&#34;&gt;Ok&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;((&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;enc&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key_schedule&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;))&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;For comparison you can find the RFC pseudocode definition of &lt;code&gt;SetupBaseS&lt;/code&gt; below
(which is not well defined as is because it is missing the algorithm identifiers).
The main difference between the two functions is the explicit configuration and
randomness required in hacspec.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-text&#34; data-lang=&#34;text&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;def SetupBaseS(pkR, info):
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  shared_secret, enc = Encap(pkR)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  return enc, KeyScheduleS(mode_base, shared_secret, info,
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;                           default_psk, default_psk_id)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The setup function calls the two functions &lt;a class=&#34;link&#34; href=&#34;#encap&#34; &gt;&lt;code&gt;Encap&lt;/code&gt;&lt;/a&gt; and &lt;a class=&#34;link&#34; href=&#34;#keyschedule&#34; &gt;&lt;code&gt;KeySchedule&lt;/code&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id=&#34;encap&#34;&gt;Encap&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;(Reminder: For demonstration purposes we use the DHKEM defined in the RFC.)&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The &lt;code&gt;Encap&lt;/code&gt; function takes the receiver&amp;rsquo;s public key &lt;code&gt;pkR&lt;/code&gt; and generates a &lt;code&gt;shared_secret&lt;/code&gt; as well
as an &lt;code&gt;encapsulation&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;It is necessary to pass in the algorithm identifier to know
which KEM to use and the randomness to generate a new ephemeral key pair for the
KEM.
See the &lt;a class=&#34;link&#34; href=&#34;#implementation-considerations&#34; &gt;discussion section below&lt;/a&gt; on the necessity of the API changes.
Because the function can fail it returns a result instead of simply the computed
values as described in the RFC pseudocode.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-text&#34; data-lang=&#34;text&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;def Encap(pkR):
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  skE, pkE = GenerateKeyPair()
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  dh = DH(skE, pkR)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  enc = SerializePublicKey(pkE)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  pkRm = SerializePublicKey(pkR)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  kem_context = concat(enc, pkRm)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  shared_secret = ExtractAndExpand(dh, kem_context)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  return shared_secret, enc
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;All these changes make it much clearer what can happen within the function and
in particular which error states might occur.&lt;/p&gt;
&lt;p&gt;The &lt;code&gt;Encap&lt;/code&gt; function generates a fresh DH key pair and computes the DH between the
receivers public key and the ephemeral private key $\text{dh}=\text{skE}*\text{pkR}$.
The &lt;code&gt;shared_secret&lt;/code&gt; is then computed as the output of a key derivation function (HKDF)
on input of the &lt;code&gt;dh&lt;/code&gt; value and the context that binds the key derivation to the
parameters and public values.
The encapsulation &lt;code&gt;enc&lt;/code&gt; is the serialized public key &lt;code&gt;pkE&lt;/code&gt; generated in the first
step.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-rust&#34; data-lang=&#34;rust&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;pub&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;k&#34;&gt;fn&lt;/span&gt; &lt;span class=&#34;nf&#34;&gt;Encap&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkR&lt;/span&gt;: &lt;span class=&#34;kp&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;nc&#34;&gt;PublicKey&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;alg&lt;/span&gt;: &lt;span class=&#34;nc&#34;&gt;KEM&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;rand&lt;/span&gt;: &lt;span class=&#34;nc&#34;&gt;Randomness&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;-&amp;gt; &lt;span class=&#34;nc&#34;&gt;EncapResult&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;skE&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkE&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;GenerateKeyPair&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;alg&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;rand&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;dh&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;DH&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;alg&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;skE&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkR&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;encapsulation&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;SerializePublicKey&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;alg&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkE&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkRm&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;SerializePublicKey&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;alg&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkR&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kem_context&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;enc&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;.&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;concat&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pkRm&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;shared_secret&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;ExtractAndExpand&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;alg&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;suite_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;alg&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;dh&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kem_context&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;EncapResult&lt;/span&gt;::&lt;span class=&#34;nb&#34;&gt;Ok&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;((&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;shared_secret&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;encapsulation&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;))&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id=&#34;keyschedule&#34;&gt;KeySchedule&lt;/h3&gt;
&lt;p&gt;In order to use the &lt;code&gt;shared_secret&lt;/code&gt; with an AEAD and allow exporting additional
key material, the following &lt;code&gt;KeySchedule&lt;/code&gt; derives the &lt;code&gt;key&lt;/code&gt; and &lt;code&gt;base_nonce&lt;/code&gt; for the
AEAD and an &lt;code&gt;exporter_secret&lt;/code&gt; to export other keys.
The key schedule is essentially a series of HKDF calls to extract different keys
from the shared secret.&lt;/p&gt;
&lt;p&gt;The main difference to the RFC here is again that it is necessary to pass in algorithm
identifiers and the &lt;code&gt;suite_id&lt;/code&gt; to &lt;code&gt;LabeledExtract&lt;/code&gt; and &lt;code&gt;LabeledExpand&lt;/code&gt;.
The &lt;code&gt;suite_id&lt;/code&gt; binds the KDF extract and expand functions to the specific context
and is implicit in the RFC.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-rust&#34; data-lang=&#34;rust&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;pub&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;k&#34;&gt;fn&lt;/span&gt; &lt;span class=&#34;nf&#34;&gt;KeySchedule&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;: &lt;span class=&#34;nc&#34;&gt;HPKEConfig&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;shared_secret&lt;/span&gt;: &lt;span class=&#34;kp&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;nc&#34;&gt;SharedSecret&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info&lt;/span&gt;: &lt;span class=&#34;kp&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;nc&#34;&gt;Info&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;psk&lt;/span&gt;: &lt;span class=&#34;kp&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;nc&#34;&gt;Psk&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;psk_id&lt;/span&gt;: &lt;span class=&#34;kp&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;nc&#34;&gt;PskId&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;-&amp;gt; &lt;span class=&#34;nc&#34;&gt;ContextResult&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;VerifyPSKInputs&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;psk&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;psk_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;HPKEConfig&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;mode&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;_kem&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kdf&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;aead&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;psk_id_hash&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;LabeledExtract&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kdf&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;suite_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;empty_bytes&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;psk_id_hash_label&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;psk_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info_hash&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;LabeledExtract&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kdf&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;suite_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;empty_bytes&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info_hash_label&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key_schedule_context&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;hpke_mode_label&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;mode&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;.&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;concat_owned&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;psk_id_hash&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;.&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;concat_owned&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;info_hash&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;secret&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;LabeledExtract&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kdf&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;suite_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;shared_secret&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;secret_label&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;psk&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;LabeledExpand&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kdf&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;suite_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;secret&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key_label&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key_schedule_context&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;Nk&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;aead&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;base_nonce&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;LabeledExpand&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kdf&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;suite_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;secret&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;base_nonce_label&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key_schedule_context&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;Nn&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;aead&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;exporter_secret&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;LabeledExpand&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kdf&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;suite_id&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;config&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;secret&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;exp_label&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;key_schedule_context&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;Nh&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;kdf&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;?&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;For comparison you can find the RFC pseudocode definition of &lt;code&gt;KeySchedule&lt;/code&gt; below.
Note that the significantly longer hacspec definition above is not in fact longer
but has longer lines that are wrapped.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-text&#34; data-lang=&#34;text&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;def KeySchedule&amp;lt;ROLE&amp;gt;(mode, shared_secret, info, psk, psk_id):
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  VerifyPSKInputs(mode, psk, psk_id)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  psk_id_hash = LabeledExtract(&amp;#34;&amp;#34;, &amp;#34;psk_id_hash&amp;#34;, psk_id)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  info_hash = LabeledExtract(&amp;#34;&amp;#34;, &amp;#34;info_hash&amp;#34;, info)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  key_schedule_context = concat(mode, psk_id_hash, info_hash)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  secret = LabeledExtract(shared_secret, &amp;#34;secret&amp;#34;, psk)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  key = LabeledExpand(secret, &amp;#34;key&amp;#34;, key_schedule_context, Nk)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  base_nonce = LabeledExpand(secret, &amp;#34;base_nonce&amp;#34;, key_schedule_context, Nn)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  exporter_secret = LabeledExpand(secret, &amp;#34;exp&amp;#34;, key_schedule_context, Nh)
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  return Context&amp;lt;ROLE&amp;gt;(key, base_nonce, 0, exporter_secret)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This is all that is needed to implement &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt;.
All code examples here are taken directly from the Cryspen HPKE reference implementation.
You can find the full code in the &lt;a class=&#34;link&#34; href=&#34;https://github.com/cryspen/hpke-spec&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Github repository&lt;/a&gt; as well as the &lt;a class=&#34;link&#34; href=&#34;https://tech.cryspen.com/hpke-spec&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;documentation&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id=&#34;implementation-considerations&#34;&gt;Implementation Considerations&lt;/h2&gt;
&lt;p&gt;When defining HPKE in hacspec, or most other programming languages, there are a
number of considerations that impact the way the code looks.&lt;/p&gt;
&lt;p&gt;The hacspec code is as close to the RFC pseudocode as possible.
But some changes are needed.&lt;/p&gt;
&lt;h3 id=&#34;randomness&#34;&gt;Randomness&lt;/h3&gt;
&lt;p&gt;hacspec does not allow to draw randomness.
It is therefore necessary to pass in randomness every time it is needed.&lt;/p&gt;
&lt;p&gt;This approach is pretty close to the way this would be implemented in native Rust
where a random-number generator is passed in and used to generate randomness.
For simplicity hacspec expects the randomness to be drawn on the outside instead
of doing it within the specification.&lt;/p&gt;
&lt;p&gt;Note that it is possible to pre-determine the amount of randomness needed by HPKE
calls because randomness is only needed when setting up the sender.
At this point the KEM mechanisms and hence the required randomness is known.&lt;/p&gt;
&lt;h3 id=&#34;configuration-parameters&#34;&gt;Configuration Parameters&lt;/h3&gt;
&lt;p&gt;The &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; RFC makes most of the configuration implicit to the functions rather than
passing the algorithm identifiers around.
Because the hacspec implementation has to know which algorithm to pick, this is
of course not possible here.&lt;/p&gt;
&lt;p&gt;HPKE hacspec functions take either an &lt;a class=&#34;link&#34; href=&#34;https://tech.cryspen.com/hpke-spec/hpke/struct.HPKEConfig.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;&lt;code&gt;HPKEConfig&lt;/code&gt;&lt;/a&gt; object with all algorithms
in it or the specific algorithm identifier needed for the operation.&lt;/p&gt;
&lt;h3 id=&#34;naming&#34;&gt;Naming&lt;/h3&gt;
&lt;p&gt;The &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; RFC uses, in some cases, names that are impossible to use in hacspec
because they are keywords or contain illegal characters.
Further does hacspec not support member functions as defined for the &lt;code&gt;Context&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;We therefore replace &lt;code&gt;.&lt;/code&gt; in member function calls such as &lt;code&gt;Context.Export&lt;/code&gt; with an underscore,
i.e. write &lt;code&gt;Context_Export&lt;/code&gt;.
Keywords such as &lt;code&gt;open&lt;/code&gt; are replaced with a semantically equivalent version, i.e.
&lt;code&gt;HpkeOpen&lt;/code&gt; in this example.&lt;/p&gt;
&lt;h3 id=&#34;secret-bytes&#34;&gt;Secret bytes&lt;/h3&gt;
&lt;p&gt;hacspec has the notion of secret integers that can&amp;rsquo;t be used for certain operations
and should enforce secret-independent computation time.&lt;/p&gt;
&lt;p&gt;For simplicity the hacspec HPKE implementation uses secret bytes everywhere even
if not necessary, e.g. for cipher texts.&lt;/p&gt;
&lt;h3 id=&#34;errors&#34;&gt;Errors&lt;/h3&gt;
&lt;p&gt;While the RFC defines a set of errors it does not always define which errors
are raised.
For example, it leaves open whether implementations convert errors from the
Diffie-Hellman operations into KEM errors (&lt;code&gt;EncapError&lt;/code&gt;/&lt;code&gt;DecapError&lt;/code&gt;) or not.&lt;/p&gt;
&lt;p&gt;With the specific implementation in hacspec here the errors are clearly defined.&lt;/p&gt;
&lt;h2 id=&#34;about-hacspec&#34;&gt;About hacspec&lt;/h2&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://hacspec.org&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;hacspec&lt;/a&gt; is a specification language for cryptographic mechanisms, and more, embedded in &lt;a class=&#34;link&#34; href=&#34;https://www.rust-lang.org/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Rust&lt;/a&gt;.
It is a language for writing succinct, executable, formal specifications for cryptographic components.
Syntactically, hacspec is a purely functional subset of Rust that aims to be readable by developers, cryptographers, and verification experts.
An application developer can use hacspec to specify and prototype cryptographic components in Rust, and then either replace this specification with a verified implementation before deployment
or use the hacspec code directly.&lt;/p&gt;
&lt;p&gt;We used &lt;a class=&#34;link&#34; href=&#34;https://hacspec.org&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;hacspec&lt;/a&gt; here to write an executable, succinct, specification of &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt;
that&amp;rsquo;s embedding the full RFC into its &lt;a class=&#34;link&#34; href=&#34;https://tech.cryspen.com/hpke-spec&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;documentation&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://hacspec.org&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;hacspec&lt;/a&gt; is at the heart of a novel, modular verification framework for Rust
applications developed by &lt;a class=&#34;link&#34; href=&#34;https://www.cryspen.com&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Cryspen&lt;/a&gt; in cooperation with the &lt;a class=&#34;link&#34; href=&#34;https://team.inria.fr/prosecco/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Prosecco&lt;/a&gt; team.&lt;/p&gt;
&lt;h2 id=&#34;summary&#34;&gt;Summary&lt;/h2&gt;
&lt;p&gt;Even though &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; is a relatively simple scheme it requires care when implementing.
This blog post gives an overview of how &lt;a class=&#34;link&#34; href=&#34;https://hacspec.org&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;hacspec&lt;/a&gt; can be used to achieve an executable
version of the &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; RFC that can be used as implementation on its own or as
specification and reference implementation when implementing HPKE.&lt;/p&gt;
&lt;p&gt;My company &lt;a class=&#34;link&#34; href=&#34;https://www.cryspen.com&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Cryspen&lt;/a&gt; offers support for using &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; as well as high assurance implementations
of HPKE and other protocols.
&lt;a class=&#34;link&#34; href=&#34;mailto:franziskus@cryspen.com&#34; &gt;Get in touch for more information.&lt;/a&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;ul&gt;
&lt;li&gt;&lt;i class=&#34;fab fa-github&#34;&gt;&lt;/i&gt; &lt;a class=&#34;link&#34; href=&#34;https://github.com/cryspen/hpke-spec&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Github repository&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;i class=&#34;fa fa-book&#34; aria-hidden=&#34;true&#34;&gt;&lt;/i&gt; &lt;a class=&#34;link&#34; href=&#34;https://tech.cryspen.com/hpke-spec&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Documentation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;i class=&#34;fa fa-file&#34; aria-hidden=&#34;true&#34;&gt;&lt;/i&gt; &lt;a class=&#34;link&#34; href=&#34;https://www.rfc-editor.org/rfc/rfc9180.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RFC&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
        </item>
        <item>
        <title>TL;DR - Hybrid Public Key Encryption</title>
        <link>https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/</link>
        <pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/hybrid.jpg" alt="Featured image of post TL;DR - Hybrid Public Key Encryption" /&gt;&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; is a &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/rg/cfrg/about/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;CFRG&lt;/a&gt; in &lt;a class=&#34;link&#34; href=&#34;https://www.rfc-editor.org/rfc/rfc9180.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RFC 9180&lt;/a&gt; that describes a scheme for hybrid public key encryption.
It is co-authored by my &lt;a class=&#34;link&#34; href=&#34;https://www.cryspen.com&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Cryspen&lt;/a&gt; co-founder &lt;a class=&#34;link&#34; href=&#34;https://bhargavan.info/index.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Karthikeyan Bhargavan&lt;/a&gt; and one of
his PhD students &lt;a class=&#34;link&#34; href=&#34;https://www.benjaminlipp.de&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Benjamin Lipp&lt;/a&gt; as part of his research at &lt;a class=&#34;link&#34; href=&#34;https://team.inria.fr/prosecco&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Inria&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This blog post will give a brief overview of the specification and describes some use cases.&lt;/p&gt;
&lt;p&gt;If you want to learn more about the security proofs behind HPKE and the RFC process,
Benjamin wrote an &lt;a class=&#34;link&#34; href=&#34;https://www.benjaminlipp.de/p/hpke-cryptographic-standard/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;excellent blog post&lt;/a&gt; about it.&lt;/p&gt;
&lt;p&gt;Hybrid Public Key Encryption, or short HPKE, is a cyrptographic mechanism that
allows encrypting payload to a public key.
It is called &amp;ldquo;hybrid&amp;rdquo; because the payload is encrypted with a symmetric scheme.
The symmetric key is then encrypted to the receivers public key.
The &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; standard defines a number of natural extensions to the basic setting
that allow the sender to authenticate themselves.&lt;/p&gt;
&lt;h2 id=&#34;hybrid-crypto-systems&#34;&gt;Hybrid Crypto Systems&lt;/h2&gt;
&lt;p&gt;Hybrid public key encryption has been used in different ways since the early 1990s in protocols such as &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Pretty_Good_Privacy&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;PGP&lt;/a&gt; or &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Cryptographic_Message_Syntax&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;SMIME&lt;/a&gt;.
While these two protocols are for a very specific use case a more general version of hybrid encryption is described in &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Integrated_Encryption_Scheme&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ECIES&lt;/a&gt;.
&lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Integrated_Encryption_Scheme&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ECIES&lt;/a&gt; is part of many systems nowadays.
&lt;a class=&#34;link&#34; href=&#34;https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Storing keys in the secure enclave on an iOS&lt;/a&gt; device for example uses &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Integrated_Encryption_Scheme&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ECIES&lt;/a&gt;.
For a deeper explanation and history of hybrid crypto systems I recommend reading
&lt;a class=&#34;link&#34; href=&#34;https://blog.cloudflare.com/hybrid-public-key-encryption/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Christopher Wood&amp;rsquo;s blog post&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;However, there&amp;rsquo;s no general description of hybrid public key encryption with modern primitives.
The &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; standard solves this issue.
Even before the RFC is finalised it is used in specifications for &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-ietf-tls-esni/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ECH&lt;/a&gt;, &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;MLS&lt;/a&gt;, &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-pauly-dprive-oblivious-doh/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ODOH&lt;/a&gt;, and &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-gpew-priv-ppm/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;PPM&lt;/a&gt;.
This shows the high demand for &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;HPKE has four distinct modes of operation: Base, Auth, PSK, AuthPSK.
In this blog post we only describe the two most commonly used modes Base and Auth.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;HPKE Modes&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The &lt;em&gt;Base&lt;/em&gt; mode is the most common use case for HPKE where payload is encrypted
to a public key.
All other modes are authenticated in different ways.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;em&gt;Auth&lt;/em&gt; uses the sender&amp;rsquo;s private key for authentication&lt;/li&gt;
&lt;li&gt;&lt;em&gt;PSK&lt;/em&gt; uses a pre-shared, high-entropy, key for authentication&lt;/li&gt;
&lt;li&gt;&lt;em&gt;AuthPSK&lt;/em&gt; uses the sender&amp;rsquo;s private key as well as a pre-shared, high-entropy, key for authentication&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id=&#34;encrypting-to-a-public-key&#34;&gt;Encrypting to a public key&lt;/h3&gt;
&lt;p&gt;The following figure depicts the general flow of encrypting to a public key.
This is the Base mode in HPKE.
This is the most basic application of hybrid crypto systems.
Alex knows the public key from Sasha and wants to send some &lt;code&gt;Data&lt;/code&gt; to them.
Shasha&amp;rsquo;s public key is used to encrypt a shared secret, which is used to encrypt
the &lt;code&gt;Data&lt;/code&gt;.
The encrypted shared secret as well as the encrypted data is sent to Sasha, who
can retrieve the shared secret with their corresponding private key.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 99; flex-basis: 238px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/hybrid-encryption.png&#34; data-size=&#34;1229x1237&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/hybrid-encryption.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/hybrid-encryption_hu0ec71786f79143a99e1764e382ce63cf_316986_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/hybrid-encryption_hu0ec71786f79143a99e1764e382ce63cf_316986_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;1229&#34;
				height=&#34;1237&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&#34;encrypting-to-a-public-key--authenticating-with-an-asymmetric-key&#34;&gt;Encrypting to a public key &amp;amp; Authenticating with an asymmetric key&lt;/h3&gt;
&lt;p&gt;Sometimes it is useful or necessary to authenticate the sender of the data.
This is depicted in the figure below and represents the HPKE Auth mode.
The authentication is achieved by mixing in the sender&amp;rsquo;s private key such that
the receiver will only retrieve the correct shared secret if the public key
they use for the sender corresponds to the used private key.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 118; flex-basis: 285px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/authenticated-hybrid-encryption.png&#34; data-size=&#34;1470x1237&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/authenticated-hybrid-encryption.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/authenticated-hybrid-encryption_hu2a8758be36ffa4ce890f3eb2a453dd08_355212_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/authenticated-hybrid-encryption_hu2a8758be36ffa4ce890f3eb2a453dd08_355212_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;1470&#34;
				height=&#34;1237&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&#34;hpke&#34;&gt;HPKE&lt;/h2&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; is essentially standardising how to use &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Key_encapsulation&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Key Encapsulation Mechanisms (KEM)&lt;/a&gt;
for hybrid encryption.
The sender in &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; uses a KEM to generate the shared secret as well as the
encapsulation.
The shared secret is then used in an &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Authenticated_encryption#Authenticated_encryption_with_associated_data_%28AEAD%29&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;AEAD&lt;/a&gt; (after running it through a key schedule)
in order to encrypt a payload.&lt;/p&gt;
&lt;p&gt;All HPKE use cases so far only take advantage of the single-shot APIs from HPKE.
In order to encrypt a payload to a public key the sender needs to provide the
receiver&amp;rsquo;s public key &lt;code&gt;pkR&lt;/code&gt;, some information &lt;code&gt;info&lt;/code&gt; and additional data &lt;code&gt;aad&lt;/code&gt; to bind the encryption
to a certain context, as well as the payload &lt;code&gt;pt&lt;/code&gt;.
HPKE returns the cipher text &lt;code&gt;ct&lt;/code&gt; as well as the encapsulation &lt;code&gt;enc&lt;/code&gt; that are both sent to
the receiver.&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;enc, ct &amp;lt;- Seal(pkR, info, aad, pt)
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;When using the Auth mode the sender&amp;rsquo;s private key &lt;code&gt;sk&lt;/code&gt; is needed in addition.&lt;/p&gt;
&lt;p&gt;The receiver takes the encapsulation &lt;code&gt;enc&lt;/code&gt; and cipher text &lt;code&gt;ct&lt;/code&gt; together with their
private key to retrieve the payload.&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;pt &amp;lt;- Open(enc, skR, info, aad, ct)
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;When using the Auth mode the sender&amp;rsquo;s public key &lt;code&gt;pkS&lt;/code&gt; is needed in addition.&lt;/p&gt;
&lt;h3 id=&#34;multiple-encryptions&#34;&gt;Multiple Encryptions&lt;/h3&gt;
&lt;p&gt;HPKE allows multiple encryptions with the same shared secret.
This is favourable if multiple messages are sent from the sender to the receiver.
To this end HPKE generates a context that allows encrypting (and decrypting) multiple
messages.&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;enc, ContextS &amp;lt;- SetupS(pkR, info)
ContextR &amp;lt;- SetupR(enc, skR, info)
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Note that HPKE goes a step further than the &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/html/rfc5116&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;AEAD RFC&lt;/a&gt; and simplifies the API.
The consumer only needs to provide the payload and (potentially empty) additional
data.
HPKE takes care of providing unique nonces to the AEAD and fails if the maximum
number of encryptions with the context have been performed &amp;mdash; in particular if
the nonce would overflow.&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;ct &amp;lt;- ContextS.Seal(aad, pt)
pt &amp;lt;- ContextR.Open(aad, ct)
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id=&#34;exporting-secrets&#34;&gt;Exporting Secrets&lt;/h3&gt;
&lt;p&gt;In some scenarios applications need to establish additional shared secrets.
This can be achieved with the HPKE exporter interface.
The API is similar to the &lt;code&gt;Seal&lt;/code&gt; and &lt;code&gt;Open&lt;/code&gt; functions above but don&amp;rsquo;t require
a payload or additional data.
Instead an &lt;code&gt;exporter_context&lt;/code&gt; and the length of the exported secret &lt;code&gt;L&lt;/code&gt; have to
be provided.&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;enc, exported_secret &amp;lt;- SendExport(pkR, info, exporter_context, L)
exported_secret &amp;lt;- ReceiveExport(enc, skR, info, exporter_context, L)
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id=&#34;use-cases&#34;&gt;Use Cases&lt;/h3&gt;
&lt;p&gt;Instead of inventing new use cases for HPKE we describe how HPKE is used in &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;MLS&lt;/a&gt;
and &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-ietf-tls-esni/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ECH&lt;/a&gt; as they reflect common uses of hybrid public key encryption.&lt;/p&gt;
&lt;h4 id=&#34;hpke-in-mls&#34;&gt;HPKE in MLS&lt;/h4&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;MLS&lt;/a&gt; (Message Layer Security) is an IETF draft that standardises a new way of efficiently encrypting messages
between participants in groups.
It aims to solve the problem of end-to-end encryption in instant messaging.
&lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; is a core building block.
In order to encrypt a message to a specific entity in the protocol, &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;MLS&lt;/a&gt; uses &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt;
to encrypt the message to the specific public key.&lt;/p&gt;
&lt;h4 id=&#34;hpke-in-ech&#34;&gt;HPKE in ECH&lt;/h4&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-ietf-tls-esni/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ECH&lt;/a&gt; (Encrypted Client Hello) is a mechanism in &lt;a class=&#34;link&#34; href=&#34;https://tools.ietf.org/html/rfc8446&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;TLS&lt;/a&gt; (Transport Layer Security)
for encrypting a ClientHello message under a server public key.
This description from the &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-ietf-tls-esni/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ECH&lt;/a&gt; draft corresponds directly to the Base mode of &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt;
as described above.
This allows &lt;a class=&#34;link&#34; href=&#34;https://tools.ietf.org/html/rfc8446&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;TLS&lt;/a&gt; connections to become more private because they don&amp;rsquo;t leak
information about the connection, in particular the exact server the client wants
to connect to.&lt;/p&gt;
&lt;h2 id=&#34;demo&#34;&gt;Demo&lt;/h2&gt;
&lt;p&gt;In order to better understand the message flow and working of HPKE we put together
an interactive demo below to demonstrate how HPKE works.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;First generate a key pair for the receiver.&lt;/li&gt;
&lt;li&gt;Then populate the info, additional data, and payload fields on the sender side.&lt;/li&gt;
&lt;li&gt;When clicking the &amp;ldquo;HPKE Seal&amp;rdquo; button on the sender the following happens&lt;/li&gt;
&lt;/ol&gt;
&lt;ul&gt;
&lt;li&gt;The sender retrieves the public key from the receiver that has been generated in the first step.&lt;/li&gt;
&lt;li&gt;The sender uses HPKE to encrypt the payload together with the info and additional data to the receiver&amp;rsquo;s public key.&lt;/li&gt;
&lt;li&gt;The result is written into the Encoded Shared Secret and Ciphertext fields.&lt;/li&gt;
&lt;/ul&gt;
&lt;ol start=&#34;4&#34;&gt;
&lt;li&gt;When clicking &amp;ldquo;HPKE Open&amp;rdquo; the receiver uses the private key to retrieve the shared secret and decrypt the ciphertext.
The &amp;ldquo;Info&amp;rdquo; and &amp;ldquo;Additional Data&amp;rdquo; are the same as entered on the sender&amp;rsquo;s side.&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 id=&#34;try-it-out-now&#34;&gt;Try it out now!&lt;/h3&gt;
&lt;iframe width=&#34;100%&#34; height=&#34;800px&#34; src=&#34;./hpke_demo/index.html&#34;&gt;&lt;/iframe&gt;
&lt;p&gt;The demo is written in &lt;a class=&#34;link&#34; href=&#34;https://hacspec.org&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;hacspec&lt;/a&gt; (a subset of Rust) with a &lt;a class=&#34;link&#34; href=&#34;https://webassembly.org/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;WASM&lt;/a&gt; frontend.
Please stay tuned for a follow-up blog post diving into the details of this implementation.&lt;/p&gt;
&lt;h2 id=&#34;summary&#34;&gt;Summary&lt;/h2&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; is a simple, but very powerful new tool that allows to efficiently solve
key distribution problems (see the MLS use case) as well as increase privacy
in existing protocols (see the ECH use case).&lt;/p&gt;
&lt;p&gt;My company &lt;a class=&#34;link&#34; href=&#34;https://www.cryspen.com&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Cryspen&lt;/a&gt; offers support for using &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HPKE&lt;/a&gt; as well as high assurance implementations
of HPKE and other protocols.
&lt;a class=&#34;link&#34; href=&#34;mailto:franziskus@cryspen.com&#34; &gt;Get in touch for more information.&lt;/a&gt;&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Cryspen ERC PoC Grant</title>
        <link>https://www.franziskuskiefer.de/p/cryspen-erc-poc-grant/</link>
        <pubDate>Thu, 10 Feb 2022 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/cryspen-erc-poc-grant/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/cryspen-erc-poc-grant/erc.jpg" alt="Featured image of post Cryspen ERC PoC Grant" /&gt;&lt;p&gt;My co-founder &lt;a class=&#34;link&#34; href=&#34;https://bhargavan.info/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Karthik&lt;/a&gt; got awarded an &lt;a class=&#34;link&#34; href=&#34;https://erc.europa.eu/funding/proof-concept&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ERC Proof of Concept grant&lt;/a&gt; for
commercialising the know-how and landmark research results from his Inria
research group &lt;a class=&#34;link&#34; href=&#34;https://team.inria.fr/prosecco/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;PROSECCO&lt;/a&gt; through Cryspen.&lt;/p&gt;
&lt;h2 id=&#34;announcement&#34;&gt;Announcement&lt;/h2&gt;
&lt;p&gt;Cryptographic mechanisms are crucial to the security of our digital lives but their design and implementation remains notoriously difficult and error-prone. With the help of two ERC Grants, Karthikeyan Bhargavan and the Prosecco team at Inria have developed state-of-the-art formal verification techniques that can be applied to real-world cryptographic software. In particular, they used these techniques to help design and analyze the TLS 1.3 protocol standard, as well to build the HACL* verified cryptographic library, code from which has been incorporated in mainstream software projects including Mozilla Firefox, the Linux Kernel, the Tezos Blockchain, the WireGuard VPN, and the ElectionGuard voting system.&lt;/p&gt;
&lt;p&gt;The goal of this new ERC Proof of Concept grant is to build upon these these landmark research results and to commercialise the associated know-how through a new company called Cryspen. Cryspen will build a verified cryptographic software stack and an associated verification toolchain that is well-documented and easy to use for security developers. Cryspen will offer consulting and support contracts for this stack as well as software contracts for developing new cryptographic applications, ranging from secure messaging system to privacy-preserving machine learning.&lt;/p&gt;
&lt;p&gt;Cryspen is co-founded by Franziskus Kiefer (CEO), Karthikeyan Bhargavan, and Jonathan Protzenko. For more information, email &lt;a class=&#34;link&#34; href=&#34;mailto:info@cryspen.com&#34; &gt;info@cryspen.com&lt;/a&gt;&lt;/p&gt;
</description>
        </item>
        <item>
        <title>(HACL*) AEAD Benchmarks</title>
        <link>https://www.franziskuskiefer.de/p/hacl-aead-benchmarks/</link>
        <pubDate>Fri, 12 Nov 2021 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/hacl-aead-benchmarks/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/hacl-aead-benchmarks/AeadBenchHero.png" alt="Featured image of post (HACL*) AEAD Benchmarks" /&gt;&lt;blockquote&gt;
&lt;p&gt;This is in response to the &lt;a class=&#34;link&#34; href=&#34;https://kerkour.com/rust-symmetric-encryption-aead-benchmark/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;blog post by Sylvain Kerkour&lt;/a&gt; benchmarking ring and
Rust Crypto AEADs.
I was curious how HACL* stacks up to these two with these parameters.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;I&amp;rsquo;m maintaining the &lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/evercrypt&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Evercrypt crate&lt;/a&gt;, a wrapper
around the formally verified crypto library &lt;a class=&#34;link&#34; href=&#34;https://github.com/project-everest/hacl-star&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HACL*&lt;/a&gt;.
HACL* is a customizable, fast, formally verified crypto library written in F* and extracted to C.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/chacha20poly1305&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RustCrypto’s ChaCha20-Poly1305&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/aes-gcm&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RustCrypto’s AES-256-GCM&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/ring&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ring’s ChaCha20-Poly1305&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/ring&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ring’s AES-256-GCM&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;results&#34;&gt;Results&lt;/h2&gt;
&lt;p&gt;I&amp;rsquo;m listing all results here for comparison as I&amp;rsquo;m (obviously) running the benchmarks on a different machine.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;100B&lt;/th&gt;
&lt;th&gt;1kB&lt;/th&gt;
&lt;th&gt;100kB&lt;/th&gt;
&lt;th&gt;1MB&lt;/th&gt;
&lt;th&gt;10MB&lt;/th&gt;
&lt;th&gt;100MB&lt;/th&gt;
&lt;th&gt;1GB&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/chacha20poly1305&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RustCrypto’s ChaCha20-Poly1305&lt;/a&gt; v0.8.2&lt;/td&gt;
&lt;td&gt;1.6232 us (58.753 MiB/s)&lt;/td&gt;
&lt;td&gt;2.6941 us (353.98 MiB/s)&lt;/td&gt;
&lt;td&gt;120.10 us (794.10 MiB/s)&lt;/td&gt;
&lt;td&gt;1.1921 ms (800.02 MiB/s)&lt;/td&gt;
&lt;td&gt;12.015 ms (793.75 MiB/s)&lt;/td&gt;
&lt;td&gt;119.87 ms (795.58 MiB/s)&lt;/td&gt;
&lt;td&gt;1.1947 s (798.27 MiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/aes-gcm&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RustCrypto’s AES-256-GCM&lt;/a&gt; v0.9.4&lt;/td&gt;
&lt;td&gt;448.97 ns (212.42 MiB/s)&lt;/td&gt;
&lt;td&gt;1.5090 us (632.01 MiB/s)&lt;/td&gt;
&lt;td&gt;118.13 us (807.33 MiB/s)&lt;/td&gt;
&lt;td&gt;1.1947 ms (798.24 MiB/s)&lt;/td&gt;
&lt;td&gt;11.986 ms (795.68 MiB/s)&lt;/td&gt;
&lt;td&gt;119.39 ms (798.81 MiB/s)&lt;/td&gt;
&lt;td&gt;1.1974 s (796.43 MiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/ring&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ring’s ChaCha20-Poly1305&lt;/a&gt; v0.16.20&lt;/td&gt;
&lt;td&gt;193.82 ns (492.04 MiB/s)&lt;/td&gt;
&lt;td&gt;730.23 ns (1.2754 GiB/s)&lt;/td&gt;
&lt;td&gt;48.293 us (1.9285 GiB/s)&lt;/td&gt;
&lt;td&gt;490.64 us (1.8982 GiB/s)&lt;/td&gt;
&lt;td&gt;5.0475 ms (1.8451 GiB/s)&lt;/td&gt;
&lt;td&gt;51.438 ms (1.8106 GiB/s)&lt;/td&gt;
&lt;td&gt;514.99 ms (1.8084 GiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/ring&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ring’s AES-256-GCM&lt;/a&gt; v0.16.20&lt;/td&gt;
&lt;td&gt;235.57 ns (404.83 MiB/s)&lt;/td&gt;
&lt;td&gt;556.64 ns (1.6731 GiB/s)&lt;/td&gt;
&lt;td&gt;34.609 us (2.6910 GiB/s)&lt;/td&gt;
&lt;td&gt;343.41 us (2.7120 GiB/s)&lt;/td&gt;
&lt;td&gt;3.5471 ms (2.6256 GiB/s)&lt;/td&gt;
&lt;td&gt;34.873 ms (2.6706 GiB/s)&lt;/td&gt;
&lt;td&gt;348.51 ms (2.6723 GiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/evercrypt&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HACL*’s ChaCha20-Poly1305&lt;/a&gt; v0.0.10&lt;/td&gt;
&lt;td&gt;862.79 ns (110.53 MiB/s)&lt;/td&gt;
&lt;td&gt;1.2804 us (744.81 MiB/s)&lt;/td&gt;
&lt;td&gt;55.550 us (1.6765 GiB/s)&lt;/td&gt;
&lt;td&gt;549.11 us (1.6961 GiB/s)&lt;/td&gt;
&lt;td&gt;5.8844 ms (1.5827 GiB/s)&lt;/td&gt;
&lt;td&gt;88.801 ms (1.0488 GiB/s)&lt;/td&gt;
&lt;td&gt;847.39 ms (1.0990 GiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/evercrypt&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HACL*’s AES-256-GCM&lt;/a&gt; v0.0.10&lt;/td&gt;
&lt;td&gt;238.12 ns (400.51 MiB/s)&lt;/td&gt;
&lt;td&gt;598.56 ns (1.5560 GiB/s)&lt;/td&gt;
&lt;td&gt;38.997 us (2.3882 GiB/s)&lt;/td&gt;
&lt;td&gt;391.87 us (2.3766 GiB/s)&lt;/td&gt;
&lt;td&gt;4.0217 ms (2.3157 GiB/s)&lt;/td&gt;
&lt;td&gt;68.004 ms (1.3695 GiB/s)&lt;/td&gt;
&lt;td&gt;642.12 ms (1.4504 GiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;It is interesting to see that the HACL* AES-256-GCM implementation is only slightly
slower than ring&amp;rsquo;s (2.3GiB/s vs 2.7GiB/s) for 1MB and 10MB chunks.
But it significantly drops in performance for larger blobs while ring&amp;rsquo;s performance
stays the same.
The picture for Chacha20Poly1305 is similar, which points to general issues of
handling large data sizes within HACL*.&lt;/p&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;./aead-intel-benchmarks.txt&#34; &gt;Raw number&lt;/a&gt;&lt;/p&gt;
&lt;h2 id=&#34;m1&#34;&gt;M1&lt;/h2&gt;
&lt;p&gt;My main machine right now is a MacBook with M1 chip.
This is a very different machine.
Here are the numbers.&lt;/p&gt;
&lt;p&gt;Note that HACL* doesn&amp;rsquo;t support AES on ARM chips yet unfortunately.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;100B&lt;/th&gt;
&lt;th&gt;1kB&lt;/th&gt;
&lt;th&gt;100kB&lt;/th&gt;
&lt;th&gt;1MB&lt;/th&gt;
&lt;th&gt;10MB&lt;/th&gt;
&lt;th&gt;100MB&lt;/th&gt;
&lt;th&gt;1GB&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;[RustCrypto’s XChaCha20-Poly1305] v0.8.2&lt;/td&gt;
&lt;td&gt;558.20 ns (170.85 MiB/s)&lt;/td&gt;
&lt;td&gt;3.0136 us (316.46 MiB/s)&lt;/td&gt;
&lt;td&gt;274.25 us (347.74 MiB/s)&lt;/td&gt;
&lt;td&gt;2.7434 ms (347.62 MiB/s)&lt;/td&gt;
&lt;td&gt;27.535 ms (346.35 MiB/s)&lt;/td&gt;
&lt;td&gt;279.16 ms (341.62 MiB/s)&lt;/td&gt;
&lt;td&gt;2.7657 s (344.83 MiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/chacha20poly1305&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RustCrypto’s ChaCha20-Poly1305&lt;/a&gt; v0.8.2&lt;/td&gt;
&lt;td&gt;460.31 ns (207.18 MiB/s)&lt;/td&gt;
&lt;td&gt;2.9189 us (326.73 MiB/s)&lt;/td&gt;
&lt;td&gt;273.95 us (348.12 MiB/s)&lt;/td&gt;
&lt;td&gt;2.7429 ms (347.69 MiB/s)&lt;/td&gt;
&lt;td&gt;27.623 ms (345.25 MiB/s)&lt;/td&gt;
&lt;td&gt;281.35 ms (338.96 MiB/s)&lt;/td&gt;
&lt;td&gt;2.7525 s (346.48 MiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/aes-gcm&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RustCrypto’s AES-256-GCM&lt;/a&gt; v0.9.4&lt;/td&gt;
&lt;td&gt;3.0838 us (30.925 MiB/s)&lt;/td&gt;
&lt;td&gt;9.3825 us (101.64 MiB/s)&lt;/td&gt;
&lt;td&gt;707.99 us (134.70 MiB/s)&lt;/td&gt;
&lt;td&gt;7.0729 ms (134.83 MiB/s)&lt;/td&gt;
&lt;td&gt;70.655 ms (134.98 MiB/s)&lt;/td&gt;
&lt;td&gt;706.42 ms (135.00 MiB/s)&lt;/td&gt;
&lt;td&gt;7.1158 s (134.02 MiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/ring&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ring’s ChaCha20-Poly1305&lt;/a&gt; v0.16.20&lt;/td&gt;
&lt;td&gt;407.12 ns (234.25 MiB/s)&lt;/td&gt;
&lt;td&gt;1.3175 us (723.85 MiB/s)&lt;/td&gt;
&lt;td&gt;96.781 us (985.40 MiB/s)&lt;/td&gt;
&lt;td&gt;963.70 us (989.60 MiB/s)&lt;/td&gt;
&lt;td&gt;9.6676 ms (986.46 MiB/s)&lt;/td&gt;
&lt;td&gt;98.252 ms (970.64 MiB/s)&lt;/td&gt;
&lt;td&gt;975.96 ms (977.17 MiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/ring&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ring’s AES-256-GCM&lt;/a&gt; v0.16.20&lt;/td&gt;
&lt;td&gt;79.751 ns (1.1678 GiB/s)&lt;/td&gt;
&lt;td&gt;394.01 ns (2.3637 GiB/s)&lt;/td&gt;
&lt;td&gt;34.355 us (2.7109 GiB/s)&lt;/td&gt;
&lt;td&gt;344.78 us (2.7012 GiB/s)&lt;/td&gt;
&lt;td&gt;3.4792 ms (2.6768 GiB/s)&lt;/td&gt;
&lt;td&gt;34.543 ms (2.6961 GiB/s)&lt;/td&gt;
&lt;td&gt;345.92 ms (2.6923 GiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/evercrypt&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HACL*’s ChaCha20-Poly1305&lt;/a&gt; v0.0.10&lt;/td&gt;
&lt;td&gt;690.43 ns (138.13 MiB/s)&lt;/td&gt;
&lt;td&gt;1.7545 us (543.55 MiB/s)&lt;/td&gt;
&lt;td&gt;132.59 us (719.25 MiB/s)&lt;/td&gt;
&lt;td&gt;1.3096 ms (728.24 MiB/s)&lt;/td&gt;
&lt;td&gt;13.261 ms (719.13 MiB/s)&lt;/td&gt;
&lt;td&gt;137.91 ms (691.53 MiB/s)&lt;/td&gt;
&lt;td&gt;1.4217 s (670.82 MiB/s)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Ring&amp;rsquo;s performance is again great and very stable across different payload sizes.
Rust Crypto&amp;rsquo;s implementations are significantly slower than ring&amp;rsquo;s again but also slower than on the Intel machine.
The HACL* performance for Chacha20Poly1305 is again a little worse than ring&amp;rsquo;s but significantly better than Rust Crypto&amp;rsquo;s.&lt;/p&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;./aead-m1-benchmarks.txt&#34; &gt;Raw number&lt;/a&gt;&lt;/p&gt;
&lt;h2 id=&#34;cpu-info&#34;&gt;CPU Info&lt;/h2&gt;
&lt;h3 id=&#34;intel&#34;&gt;Intel&lt;/h3&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         39 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  8
  On-line CPU(s) list:   0-7
Vendor ID:               GenuineIntel
  Model name:            Intel(R) Core(TM) i7-4900MQ CPU @ 2.80GHz
    CPU family:          6
    Model:               60
    Thread(s) per core:  2
    Core(s) per socket:  4
    Socket(s):           1
    Stepping:            3
    CPU max MHz:         3800.0000
    CPU min MHz:         800.0000
    BogoMIPS:            5589.60
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx f
                         xsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_
                         good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx e
                         st tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c
                          rdrand lahf_lm abm cpuid_fault epb invpcid_single pti tpr_shadow vnmi flexpriority ept vpid e
                         pt_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt dtherm ida arat pln pts
Virtualization features:
  Virtualization:        VT-x
Caches (sum of all):
  L1d:                   128 KiB (4 instances)
  L1i:                   128 KiB (4 instances)
  L2:                    1 MiB (4 instances)
  L3:                    8 MiB (1 instance)
NUMA:
  NUMA node(s):          1
  NUMA node0 CPU(s):     0-7
Vulnerabilities:
  Itlb multihit:         KVM: Mitigation: VMX disabled
  L1tf:                  Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
  Mds:                   Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
  Meltdown:              Mitigation; PTI
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Full generic retpoline, STIBP disabled, RSB filling
  Srbds:                 Vulnerable: No microcode
  Tsx async abort:       Not affected
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id=&#34;m1-1&#34;&gt;M1&lt;/h3&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;machdep.cpu.brand_string: Apple M1
machdep.cpu.core_count: 8
machdep.cpu.cores_per_package: 8
machdep.cpu.logical_per_package: 8
machdep.cpu.thread_count: 8
&lt;/code&gt;&lt;/pre&gt;&lt;hr&gt;
&lt;p&gt;The code changes needed for these experiments are on &lt;a class=&#34;link&#34; href=&#34;https://github.com/franziskuskiefer/kerkour.com/tree/hacl&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Github&lt;/a&gt;.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>OpenMLS Performance</title>
        <link>https://www.franziskuskiefer.de/p/openmls-performance/</link>
        <pubDate>Tue, 18 May 2021 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/openmls-performance/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/openmls-performance/openmls-logo.svg" alt="Featured image of post OpenMLS Performance" /&gt;&lt;p&gt;The Messaging Layer Security (&lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/wg/mls/about/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;MLS&lt;/a&gt;) protocol is an &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;IETF proposal&lt;/a&gt; for group key establishment
and message protection.
&lt;a class=&#34;link&#34; href=&#34;https://github.com/openmls/openmls/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;OpenMLS&lt;/a&gt; is a Rust implementation of the MLS protocol in its current state (&lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol-11&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;draft 11&lt;/a&gt; as of the point of writing this) that is being implemented by &lt;a class=&#34;link&#34; href=&#34;https://twitter.com/raphaelrobert&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Raphael&lt;/a&gt;, &lt;a class=&#34;link&#34; href=&#34;https://kkohbrok.github.io/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Konrad&lt;/a&gt; and myself.
For more general information on MLS I refer to the &lt;a class=&#34;link&#34; href=&#34;https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;spec&lt;/a&gt; and &lt;a class=&#34;link&#34; href=&#34;https://wire.com/en/blog/mls-future-of-messaging/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;other&lt;/a&gt; blog &lt;a class=&#34;link&#34; href=&#34;https://wickr.com/the-messaging-layer-security-protocol/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;posts&lt;/a&gt;.
This blog post is only about MLS, and in particular OpenMLS, performance.&lt;/p&gt;
&lt;p&gt;One goal of MLS is that it &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/doc/charter-ietf-mls/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;is supposed to be scalable&lt;/a&gt;.
The charter in particular claims the following:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Resource requirements have good scaling in the size of the group (preferably sub-linear)&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;While performance can be theoretically analysed for MLS it is also interesting to see whether the performance goals hold up in a real implementation.
This of course only looks at a single implementation.
Nonetheless, I think that it gives a good impression on the actual performance of MLS implementations.
Particularly because OpenMLS at this point is not optimised but rather implements the MLS spec as is.&lt;/p&gt;
&lt;h2 id=&#34;methodology&#34;&gt;Methodology&lt;/h2&gt;
&lt;p&gt;MLS is a pretty complex protocol with many moving parts.
It is therefore important to clearly define what is being measured and how.&lt;/p&gt;
&lt;p&gt;First, all tests are done with the only mandatory cipher suite in MLS 1.0 MLS10_128_DHKEMX25519_AES128GCM_SHA256_Ed25519.
While other cipher suites obviously have different performance, the goal here is to investigate the general performance of MLS depending on the group size.
The exact cipher suite used is therefore irrelevant.&lt;/p&gt;
&lt;h3 id=&#34;measurements&#34;&gt;Measurements&lt;/h3&gt;
&lt;p&gt;The measurements here do not cover all possible messages in MLS.
Not all of them are fully supported by OpenMLS yet.
Pre-shared key, re-init, external-init, app-ack, and external proposals will be checked once they are implemented.
The measured messages nonetheless represent the core of the MLS protocol and should give a good idea of the general performance of the protocol.
We test performance of group creation, group join as well as the three basic messages update, add, and remove, and application messages.&lt;/p&gt;
&lt;p&gt;All measurements except for the first two use one of the following set-ups:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Base&lt;/strong&gt;: The group is created by a user.
All other participants are invited and each participant creates the group locally.
Then every participant sends an update message to the group and everyone else processes it.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Bare:&lt;/strong&gt; The group is created by a user.
All other participants are invited and each participant creates the group locally.
This creates an extremely sparse version of the underlying tree in MLS and is therefore interesting to look at.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Measurements are run on different group sizes.
When running benchmarks with large groups such as 1000 participants a lot of memory is used in order to simulate all devices (up to 10 GB) such that larger groups are hard to simulate.
The chosen group sizes allow us to get a good idea how MLS performs depending on the group size.
We in particular test groups of the size 2, 3, 4, 5, 6, 7, 8, 9, 10, 20, 30, 40, 50, 100, 200, 300, 400, 500, 1000.&lt;/p&gt;
&lt;h4 id=&#34;operations&#34;&gt;Operations&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Group creation:&lt;/strong&gt;
Creating a group involves creating the group, proposals and welcome messages for the other participants, and applying the commit.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Join group:&lt;/strong&gt;
Joining a group is equivalent to processing a welcome message to locally create the new group.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Update messages:&lt;/strong&gt;
Sending an update to a group involves creating a proposal, the corresponding commit and applying the commit.
When receiving an update message the commit is being processed.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Adding a user:&lt;/strong&gt;
When a new user is added to the group the add proposal and welcome message are created and the commit is locally applied by the adder.
When receiving a commit with an add proposal it is processed by the user.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Removing a user:&lt;/strong&gt;
When a user is removed from the group the remove proposal and commit are created and locally applied by the remover.
When receiving a commit with a remove proposal it is processed by the user.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Application messages:&lt;/strong&gt;
Sending an application message consists of creating the plaintext message and encrypting it for the group.
In order to receive an application message the user has to decrypt and parse the message.
We measure performance of a single message that is being sent and processed.
Note that the processing time of subsequent messages is not significantly different from the first one.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;results&#34;&gt;Results&lt;/h2&gt;
&lt;p&gt;You can find the raw data and some more graphs in the &lt;a class=&#34;link&#34; href=&#34;https://docs.google.com/spreadsheets/d/1nZv8lpT28JctDVo4ARBLZCKcIdvo-h8cIyN3_dIedFU&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;OpenMLS performance spreadsheet&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;All measurements were performed on a laptop with Arch Linux, an Intel Core i7-4900MQ @ 2.80GHz and 16 GB memory.&lt;/p&gt;
&lt;h3 id=&#34;group-setup&#34;&gt;Group setup&lt;/h3&gt;
&lt;p&gt;As the following graph shows the time needed to create a group is linear in the number of participants added when creating the group.
The blue line shows the actual measurements while the magenta one is a trend line showing the linear relation.
This is what is to be expected because the performance is dominated by the creation of welcome messages, which have to be created for each member.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 161; flex-basis: 388px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/openmls-performance/group-creation.png&#34; data-size=&#34;600x371&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/openmls-performance/group-creation.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/openmls-performance/group-creation_hu57a2dcf3e32b211e0f433ee29c03139d_18564_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/openmls-performance/group-creation_hu57a2dcf3e32b211e0f433ee29c03139d_18564_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;600&#34;
				height=&#34;371&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&#34;join-group&#34;&gt;Join group&lt;/h3&gt;
&lt;p&gt;The performance of joining a group is linear in the group size because the information in the welcome message as well as the tree that is being processed when joining the group are linear in the number of group members.
Note that it is not logarithmic because the tree needs to be constructed.
This requires processing of each node in some way, which is linear in the group size.
The blue line again shows the actual measurements while the magenta one is a trend line for the linear relation.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 161; flex-basis: 388px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/openmls-performance/join.png&#34; data-size=&#34;600x371&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/openmls-performance/join.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/openmls-performance/join_hu734cf3b75b0b48c8e923a553d67cf8f2_17633_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/openmls-performance/join_hu734cf3b75b0b48c8e923a553d67cf8f2_17633_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;600&#34;
				height=&#34;371&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&#34;update&#34;&gt;Update&lt;/h3&gt;
&lt;p&gt;Sending and processing updates are both sub-linear in the number of group members because the number of computations depend on the height of the tree in the &lt;em&gt;base&lt;/em&gt; case.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 161; flex-basis: 388px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/openmls-performance/update.png&#34; data-size=&#34;600x371&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/openmls-performance/update.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/openmls-performance/update_hu35214adaf455b57549cfd18cbec99d3a_21902_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/openmls-performance/update_hu35214adaf455b57549cfd18cbec99d3a_21902_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;600&#34;
				height=&#34;371&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;In the case of a very sparse tree, which we have in the &lt;em&gt;bare&lt;/em&gt; case because every leaf only processed the welcome message, the performance of sending an update however is linear in the group size.
When creating a commit for an update proposal the sender has to include a path and refresh the private tree.
The following two flamegraphs show the difference between the base and the bare case.
While it doesn&amp;rsquo;t show directly what&amp;rsquo;s going on, it can be seen that in the base case (first flamegraph) the &lt;code&gt;new_with_keys&lt;/code&gt; function requires a lot more time relative to the rest of the &lt;code&gt;replace_private_tree&lt;/code&gt; function.
This is a strong indicator for where to look for the differences.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 473; flex-basis: 1135px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/openmls-performance/send-update-base.png&#34; data-size=&#34;3606x762&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/openmls-performance/send-update-base.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/openmls-performance/send-update-base_hufc51b128e635b21ce491e52af18006b2_543362_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/openmls-performance/send-update-base_hufc51b128e635b21ce491e52af18006b2_543362_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;3606&#34;
				height=&#34;762&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 400; flex-basis: 961px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/openmls-performance/send-update-bare.png&#34; data-size=&#34;3606x900&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/openmls-performance/send-update-bare.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/openmls-performance/send-update-bare_hu0f10bb19fb0a7c72e6073eb1bf6f484b_687156_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/openmls-performance/send-update-bare_hu0f10bb19fb0a7c72e6073eb1bf6f484b_687156_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;3606&#34;
				height=&#34;900&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Looking at a tree with 300 leaves for example we have to encrypt 299 times (for every other leaf) in the case of a bare tree.
In a fully updated tree however only 9 encryptions are necessary, one for each level of the tree.
It is therefore expected that the performance of sending an update (with commit) in the bare case is linear in the group size.&lt;/p&gt;
&lt;h3 id=&#34;adding-a-user&#34;&gt;Adding a user&lt;/h3&gt;
&lt;p&gt;Looking at the performance of adding a user and processing an add commit in the following graph we can again see the linear growth in relation to the number of group members.
This is almost independent of the state of the tree.
The operations appear to be slightly more expensive in a fully updated tree though.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 161; flex-basis: 388px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/openmls-performance/add.png&#34; data-size=&#34;600x371&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/openmls-performance/add.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/openmls-performance/add_hua4318a423a34102703a7d11724cff97b_26376_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/openmls-performance/add_hua4318a423a34102703a7d11724cff97b_26376_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;600&#34;
				height=&#34;371&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&#34;removing-a-user&#34;&gt;Removing a user&lt;/h3&gt;
&lt;p&gt;Like updating, removing a user and processing a remove commit are linear in complexity in the base case as the following graph shows.
Removing in a very sparse tree is significantly more expensive than in a fully updated tree.
The reason is the same as for updating the tree.
The remove information has to be encrypted to all other remaining participants in the tree.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 161; flex-basis: 388px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/openmls-performance/remove.png&#34; data-size=&#34;600x371&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/openmls-performance/remove.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/openmls-performance/remove_hue143a9c78448c9986e178aac44e5d629_24639_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/openmls-performance/remove_hue143a9c78448c9986e178aac44e5d629_24639_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;600&#34;
				height=&#34;371&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&#34;application-messages&#34;&gt;Application messages&lt;/h3&gt;
&lt;p&gt;Sending and receiving application messages is essentially independent of the group size, as expected.
Receiving the first message within an epoch has a small overhead compared to subsequent message as seen in the second graph.
This should be negligible in practice though.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 161; flex-basis: 388px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/openmls-performance/application-message-send.png&#34; data-size=&#34;600x371&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/openmls-performance/application-message-send.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/openmls-performance/application-message-send_hu05137400dfc3443fc55cd4df04c88ebb_15843_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/openmls-performance/application-message-send_hu05137400dfc3443fc55cd4df04c88ebb_15843_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;600&#34;
				height=&#34;371&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 161; flex-basis: 388px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/openmls-performance/application-message-receive.png&#34; data-size=&#34;600x371&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/openmls-performance/application-message-receive.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/openmls-performance/application-message-receive_hu599bf318a9b6aa87504f8a066c21e800_23613_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/openmls-performance/application-message-receive_hu599bf318a9b6aa87504f8a066c21e800_23613_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;600&#34;
				height=&#34;371&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&#34;analysis&#34;&gt;Analysis&lt;/h2&gt;
&lt;p&gt;First, the plain performance numbers tell us that the goal of the MLS charter of a protocol that scales well for large groups has been mostly.
Depending on the state of the tree some operations might take longer than expected.
However, this can be mitigated by the application ensuring that the tree is updated and shrunk regularly.
Notably, the real world performance appears to be consistent with the theoretical expectations.&lt;/p&gt;
&lt;h2 id=&#34;technical-background&#34;&gt;Technical background&lt;/h2&gt;
&lt;p&gt;The measurements are &lt;em&gt;not&lt;/em&gt; done with any Rust benchmarking framework such as &lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/criterion&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;criterion&lt;/a&gt;.
Due to the way criterion works there&amp;rsquo;s significant &lt;a class=&#34;link&#34; href=&#34;https://github.com/bheisler/criterion.rs/issues/475&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;overhead in criterion&lt;/a&gt;.
While the numbers in this post can be reliably reproduced a more thorough measurement framework&lt;/p&gt;
&lt;p&gt;The flamegraphs are produced with &lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/pprof&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;pprof&lt;/a&gt;, a simple to use CPU profiler for Rust.&lt;/p&gt;
&lt;p&gt;All measurements were performed on &lt;a class=&#34;link&#34; href=&#34;https://github.com/openmls/openmls/tree/65030529e43716d482a6e57a432da5a388fd0a3c&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;this revision&lt;/a&gt;.
To reproduce them check out the revision and run&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;for&lt;/span&gt; i in &lt;span class=&#34;m&#34;&gt;2&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;3&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;4&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;5&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;6&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;7&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;8&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;9&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;10&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;20&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;30&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;40&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;50&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;100&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;200&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;300&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;400&lt;/span&gt; &lt;span class=&#34;m&#34;&gt;500&lt;/span&gt; 1000&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;do&lt;/span&gt; &lt;span class=&#34;se&#34;&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;se&#34;&gt;&lt;/span&gt;    cargo bench --bench group -- &lt;span class=&#34;nv&#34;&gt;$i&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; &lt;span class=&#34;se&#34;&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;se&#34;&gt;&lt;/span&gt;&lt;span class=&#34;k&#34;&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id=&#34;conclusion--future-work&#34;&gt;Conclusion &amp;amp; Future work&lt;/h2&gt;
&lt;p&gt;Measuring performance of a protocol as complex as MLS is pretty difficult.
Without an application and elaborate test framework that can simulate many different scenarios it is only possible to get the basic numbers as shown here.
While they give a good indicator towards the performance of the MLS protocol they are insufficient to claim any performance of real applications that use MLS.&lt;/p&gt;
&lt;p&gt;Nonetheless, the numbers show that the MLS protocol appears to allow for efficient, end-to-end-encrypted messaging in large groups.
Sending and receiving application messages is independent of the group size while group operations are sub-linear in the group size in most cases.&lt;/p&gt;
&lt;p&gt;When OpenMLS is further developed and we have a messaging client using it another set of measurements should be performed with real world usage scenarios in mind in order to investigate whether the performance we have seen here translates to efficient group messaging in an application.
The MLS specification further leaves anything around authentication and authorization policies open to the application.
These might be complex procedures and impact the MLS performance as well.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>💲 Web Monetization 💲</title>
        <link>https://www.franziskuskiefer.de/p/web-monetization/</link>
        <pubDate>Sun, 14 Feb 2021 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/web-monetization/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/web-monetization/hero.jpg" alt="Featured image of post 💲 Web Monetization 💲" /&gt;&lt;p&gt;Thanks to &lt;a class=&#34;link&#34; href=&#34;https://about.me/cyberdees&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Deez&lt;/a&gt; I gave &lt;a class=&#34;link&#34; href=&#34;https://webmonetization.org&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;web monetization&lt;/a&gt; a spin on this website today.
Here I write up how I did it, how it went, and what I think about it.&lt;/p&gt;
&lt;p&gt;The proposed &lt;a class=&#34;link&#34; href=&#34;https://webmonetization.org/specification.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;web monetization standard&lt;/a&gt; allows browsers to securely pay websites, and, in turn, allows for websites to react to being paid, for example by turning off ads or providing extra functionality to paying visitors.
There is some good description of use cases on &lt;a class=&#34;link&#34; href=&#34;https://developers.coil.com/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Coil&amp;rsquo;s website&lt;/a&gt; if you&amp;rsquo;re looking for a more general explainer.&lt;/p&gt;
&lt;p&gt;The following diagram from the &lt;a class=&#34;link&#34; href=&#34;https://webmonetization.org/docs/explainer/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;web monetization docs&lt;/a&gt; illustrate the information flow.
In short, the &lt;code&gt;monetization&lt;/code&gt; meta-tag on the page is parsed by the browser, which initiates a session for a page visit and triggers the payment through the payment pointer.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 184; flex-basis: 442px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/web-monetization/webmonetization-flow.png&#34; data-size=&#34;1050x570&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/web-monetization/webmonetization-flow.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/web-monetization/webmonetization-flow_hu4b9a27d68db843b15861a92d09493226_35217_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/web-monetization/webmonetization-flow_hu4b9a27d68db843b15861a92d09493226_35217_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;1050&#34;
				height=&#34;570&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&#34;payment-pointer-&#34;&gt;Payment pointer 📬&lt;/h2&gt;
&lt;p&gt;To set up web monetization on a website like this, one first has to get a payment pointer that can receive payments.
Getting this payment pointer was probably the hardest part for me.&lt;/p&gt;
&lt;p&gt;I selected one of the recommended wallet providers &lt;a class=&#34;link&#34; href=&#34;https://uphold.com&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Uphold&lt;/a&gt;.
Uphold has a support page for &lt;a class=&#34;link&#34; href=&#34;https://support.uphold.com/hc/en-us/articles/360043227832-How-to-find-your-ILP-address-Interledger-payment-pointer-&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;how to get the ILP (Interledger payment pointer)&lt;/a&gt;.
The problem is that it&amp;rsquo;s difficult to understand how to get to the &amp;ldquo;sub-account for the asset&amp;rdquo;.
In fact I was only able to do this in &lt;a class=&#34;link&#34; href=&#34;https://brave.com/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Brave&lt;/a&gt; because &lt;a class=&#34;link&#34; href=&#34;https://uphold.com/dashboard&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;uphold.com/dashboard&lt;/a&gt; always forwards me to &lt;a class=&#34;link&#34; href=&#34;https://wallet.uphold.com/dashboard&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;wallet.uphold.com/dashboard&lt;/a&gt;, which doesn&amp;rsquo;t have the necessary information (or I just didn&amp;rsquo;t find it).&lt;/p&gt;
&lt;p&gt;Setting all trust concerns aside (see the &lt;a class=&#34;link&#34; href=&#34;#security-privacy&#34; &gt;privacy section&lt;/a&gt;) I tried to verify my Uphold account.
The verification didn&amp;rsquo;t go through yet 🤔.
But I can still receive funds and have honestly no idea what&amp;rsquo;s happening here.
This is a pretty bad sign for a provider that&amp;rsquo;s supposed to handle money for me.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 356; flex-basis: 855px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/web-monetization/UpholdWallet.png&#34; data-size=&#34;845x237&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/web-monetization/UpholdWallet.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/web-monetization/UpholdWallet_hu31f66a2b6192b48aa6e67561a26b0d79_14589_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/web-monetization/UpholdWallet_hu31f66a2b6192b48aa6e67561a26b0d79_14589_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;845&#34;
				height=&#34;237&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&#34;the-interledger-&#34;&gt;The Interledger 📒&lt;/h3&gt;
&lt;p&gt;The &lt;a class=&#34;link&#34; href=&#34;https://interledger.org/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Interledger&lt;/a&gt; is an open protocol suite for sending payments across different ledgers.
It is used by the web monetization framework to send the money to the website owner or content creator.
You might know that I have opinions on cryptocurrencies and blockchain technologies (hint: they are not very positive).
I understand that there aren&amp;rsquo;t a lot of good ways of sending money to individuals or organisations that supports a lot of different technologies and currencies.
But I don&amp;rsquo;t understand why any sort of ledger needs to be involved.&lt;/p&gt;
&lt;h3 id=&#34;security-privacy&#34;&gt;Privacy &amp;amp; Security considerations 🔐🕵🏻‍♀️&lt;/h3&gt;
&lt;p&gt;The first road block I hit was the registration of the uphold account.
It looks like it requires registration with a government ID.
While the banking industry is for obvious reasons heavily regulated, I don&amp;rsquo;t understand why I need to send highly sensitive documents to a provider with a low trust level.
Signing up with an existing bank account or credit card might have other privacy implications but would not have the trust issues a provider like Uphold has.&lt;/p&gt;
&lt;p&gt;If the web monetization protocol wants to be successful, it has to be better than existing solutions (ads).
Also in terms of privacy.
It is therefore paramount in my opinion that the protocol does not yield any information about the person visiting a website.
But I can see a couple ways privacy could get compromised here and no documents addressing them.
A particular concern I have is how tracking users across different websites is prevented given that the user is always sending from the same account.
The subscription provider like &lt;a class=&#34;link&#34; href=&#34;https://coil.com/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Coil&lt;/a&gt; is another big privacy risk as they see every transaction a user is taking.&lt;/p&gt;
&lt;p&gt;All this can be remedied but requires transparency and clear technical solutions.&lt;/p&gt;
&lt;h2 id=&#34;getting-started-&#34;&gt;Getting started 🌐&lt;/h2&gt;
&lt;p&gt;There is a &lt;a class=&#34;link&#34; href=&#34;https://github.com/sabinebertram/hugo-webmonetization-component&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;web monetization theme&lt;/a&gt; for &lt;a class=&#34;link&#34; href=&#34;https://gohugo.io&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;hugo&lt;/a&gt; (the framework I use for this site) that allows for easy integration of web monetization.&lt;/p&gt;
&lt;p&gt;First I added the hugo-webmonetization-component as second theme to my site:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;git submodule add git@github.com:sabinebertram/hugo-webmonetization-component.git themes/webmonetization
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Then I changed my theme in the &lt;code&gt;config.toml&lt;/code&gt; as follows:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-toml&#34; data-lang=&#34;toml&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;nx&#34;&gt;theme&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;s2&#34;&gt;&amp;#34;gohugo-theme-ananke&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;s2&#34;&gt;&amp;#34;webmonetization&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;And then set my &lt;a class=&#34;link&#34; href=&#34;https://paymentpointers.org/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;payment pointer&lt;/a&gt; in the &lt;code&gt;params&lt;/code&gt; section of the &lt;code&gt;config.toml&lt;/code&gt;:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-toml&#34; data-lang=&#34;toml&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;nx&#34;&gt;params&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;nx&#34;&gt;monetization&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;s2&#34;&gt;&amp;#34;$ilp.uphold.com/NMNKYReeKNNw&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;In order to actually use the monetization parameter I added it to the ananke theme&amp;rsquo;s &lt;code&gt;&amp;lt;head&amp;gt;&lt;/code&gt;.
The &lt;code&gt;head&lt;/code&gt; is defined in &lt;code&gt;themes/gohugo-theme-ananke/layouts/_default/baseof.html&lt;/code&gt;, which includes a &lt;code&gt;head-additions.html&lt;/code&gt; where we can add the monetization partial.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-html&#34; data-lang=&#34;html&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;{{ partial &amp;#34;webmonetization.html&amp;#34; .}}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id=&#34;sample-exclusive-content-&#34;&gt;Sample exclusive content 💎&lt;/h3&gt;
&lt;p&gt;In hugo it is simple to add exclusive content with the following short code.
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-C&#34; data-lang=&#34;C&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;p&#34;&gt;{{&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;%&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;exclusive&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;%&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;}}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt; &lt;span class=&#34;p&#34;&gt;...&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;exclusive&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;content&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;...&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;p&#34;&gt;{{&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;%&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;/&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;exclusive&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;%&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;}}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
Note that this only works if &lt;code&gt;blackfriday&lt;/code&gt; is used as markup engine and things like markdown code blocks don&amp;rsquo;t work in there.
This might be a shortcoming of the hugo theme I&amp;rsquo;m using here.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-toml&#34; data-lang=&#34;toml&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;nx&#34;&gt;markup&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;nx&#34;&gt;defaultMarkdownHandler&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;s2&#34;&gt;&amp;#34;blackfriday&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;⚠️ I switched to a new theme on this blog that does not support webmonetization right now!&lt;/strong&gt;&lt;/p&gt;
&lt;h3 id=&#34;issues-i-encountered-&#34;&gt;Issues I encountered 🐞&lt;/h3&gt;
&lt;p&gt;First this only worked on the main page after following the instructions.
It turned out that I had to update &lt;a class=&#34;link&#34; href=&#34;https://github.com/budparr/gohugo-theme-ananke&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;my hugo theme&lt;/a&gt; to get support on every page.&lt;/p&gt;
&lt;p&gt;The description on the &lt;a class=&#34;link&#34; href=&#34;https://github.com/sabinebertram/hugo-webmonetization-component&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;web monetization theme&lt;/a&gt; appears to be a little outdated.
It is even easier to include it now.&lt;/p&gt;
&lt;h2 id=&#34;the-consumer-side---coil-&#34;&gt;The consumer side - Coil 👩🏾‍💻&lt;/h2&gt;
&lt;p&gt;To see how consumers visiting a website experience web monetization I used &lt;a class=&#34;link&#34; href=&#34;https://coil.com&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Coil&lt;/a&gt;.
With an account and an &lt;a class=&#34;link&#34; href=&#34;https://coil.com/#Extension-Install-Section&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;extension for your favourite browser&lt;/a&gt; we see that it is working.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 128; flex-basis: 309px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/web-monetization/franziskuskiefer.de-coil.png&#34; data-size=&#34;1822x1414&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/web-monetization/franziskuskiefer.de-coil.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/web-monetization/franziskuskiefer.de-coil_hua3dd889600459af75981609ff7dd6705_1508888_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/web-monetization/franziskuskiefer.de-coil_hua3dd889600459af75981609ff7dd6705_1508888_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;1822&#34;
				height=&#34;1414&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&#34;thoughts-on-the-user-experience-&#34;&gt;Thoughts on the user experience 🤔&lt;/h3&gt;
&lt;p&gt;Seeing the green &lt;code&gt;$&lt;/code&gt; when visiting a page that uses web monetization shows the user that they are supporting the content creator and feels good.
However, it takes a while for the monetization to kick in such that it looks like the page refreshes after a second for exclusive content.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 553; flex-basis: 1329px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/web-monetization/monetization-loading.gif&#34; data-size=&#34;1296x234&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/web-monetization/monetization-loading.gif&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/web-monetization/monetization-loading_hu06eafc1f96b3d27d408d84addaab345f_75104_480x0_resize_box.gif 480w, https://www.franziskuskiefer.de/p/web-monetization/monetization-loading_hu06eafc1f96b3d27d408d84addaab345f_75104_1024x0_resize_box.gif 1024w&#34;
				width=&#34;1296&#34;
				height=&#34;234&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;It is also not entirely clear how the membership works from the popup.
In particular what&amp;rsquo;s included and how the money gets distributed.
But this might be a trade-off for the sake of usability.
A more detailed information panel would be nice though.
The mobile &lt;a class=&#34;link&#34; href=&#34;https://www.pumabrowser.com/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Puma browser&lt;/a&gt; is a little better here.&lt;/p&gt;
&lt;p&gt;Overall this reminds me a little of the donation system Amazon is running through smile.amazon.com, which is great idea but not very transparent (though this improved over time).&lt;/p&gt;
&lt;div class=&#34;row&#34;&gt;
 &lt;div class=&#34;column&#34; style=&#34;float: left; width: 50%;&#34;&gt;
   &lt;img src=&#34;../../images/webmonetization-puma1.png&#34; alt=&#34;Puma1&#34; style=&#34;width:90%&#34;&gt;
 &lt;/div&gt;
 &lt;div class=&#34;column&#34; style=&#34;float: left; width: 50%; margin-bottom: 25px;&#34;&gt;
   &lt;img src=&#34;../../images/webmonetization-puma2.png&#34; alt=&#34;Puma2&#34; style=&#34;width:90%&#34;&gt;
 &lt;/div&gt;
&lt;/div&gt;
&lt;h2 id=&#34;conclusion-&#34;&gt;Conclusion 🚧&lt;/h2&gt;
&lt;p&gt;First, I really like the idea of allowing users to give money directly to websites and content creators.
It is also relatively easy to get web monetization set up on a website.
If this is through integration in a framework or by manually adding the header tag.&lt;/p&gt;
&lt;p&gt;My two main concerns are around privacy and the state of tooling.
This is obviously not a final standard such that some hiccups are to be expected.
Issues around more mature tools such as Uphold are a little more concerning though.
To judge the real privacy impact a more in depth analysis of the standard as well as the implementations and services are needed.
But it is worrying that the specification doesn&amp;rsquo;t even mention privacy implications.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;update&#34;&gt;Update&lt;/h2&gt;
&lt;p&gt;I was pointed to a blog post on &lt;a class=&#34;link&#34; href=&#34;https://coil.com/p/sharafian/Doubling-Down-on-Privacy/cD_ZiwT2J&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;privacy in Coil&lt;/a&gt; that explains how they use &lt;a class=&#34;link&#34; href=&#34;https://privacypass.github.io/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;privacy pass&lt;/a&gt; for user privacy (there&amp;rsquo;s an &lt;a class=&#34;link&#34; href=&#34;https://datatracker.ietf.org/group/privacypass/documents/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;IETF working group&lt;/a&gt; in the process of standardising privacy pass) and something they call wallet privacy.&lt;/p&gt;
&lt;p&gt;I also filed &lt;a class=&#34;link&#34; href=&#34;https://github.com/WICG/webmonetization/issues/165&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;a spec issue&lt;/a&gt; to get more explicit privacy treatment in the spec.&lt;/p&gt;
&lt;h2 id=&#34;update-2&#34;&gt;Update 2&lt;/h2&gt;
&lt;p&gt;I mentioned above that Uphold appears to be dubious.
Now that they disabled my account I have to disable the web monetization experiment on this page.
I don&amp;rsquo;t really care, but Uphold appears to be as bad as I expected.
There was no communication whatsoever from Uphold except the following screen when logging in.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 69; flex-basis: 167px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/web-monetization/uphold-account-lock.png&#34; data-size=&#34;880x1262&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/web-monetization/uphold-account-lock.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/web-monetization/uphold-account-lock_hu10c4aee958f27bc70be79fb2e16716b6_88296_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/web-monetization/uphold-account-lock_hu10c4aee958f27bc70be79fb2e16716b6_88296_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;880&#34;
				height=&#34;1262&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;While being logged in it actually says &amp;quot; Uphold is currently unavailable&amp;quot; 🤷🏻‍♂️&lt;/p&gt;
&lt;h2 id=&#34;update-3&#34;&gt;Update 3&lt;/h2&gt;
&lt;p&gt;After getting in touch with Uphold (thanks Kaily!) it turned out that the account verification didn&amp;rsquo;t go through for some reason and I had to redo it to unlock my account.&lt;/p&gt;
&lt;p&gt;I got an innocuous email saying&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;We’ve had to temporarily restrict your account while we gather some more information. You can still trade but you won’t be able to withdraw funds.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;What this actually meant is that I had to get in touch with the Uphold support team to figure out what&amp;rsquo;s going on.&lt;/p&gt;
&lt;p&gt;I re-enabled web-monetization on this page.
While the initial experience on my end wasn&amp;rsquo;t great it was unrelated to web-monetization and due to some shortcomings in Uphold&amp;rsquo;s communication and me ignoring some of it 😬.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>I&#39;m leaving AISEC</title>
        <link>https://www.franziskuskiefer.de/p/im-leaving-aisec/</link>
        <pubDate>Mon, 04 May 2020 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/im-leaving-aisec/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/im-leaving-aisec/hero.jpg" alt="Featured image of post I&#39;m leaving AISEC" /&gt;&lt;p&gt;I don&amp;rsquo;t like to write a post like this but I really feel that this one is necessary.
After not even half a year I&amp;rsquo;m going to leave the &lt;a class=&#34;link&#34; href=&#34;https://www.aisec.fraunhofer.de&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Fraunhofer AISEC&lt;/a&gt; at the end of May.
In this post I want to explain why.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;This is not a post about contact tracing!&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;During the week of April 13 the controversy around &lt;a class=&#34;link&#34; href=&#34;https://www.pepp-pt.org/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;PEPP-PT&lt;/a&gt; started to heat up. Articles from &lt;a class=&#34;link&#34; href=&#34;https://www.coindesk.com/decentralized-protocol-removed-from-eu-contact-tracing-website-with-no-notice&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;coindesk&lt;/a&gt; and other media such as &lt;a class=&#34;link&#34; href=&#34;https://www.golem.de/news/pepp-pt-streit-beim-corona-app-projekt-2004-147925.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Golem&lt;/a&gt; (German), started to pop up and I started to get a little concerned knowing that AISEC is part of the PEPP-PT organization.
This quickly changed from being a sensible thing done by some people in the organization that employs me to something pretty sketchy that I definitely wanted to learn more about.
Note that I haven&amp;rsquo;t been involved in any of the contact tracing approaches at AISEC or anywhere else.&lt;/p&gt;
&lt;p&gt;There were three separate points that concerned me.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Everything I have seen pointed to an approach to contact tracing that has huge potential to being abused. An approach that needs careful consideration and maybe shouldn&amp;rsquo;t be used in the first place. But without knowing any details I could hardly tell if this was really the case.&lt;/li&gt;
&lt;li&gt;The way PEPP-PT and AISEC communicated not only with the public but, as it appeared, also with other members of the consortium and employees, didn&amp;rsquo;t seem compatible with my understanding of responsible science, which requires an open discussion.&lt;/li&gt;
&lt;li&gt;This situation started to shed a bad light on everyone working for AISEC who&amp;rsquo;s taking privacy and open communication on such an important topic seriously.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;In order to be able to judge the situation a little better and potentially help the necessary discussion around privacy in contact tracing apps I decided to reply to the only e-mail I had on the topic.
This was before anything was published by PEPP-PT or AISEC.
On April 1st when PEPP-PT was launched the AISEC director Claudia Eckert sent out an e-mail informing everyone that &lt;a class=&#34;link&#34; href=&#34;https://www.aisec.fraunhofer.de/de/presse-und-veranstaltungen/presse/pressemitteilungen/2020/PEPP-PT.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;AISEC was part of PEPP-PT&lt;/a&gt; (press release from AISEC on that day in German).
I noted that the optics were pretty bad and other institutions such as ETH Zürich left PEPP-PT. In particular, I wanted to know&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;in which way AISEC is involved in PEPP-PT and how the future collaboration is supposed to look like;&lt;/li&gt;
&lt;li&gt;how the institute wants to ensure that the situation doesn&amp;rsquo;t deteriorate any further (prevent further loss in credibility);&lt;/li&gt;
&lt;li&gt;when specifications, security models, and code would be published.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;I didn&amp;rsquo;t want to get involved in any (public) discussion before knowing what&amp;rsquo;s going on.
Asking internally, the person who should know, seemed like the obvious way to go.&lt;/p&gt;
&lt;p&gt;The response was a little disappointing.&lt;/p&gt;
&lt;p&gt;I won&amp;rsquo;t disclose any content of internal e-mails.
But the last sentence said that I&amp;rsquo;m of course free to hand in my notice and leave AISEC at any time.&lt;/p&gt;
&lt;p&gt;So that&amp;rsquo;s what I&amp;rsquo;m doing.
I leave.
This is not an organization I want to work for.
Neither does the behavior of AISEC as part of PEPP-PT reflect my understanding of research, science, and social responsibility, nor does the response of the AISEC leadership demonstrate an environment in which I want to work.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(While I got a half-hearted explanation relayed a week later that tried to explain the e-mail with stress and the influx of many hostile e-mails, I believe that it is a symptom of a disrespectful culture within the organization.
Actually, I haven&amp;rsquo;t heard from Claudia Eckert since that e-mail.)&lt;/em&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;So if you are interested in hiring me, send me an e-mail (mail@ this domain).&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Shared-Secrets Service</title>
        <link>https://www.franziskuskiefer.de/p/shared-secrets-service/</link>
        <pubDate>Mon, 23 Dec 2019 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/shared-secrets-service/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/shared-secrets-service/hero.jpg" alt="Featured image of post Shared-Secrets Service" /&gt;&lt;p&gt;At the &lt;a class=&#34;link&#34; href=&#34;https://berlin-crypto.github.io&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Berlin Crypto&lt;/a&gt; this month we had a talk by &lt;a class=&#34;link&#34; href=&#34;https://twitter.com/xyahe/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Kevin&lt;/a&gt; about a &lt;a class=&#34;link&#34; href=&#34;https://secrets.syseleven.de&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;shared-secret service&lt;/a&gt; they developed at &lt;a class=&#34;link&#34; href=&#34;https://syseleven.de&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Syselevn&lt;/a&gt;.
After experimenting with PGP and deciding that it doesn&amp;rsquo;t do what they needed, they decided to go with a very simple, custom encrypt-then-mac scheme. You can find details &lt;a class=&#34;link&#34; href=&#34;https://github.com/syseleven/shared-secrets/blob/master/ENCRYPTION.md&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;here&lt;/a&gt;.
When someone says they built their own encryption scheme and message format I get obviously curious.
In this post I want to summarize the scheme, design decisions, compare it standard authenticated encryption schemes, and ponder the question of the right security definitions.&lt;/p&gt;
&lt;p&gt;Note that I refrain from formal definitions in this post.
I only want to give the intuition.
Please read the linked documents for formal definitions and details.
See for example the &lt;a class=&#34;link&#34; href=&#34;https://cseweb.ucsd.edu/~mihir/papers/oem.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Authenticated Encryption paper by Bellare and Namprempre&lt;/a&gt; for details on authenticated encryption and the &lt;a class=&#34;link&#34; href=&#34;https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.76.4921&amp;amp;rep=rep1&amp;amp;type=pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Authenticated Encryption with Associated Data by Rogaway&lt;/a&gt; on AEADs.&lt;/p&gt;
&lt;h2 id=&#34;shared-secrets&#34;&gt;Shared-Secrets&lt;/h2&gt;
&lt;p&gt;The service and scheme are described as follows:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Shared-Secrets is an application that helps you to simply share one-time secrets over the web.
Using the Shared-Secrets service allows you to transfer the actual secret in an encrypted form.
Retrieving the secret is as simple as following a link.
In contrast to other secret sharing services, Shared-Secrets does not store the secret on the server, but puts the encrypted secret into the link that you share with the desired recipient.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;I leave aside the fact that any attacker that can intercept the message can trivially retrieve the secret and focus on the encryption scheme used for the service.
Note that the service allows to encrypt the message with a password before sharing it to prevent the aforementioned attack.&lt;/p&gt;
&lt;p&gt;The encryption scheme used for this service is a basic encrypt-then-mac scheme that can be written as&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;(c, t) &amp;lt;- EtM(key, nonce, msg, aad)
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;where &lt;code&gt;aad&lt;/code&gt; contains all meta-data (version etc.).
Keys for the mac and encryption algorithms are derived as follows&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;key &amp;lt;- random() # 32-byte
(k_c, k_t) &amp;lt;- (HMAC-SHA256(key, &amp;#34;enc&amp;#34;), HMAC-SHA256(key, &amp;#34;mac&amp;#34;))
rsakey &amp;lt;- RSA-OAEP(pk, key)
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;The RSA key &lt;code&gt;pk&lt;/code&gt; is the server&amp;rsquo;s public key.
Now we can compute the ciphertext and mac.&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;c &amp;lt;- AES-256-CTR(k_c, nonce, msg)
t &amp;lt;- HMAC-SHA256(k_t, aad, c)
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;The message format is defined as&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[version:01][rsakeycount:02][rsakeyid:32][rsakeylength:02][rsakey:mm][...][rsakeyid:32][rsakeylength:02][rsakey:mm][nonce:16][message:nn][mac:32]
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;with &lt;code&gt;rsakeyid := SHA256(pk)&lt;/code&gt; and &lt;code&gt;nonce := $(date +%s)|0..0&lt;/code&gt; (8-byte unix timestamp, padded 8 zero bytes).&lt;/p&gt;
&lt;h3 id=&#34;observations&#34;&gt;Observations&lt;/h3&gt;
&lt;p&gt;Looking at the scheme there are a two things that stand out.
This is in addition to the unclear threat scenario that I won&amp;rsquo;t discuss in this post.&lt;/p&gt;
&lt;p&gt;Note that there&amp;rsquo;s currently no standardized way of doing  hybrid encryption. There&amp;rsquo;s currently an &lt;a class=&#34;link&#34; href=&#34;https://tools.ietf.org/html/draft-irtf-cfrg-hpke-02&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RFC in the making&lt;/a&gt; but until that&amp;rsquo;s finished it is necessary to define custom hybrid schemes as done here.&lt;/p&gt;
&lt;h4 id=&#34;the-nonce-is-not-random&#34;&gt;The nonce is not random&lt;/h4&gt;
&lt;p&gt;When using encryption schemes such as AES-CTR it is paramount that the nonce is unique.
If this is not the case, the key-stream becomes known and allows full message recovery.
Using a timestamp as nonce is usually a bad move as time is predictable and not random.&lt;/p&gt;
&lt;h4 id=&#34;how-is-this-different-from-an-aead&#34;&gt;How is this different from an AEAD&lt;/h4&gt;
&lt;p&gt;The scheme as described above looks like an AEAD scheme.
So the question is why didn&amp;rsquo;t they just use an established AEAD scheme such as AES-GCM or ChaCha20Poly1305.&lt;/p&gt;
&lt;h2 id=&#34;encrypt-then-mac--aead&#34;&gt;Encrypt-then-Mac == AEAD?&lt;/h2&gt;
&lt;p&gt;Let&amp;rsquo;s talk about encryption and authentication first.
Historically encryption offered confidentiality but no integrity.
Something that&amp;rsquo;s not immediately obvious to non-cryptographers who want to use encryption to protect their data.
Authenticated Encryption (AE) and its relation to non-authenticated encryption was first described in the previously mentioned paper by &lt;a class=&#34;link&#34; href=&#34;https://cseweb.ucsd.edu/~mihir/papers/oem.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Bellare and Namprempre&lt;/a&gt; in 2000.&lt;/p&gt;
&lt;p&gt;Encryption was considered secure if it satisfied the indistinguishable under chosen plaintext property, i.e. if an attacker couldn&amp;rsquo;t distinguish whether a ciphertext encrypts message &lt;code&gt;a&lt;/code&gt; or message &lt;code&gt;b&lt;/code&gt;.
But &amp;ldquo;security&amp;rdquo; of an encryption scheme intuitively might mean something else as well.
In addition to not being able to know which message is encrypted in a ciphertext it shouldn&amp;rsquo;t be possible for an attacker to change the content of the message or the ciphertext without the recipient noticing it.
This property can be described as ciphertext (or plaintext) integrity and allows the definition of authenticated encryption.
Adding associated data (AD) that is not encrypted but authenticated we get Authenticated Encryption with Associated Data (AEAD).
For a comprehensive overview of AEAD and its history I recommend checking out these &lt;a class=&#34;link&#34; href=&#34;https://summerschool-croatia.cs.ru.nl/2016/slides/PhilRogaway.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;slides by Phillip Rogaway&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id=&#34;encrypt-then-mac--aead-1&#34;&gt;Encrypt-then-Mac != AEAD&lt;/h3&gt;
&lt;p&gt;Generally encrypt-then-mac schemes can be considered AEADs.
For this to be true however, the Mac has to be strongly unforgeable.
Luckily this is the case for HMAC such that the scheme described above is fine in this regard.&lt;/p&gt;
&lt;p&gt;A MAC scheme is weakly unforgeable (WUF-CMA) if an attacker is not able to generate a tag for a new message, i.e. a message that she hasn&amp;rsquo;t seen a tag for before.
If a scheme is strongly unforgeable (SUF-CMA), it must me impossible for an attacker to generate a new message, tag pair, i.e. not only a new message but also a new tag.
While SUF-CMA seems like an artificial extension of the intuitive notion of WUF-CMA it is necessary to build an AEAD as WUF-CMA doesn&amp;rsquo;t provide integrity guarantees for the ciphertext or plaintext.&lt;/p&gt;
&lt;h2 id=&#34;aead-properties&#34;&gt;AEAD Properties&lt;/h2&gt;
&lt;p&gt;The motivation to build this custom AEAD scheme instead of using an existing one was a big point of discussion at the meetup.
The essence is that Kenny didn&amp;rsquo;t trust that an AEAD provided exactly what he needed.
So what are properties of an AEAD?
Generally AEADs are supposed to offer IND-CCA security where the attacker is allowed to decrypt arbitrary ciphertexts.
Instead of thinking of AEAD as IND-CCA secure it is more intuitive to think of it as IND-CPA secure (i.e. the attacker can&amp;rsquo;t do better than guessing which message is encrypted in a ciphertext when given the ciphertext to one of two adversarially chosen messages) and offering INT-CTXT, i.e. integrity of the ciphertext.
Note that this &lt;strong&gt;does not&lt;/strong&gt; imply authenticity of the plaintext because IND-CCA does not guarantee that it is impossible for an attacker to generate a valid ciphertext for a specially crafted message.&lt;/p&gt;
&lt;h3 id=&#34;uniqueness-of-tags&#34;&gt;Uniqueness of Tags&lt;/h3&gt;
&lt;p&gt;The property that was questioned to be part of the AEAD security definition but was important to the Shared-Secrets service is the uniqueness of the ciphertext and tag.
This is necessary to make sure secrets can only be retrieved once.
According to the &lt;a class=&#34;link&#34; href=&#34;https://secrets.syseleven.de/how&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;website&lt;/a&gt; the server uses a fingerprint to achieve this.
First I notice that fingerprint is not defined in the encryption scheme.
Looking at &lt;a class=&#34;link&#34; href=&#34;https://github.com/syseleven/shared-secrets/blob/2fa63d5bf0673d497c7ee5afa766176ccb34b34f/lib/shared-secrets.exec.php#L256&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;the code&lt;/a&gt; it appears that the fingerprint is the tag.
The fingerprint is stored on the server and the service refuses to decrypt anything with the fingerprint if it did so once before.&lt;/p&gt;
&lt;p&gt;So the question is whether the used encrypt-then-mac scheme makes sure that the tag is unique and whether an AEAD would have offered this property as well.&lt;/p&gt;
&lt;p&gt;In other words, can an attacker generate a second, different, valid tag  &lt;code&gt;t&#39;&lt;/code&gt; for an existing ciphertext, tag pair &lt;code&gt;(c, t)&lt;/code&gt;.
Note that I do not consider encodings here.
(Using base64 encoding for example it is possible to generate two different base64 strings that decode to the same binary message.)
To this end there has to exist a pair &lt;code&gt;(c, t), (c&#39;, t&#39;)&lt;/code&gt; with &lt;code&gt;Dec(c) == Dec(c&#39;) &amp;amp;&amp;amp; Verify(t) == Verify(t&#39;)&lt;/code&gt; i.e. two ciphertext, tag pairs that decrypt to the same message and both tags are valid.
First note that the unforgeability of the Mac ensures that it is impossible to generate a valid tag &lt;code&gt;t&#39;&lt;/code&gt; for a given ciphertext &lt;code&gt;c&lt;/code&gt; without knowledge of the key.
It follows that the ciphertext &lt;code&gt;c&#39;&lt;/code&gt; has to be different from the original ciphertext &lt;code&gt;c&lt;/code&gt;.
But without knowledge of the message &lt;code&gt;m&lt;/code&gt; encrypted in &lt;code&gt;c&lt;/code&gt; (or the key) it is impossible to generate a ciphertext &lt;code&gt;c&#39;&lt;/code&gt; that decrypts to &lt;code&gt;m&lt;/code&gt;.
Hence this is not possible.&lt;/p&gt;
&lt;p&gt;While everything else in this post were well established properties of AEADs this one doesn&amp;rsquo;t appear to follow trivially.
However, this applies to the custom scheme used in Shared-Secrets as well as an off-the-shelf AEAD.&lt;/p&gt;
&lt;h2 id=&#34;timestamps-as-nonces&#34;&gt;Timestamps as Nonces&lt;/h2&gt;
&lt;p&gt;Non-random nonces break most AEAD schemes.
This is one reason &lt;a class=&#34;link&#34; href=&#34;https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Misuse-Resistant AE (MRAE)&lt;/a&gt; was introduced and specified for schemes such as AES-GCM (&lt;a class=&#34;link&#34; href=&#34;https://tools.ietf.org/html/rfc8452&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;AES-GCM-SIV&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;So how does choosing a timestamp as nonce fare in the Shared-Secret scheme?&lt;/p&gt;
&lt;p&gt;Recall that AES in counter mode, as used here, is an XOR of a plaintext block with the AES encryption of the concatenation of the nonce and the counter (&lt;code&gt;c_i = m_i xor AES(key, nonce||ctr)&lt;/code&gt;).
Thus, one can recover an unknown plaintext by computing the xor of its ciphertext with the xor of a known ciphertext, plaintext pair (&lt;code&gt;m_i = c_i xor (c&#39;_i xor m&#39;_i)&lt;/code&gt;) when the nonce is known.&lt;/p&gt;
&lt;p&gt;While the Shared-Secrets scheme is very fragile here and not well-designed here (why not just take a random nonce?) I can&amp;rsquo;t see how this can be exploited.
Even if an attacker is able to generate two ciphertexts with the same nonce (this can be easily done by sending two requests to the server at the same time), the key will be different in both cases.&lt;/p&gt;
&lt;h2 id=&#34;discussion-how-to-define-security&#34;&gt;Discussion: How to define security?&lt;/h2&gt;
&lt;p&gt;This episode illustrates how important it is for security definitions to model real-world scenarios that people actually have when using a primitive.
But it also shows that sometimes, even though standard primitives with appropriate security definitions exist, communicating these properties fail.
The use case of the Shared-Secrets is a peculiar one but highlights these issues.
Something I did not expect is that people rather define their own crypto schemes than using existing ones because they think they don&amp;rsquo;t understand the properties properly.
But this is all the more reason to make sure the exact security properties a scheme offers are communicated and well understood by everyone.&lt;/p&gt;
&lt;p&gt;For me this is another pointer that it is important to have properly working communication channels between people analyzing crypto and everyone using it in order to transport requirements and make sure everyone is on the same page.
And this is, among others things, what we do at the &lt;a class=&#34;link&#34; href=&#34;https://berlin-crypto.github.io&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Berlin Crypto&lt;/a&gt; meetup in a very informal and local setting.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Mozilla SURF Summit Vienna 2019</title>
        <link>https://www.franziskuskiefer.de/p/mozilla-surf-summit-vienna-2019/</link>
        <pubDate>Tue, 12 Nov 2019 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/mozilla-surf-summit-vienna-2019/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/mozilla-surf-summit-vienna-2019/surf-vienna-2019.jpg" alt="Featured image of post Mozilla SURF Summit Vienna 2019" /&gt;&lt;p&gt;Last week we had the third Security Engineering University Relationship Framework (&lt;a class=&#34;link&#34; href=&#34;https://surf.mozilla.org/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;SURF&lt;/a&gt;) &lt;a class=&#34;link&#34; href=&#34;https://web.archive.org/web/20191111151144/https://events.mozilla.org/mozillasecurityresearchsummit2019&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;summit in Vienna&lt;/a&gt;.
The last SURF summit I attended was the first one &lt;a class=&#34;link&#34; href=&#34;../mozilla-security-research-summit-london-2018/&#34; &gt;in London 2018&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This time we had four talks by Mozillians, three invited talks, as well as eight lightning talks.
I &lt;a class=&#34;link&#34; href=&#34;https://twitter.com/_franziskus_/status/1192730087487135744&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;live-tweeted&lt;/a&gt; a little during the event if you like slides on photos.&lt;/p&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://christophkerschbaumer.com/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Christoph&lt;/a&gt; talked about how to &lt;a class=&#34;link&#34; href=&#34;surf_vienna_kerschbaumer.pdf&#34; &gt;harden the content security landscape of Firefox&lt;/a&gt; and posed the question how we could do some of that on the web.
The web PKI with all its problems was the topic of &lt;a class=&#34;link&#34; href=&#34;thyla-webpki.pdf&#34; &gt;Thyla&amp;rsquo;s talk&lt;/a&gt;, with a focus on &lt;a class=&#34;link&#34; href=&#34;https://mislove.org/publications/CRLite-Oakland.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;CRLite&lt;/a&gt;. There&amp;rsquo;s also a &lt;a class=&#34;link&#34; href=&#34;https://blog.mozilla.org/security/2019/11/01/validating-delegated-credentials-for-tls-in-firefox/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;blog post&lt;/a&gt; on the Mozilla security blog on this with more details and links.&lt;/p&gt;
&lt;p&gt;One prominent topic at this SURF summit was how to preserve privacy online and counter tracking.
&lt;a class=&#34;link&#34; href=&#34;https://twitter.com/nataliabielova&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Natliia&lt;/a&gt; gave an invited talk on &lt;a class=&#34;link&#34; href=&#34;https://arxiv.org/abs/1812.01514&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;detecting trackers missed by filter lists and browser extensions&lt;/a&gt;, &lt;a class=&#34;link&#34; href=&#34;https://senglehardt.com/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Steven&lt;/a&gt; talked about &lt;a class=&#34;link&#34; href=&#34;senglehardt-private-web.pdf&#34; &gt;challenges in building a private web&lt;/a&gt; and &lt;a class=&#34;link&#34; href=&#34;https://www.esat.kuleuven.be/cosic/people/gunes-acar/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Gunes&lt;/a&gt; about &lt;a class=&#34;link&#34; href=&#34;dark_patterns_surf_vienna_mozilla.pdf&#34; &gt;dark patterns&lt;/a&gt; and how to find them on the web.&lt;/p&gt;
&lt;p&gt;On the crypto side we had &lt;a class=&#34;link&#34; href=&#34;https://twitter.com/kennyog&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Kenny&lt;/a&gt; talk about &lt;a class=&#34;link&#34; href=&#34;kenny-api-design.pdf&#34; &gt;API design of crypto primitves&lt;/a&gt; and primality testing.
Details can be found in the well titled papers &lt;a class=&#34;link&#34; href=&#34;https://eprint.iacr.org/2019/032&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;safety in numbers&lt;/a&gt; and &lt;a class=&#34;link&#34; href=&#34;https://eprint.iacr.org/2018/749&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;prime and prejudice&lt;/a&gt;.
I talked about &lt;a class=&#34;link&#34; href=&#34;kiefer-pq-mozilla.pdf&#34; &gt;Post Quantum Crypto and Mozilla&lt;/a&gt; calling on more experiments with post quantum crypto beyond TLS key exchange.&lt;/p&gt;
&lt;p&gt;We closed the summit with a panel discussion on the gap between theory and practice.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Wrapping arithmetic in Rust</title>
        <link>https://www.franziskuskiefer.de/p/wrapping-arithmetic-in-rust/</link>
        <pubDate>Mon, 21 Oct 2019 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/wrapping-arithmetic-in-rust/</guid>
        <description>&lt;p&gt;One of Rusts great feature is that it catches integer overflows at runtime and panics rather than wraps (in debug builds).
I recommend you read &lt;a class=&#34;link&#34; href=&#34;https://huonw.github.io/blog/2016/04/myths-and-legends-about-integer-overflow-in-rust/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Huon&amp;rsquo;s blog post&lt;/a&gt; about this from a couple years ago.&lt;/p&gt;
&lt;p&gt;While this is a desirable behaviour in general, integer overflows are commonly used when implementing cryptography primitives.
Rust offers wrapping alternatives such as &lt;code&gt;wrapping_add&lt;/code&gt; etc. to allow  wrapping behaviour.
However, this makes code very hard to read, e.g. &lt;code&gt;let c = a + b&lt;/code&gt; is easier to read than &lt;code&gt;let c = a.wrapping_add(b)&lt;/code&gt;.&lt;/p&gt;
&lt;h2 id=&#34;other-wrapping-arithmetic&#34;&gt;Other wrapping arithmetic&lt;/h2&gt;
&lt;p&gt;Rust itself provides a wrapping integer type in &lt;a class=&#34;link&#34; href=&#34;https://doc.rust-lang.org/std/num/struct.Wrapping.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;&lt;code&gt;std::num::Wrapping&lt;/code&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-Rust&#34; data-lang=&#34;Rust&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;use&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;std&lt;/span&gt;::&lt;span class=&#34;n&#34;&gt;num&lt;/span&gt;::&lt;span class=&#34;n&#34;&gt;Wrapping&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;zero&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;Wrapping&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;mi&#34;&gt;0&lt;/span&gt;&lt;span class=&#34;k&#34;&gt;u32&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;one&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;Wrapping&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;mi&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;k&#34;&gt;u32&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;fm&#34;&gt;assert_eq!&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;std&lt;/span&gt;::&lt;span class=&#34;kt&#34;&gt;u32&lt;/span&gt;::&lt;span class=&#34;n&#34;&gt;MAX&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;zero&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;-&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;one&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;).&lt;/span&gt;&lt;span class=&#34;mi&#34;&gt;0&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This is a good solution when you want to be explicit about what you&amp;rsquo;re doing.
However, its readability is still not great.&lt;/p&gt;
&lt;h2 id=&#34;wrappit&#34;&gt;#[wrappit]&lt;/h2&gt;
&lt;p&gt;To alleviate this shortcoming I implemented a &lt;a class=&#34;link&#34; href=&#34;https://doc.rust-lang.org/reference/procedural-macros.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;procedural macro&lt;/a&gt; that rewrites arithmetic operators &lt;code&gt;+,-,*&lt;/code&gt; into their wrapping equivalents &lt;code&gt;wrapping_add, wrapping_sub, wrapping_mul&lt;/code&gt; as well as their assigning versions &lt;code&gt;+=,-=,*=&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The following function for example&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-Rust&#34; data-lang=&#34;Rust&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;#[wrappit]&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;k&#34;&gt;fn&lt;/span&gt; &lt;span class=&#34;nf&#34;&gt;mix&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt;: &lt;span class=&#34;kt&#34;&gt;u32&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;b&lt;/span&gt;: &lt;span class=&#34;kt&#34;&gt;u32&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;: &lt;span class=&#34;kp&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;kt&#34;&gt;u32&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;])&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;-&amp;gt; &lt;span class=&#34;kt&#34;&gt;u32&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;k&#34;&gt;mut&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;r&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;+&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;b&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;k&#34;&gt;for&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;u&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;r&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;*=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;u&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;r&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;is rewritten to&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-Rust&#34; data-lang=&#34;Rust&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;fn&lt;/span&gt; &lt;span class=&#34;nf&#34;&gt;mix&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt;: &lt;span class=&#34;kt&#34;&gt;u32&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;b&lt;/span&gt;: &lt;span class=&#34;kt&#34;&gt;u32&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;: &lt;span class=&#34;kp&#34;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;kt&#34;&gt;u32&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;])&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;-&amp;gt; &lt;span class=&#34;kt&#34;&gt;u32&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;kd&#34;&gt;let&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;k&#34;&gt;mut&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;r&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;.&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;wrapping_add&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;b&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;k&#34;&gt;for&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;u&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;r&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;r&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;.&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;wrapping_mul&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;u&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;n&#34;&gt;r&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;You can find wrapping_arithmetic on &lt;a class=&#34;link&#34; href=&#34;https://github.com/franziskuskiefer/wrapping-arithmetic&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;GitHub&lt;/a&gt; and on &lt;a class=&#34;link&#34; href=&#34;https://crates.io/crates/wrapping_arithmetic&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;crates.io&lt;/a&gt;.
To use &lt;code&gt;#[wrappit]&lt;/code&gt; add &lt;code&gt;wrapping_arithmetic = &amp;quot;0.1&amp;quot;&lt;/code&gt; to your &lt;code&gt;cargo.toml&lt;/code&gt;.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Update on hacspec</title>
        <link>https://www.franziskuskiefer.de/p/update-on-hacspec/</link>
        <pubDate>Fri, 30 Nov 2018 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/update-on-hacspec/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/update-on-hacspec/hacspec2-architecture.png" alt="Featured image of post Update on hacspec" /&gt;&lt;p&gt;Earlier this year I introduced &lt;a class=&#34;link&#34; href=&#34;../hacspec1&#34; &gt;hacspec, a new specification language for cryptographic primitives&lt;/a&gt;.
After Karthik presented the idea and very preliminary results at &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/blob/master/doc/hacspec-short-talk-CFRG-IETF-101.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;IETF 101&lt;/a&gt; in March we made quite some progress and presented a paper with a little more detail at &lt;a class=&#34;link&#34; href=&#34;https://ssr2018.net/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;SSR&lt;/a&gt; earlier this week.
In this blog post I&amp;rsquo;ll give the gist of the &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/blob/master/doc/hacspec-ssr18-paper.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;SSR paper&lt;/a&gt; and introduce the first version of &lt;em&gt;hacspec&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;All information about &lt;em&gt;hacspec&lt;/em&gt; can be found at &lt;a class=&#34;link&#34; href=&#34;https://hacs-workshop.github.io/hacspec/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;https://hacs-workshop.github.io/hacspec/&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id=&#34;the-language&#34;&gt;The language&lt;/h2&gt;
&lt;p&gt;The &lt;em&gt;hacspec&lt;/em&gt; language is a DSL for cryptographic algorithms.
But it can also be seen as a typed subset of Python.
The following describes the language.&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;  Values v ::=
         n                             integer constants 
       | True | False                  boolean constants 
       | &amp;#39;...&amp;#39; | &amp;#34;...&amp;#34;                 string constants 
       | (v1,...,vn)                   tuple constant 
       | array([v1,...,vn])            array constant 

  
Expressions e ::=
         v                             values 
       | x | m.x                       local and global variables 
       | (e1,...,en)                   tuple construction 
       | array([e1,...,en])            array construction 
       | array.length(e)               array length 
       | e[e0]                         array access 
       | e[e0:e1]                      array slice
       | e(e1,...,en)                  function call
       | e1 binop e2                   builtin binary operators
       | unaryop e                     builtin unary operators
  
Types t ::=
         int, str, bool                basic types 
       | tuple_t(t1,...,tn)            tuples 
       | vlarray_t(t)                  variable-length array 
       | x                             user-defined or builtin type 
       | x(t1,...,tn,e1,...,em)        builtin type application 
  
Statements s ::=
         x: Type = t                   type declaration 
       | x: t                          variable declaration  
       | x = e                         variable assignment 
       | x binop= e                    augmented variable assignment 
       | (x1,..,xn) = e                tuple matching 
       | x[i] = e                      array update 
       | x[i] binop= e                 augmented array update 
       | x[i:j] = e                    array slice update 
       | if e:                         if-elif-else conditional 
             s1...sn  
         elif e:  
             s1&amp;#39;...sn&amp;#39;  
         else  
             s1&amp;#39;&amp;#39;...sn&amp;#39;&amp;#39;  
       | for i in range(e):            for loop 
             s1...sn  
       | break                         break from loop 
       | def x(x1:t1,...,xn:tn) -&amp;gt; t:  function declaration
             s1 ... sn                
       | return e                      return from function 
       | from x import x1, x2,..., xn  module import 
  
Specs σ ::= s1...sn                    sequence of statements 
&lt;/code&gt;&lt;/pre&gt;&lt;h2 id=&#34;hacspec-architecture&#34;&gt;hacspec architecture&lt;/h2&gt;
&lt;p&gt;The &lt;em&gt;hacspec&lt;/em&gt; architecture is depicted in the following graph.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 117; flex-basis: 281px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/update-on-hacspec/hacspec2-architecture.png&#34; data-size=&#34;2873x2451&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/update-on-hacspec/hacspec2-architecture.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/update-on-hacspec/hacspec2-architecture_hu59cb5aa3cd237429216159464502cf06_303676_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/update-on-hacspec/hacspec2-architecture_hu59cb5aa3cd237429216159464502cf06_303676_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;2873&#34;
				height=&#34;2451&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&#34;writing-hacspec&#34;&gt;Writing hacspec&lt;/h2&gt;
&lt;p&gt;Every spec should be accompanied by a test and some test vectors leaving the author with at least two files, e.g. &lt;code&gt;poly.py&lt;/code&gt; and &lt;code&gt;poly_test.py&lt;/code&gt; (also see &lt;a class=&#34;link&#34; href=&#34;#Example&#34; &gt;Example section&lt;/a&gt;).
Note that only the spec file has to be &lt;em&gt;hacspec&lt;/em&gt; syntax.
The test file can make use of all of Python.
&lt;em&gt;hacspec&lt;/em&gt; comes with a standard library called speclib and a spec-checker.
To use the &lt;em&gt;hacspec&lt;/em&gt; speclib and spec-checker install them via &lt;code&gt;pip install hacspec&lt;/code&gt; or from the source (the &lt;code&gt;setup.py&lt;/code&gt; for the Python package can be found in &lt;code&gt;/build/&lt;/code&gt;).
Running &lt;em&gt;hacspec&lt;/em&gt; requires a Python interpreter version 3.6.4 or newer.&lt;/p&gt;
&lt;h3 id=&#34;speclib&#34;&gt;speclib&lt;/h3&gt;
&lt;p&gt;Commonly used functionality is provided in &lt;em&gt;speclib&lt;/em&gt; (&lt;code&gt;from hacspec.speclib import *&lt;/code&gt;).
The full speclib documentation can be found &lt;a class=&#34;link&#34; href=&#34;https://hacs-workshop.github.io/hacspec/docs/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;here&lt;/a&gt;.
Some highlights are&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;em&gt;modular arithmetic&lt;/em&gt;: &lt;code&gt;natmod_t&lt;/code&gt; is an integer data type that provides modular arithmetic, e.g. &lt;code&gt;felem_t = natmod_t((2**130)-5)&lt;/code&gt; defines field elements modulo &lt;code&gt;(2**130)-5&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;machine integers&lt;/em&gt;: &lt;code&gt;unitN_t&lt;/code&gt; define commonly used machine integer types for &lt;code&gt;N = 8, 16, 32, 64, 128&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;byte arrays, vectors, and matrices&lt;/em&gt;: provided data structures are &lt;code&gt;array_t, bytes_t, vector_t, matrix_t&lt;/code&gt; as well as the variable length versions &lt;code&gt;vlarray_t&lt;/code&gt; and &lt;code&gt;vlbytes_t&lt;/code&gt;. Note that the vector and matrix data types offer point-wise arithmetic.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;refinements&lt;/em&gt;: &lt;code&gt;refine_t&lt;/code&gt; allows to refine data types.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;contracts&lt;/em&gt;: &lt;code&gt;@contract&lt;/code&gt; annotation on functions can be used for pre- and post-conditions.&lt;sup&gt;1&lt;/sup&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id=&#34;spec-checker&#34;&gt;spec-checker&lt;/h3&gt;
&lt;p&gt;Since hacspecs are executed with a Python interpreter it is not sufficient to run &lt;em&gt;hacspec&lt;/em&gt; to check their syntax.
To check that the syntax is valid a spec-checker is provided.&lt;sup&gt;2&lt;/sup&gt;&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;hacspec-check &amp;lt;your-hacspec&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id=&#34;executing-hacspec&#34;&gt;Executing hacspec&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;hacspec&lt;/em&gt; tests are executed with the Python interpreter.
Executing tests on a spec can yield three different results.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;The execution is successful and all test vectors pass. In this case the spec is most likely correct and doesn&amp;rsquo;t contain any obvious typing issues.&lt;/li&gt;
&lt;li&gt;The execution fails because of a failing test case. In this case the spec is probably wrong (or the test vectors are incorrect).&lt;/li&gt;
&lt;li&gt;The execution fails because of a type error. The speclib as well as &lt;a class=&#34;link&#34; href=&#34;https://github.com/agronholm/typeguard/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;typeguard&lt;/a&gt; are used to perform runtime type checks.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id=&#34;checking-and-compiling-hacspec&#34;&gt;Checking and compiling hacspec&lt;/h2&gt;
&lt;p&gt;To use &lt;em&gt;hacspecs&lt;/em&gt; for formal verification such as verification of cryptographic properties of an algorithm, generating code in other languages from the spec, or verifying correctness of other implementations with it, a second set of tools is provided.
These tools are written in OCaml and thus require additional setup and are not packaged right now.&lt;sup&gt;3&lt;/sup&gt;
Check out the &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;repository&lt;/a&gt; to use them.
All tools can be easily called via &lt;code&gt;make&lt;/code&gt; (see documentation in the repo &lt;code&gt;/compiler/&lt;/code&gt; for details).&lt;/p&gt;
&lt;h3 id=&#34;type-checker&#34;&gt;Type checker&lt;/h3&gt;
&lt;p&gt;To perform proper type checking Python is impractical.
A native type checker is implemented in OCaml that performs syntax and type checking for &lt;em&gt;hacspec&lt;/em&gt;.
To run the type checker on a spec simply run &lt;code&gt;./checker.native &amp;lt;your-spec&amp;gt;&lt;/code&gt;.&lt;/p&gt;
&lt;h3 id=&#34;compiler&#34;&gt;Compiler&lt;/h3&gt;
&lt;p&gt;The type checker also produces a typed AST that can be used to generate the spec in another formal language.
There are currently compiler for EasyCrypt and F*.
I&amp;rsquo;ll only describe the F* compiler as it&amp;rsquo;s more complete.&lt;/p&gt;
&lt;h4 id=&#34;f-compiler&#34;&gt;F* compiler&lt;/h4&gt;
&lt;p&gt;The F* compiler requires &lt;a class=&#34;link&#34; href=&#34;https://github.com/mitls/hacl-star/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;&lt;code&gt;HACL_HOME&lt;/code&gt;&lt;/a&gt; and &lt;a class=&#34;link&#34; href=&#34;https://github.com/FStarLang/FStar&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;&lt;code&gt;FSTAR_HOME&lt;/code&gt;&lt;/a&gt; environment variables to be set.
The compiler is then invoked like this &lt;code&gt;./to_fstar &amp;lt;your-spec&amp;gt;&lt;/code&gt;.
The generated F* spec can then be type checked or executed on test vectors to check correctness of the spec.
Using &lt;a class=&#34;link&#34; href=&#34;https://github.com/FStarLang/kremlin&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;kremlin&lt;/a&gt; the F* code can also be used to generate C code.&lt;/p&gt;
&lt;h2 id=&#34;Example&#34;&gt;Example&lt;/h2&gt;
&lt;p&gt;The &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/tree/master/specs&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;&lt;em&gt;hacspec&lt;/em&gt; repo&lt;/a&gt; has many examples.
I&amp;rsquo;ll only give a short one here.&lt;/p&gt;
&lt;p&gt;The spec &lt;code&gt;poly.py&lt;/code&gt;:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-Python&#34; data-lang=&#34;Python&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;kn&#34;&gt;from&lt;/span&gt; &lt;span class=&#34;nn&#34;&gt;hacspec.speclib&lt;/span&gt; &lt;span class=&#34;kn&#34;&gt;import&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;n&#34;&gt;p130m5&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;nat_t&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;mi&#34;&gt;2&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;**&lt;/span&gt; &lt;span class=&#34;mi&#34;&gt;130&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&lt;/span&gt; &lt;span class=&#34;mi&#34;&gt;5&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;natmod_t&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;p130m5&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;nd&#34;&gt;@typechecked&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;def&lt;/span&gt; &lt;span class=&#34;nf&#34;&gt;felem&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;n&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;nat_t&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;return&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;natmod&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;n&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;p130m5&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;nd&#34;&gt;@typechecked&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;def&lt;/span&gt; &lt;span class=&#34;nf&#34;&gt;poly&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;m&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;vlarray_t&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;r&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;acc&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;mi&#34;&gt;0&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;for&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;i&lt;/span&gt; &lt;span class=&#34;ow&#34;&gt;in&lt;/span&gt; &lt;span class=&#34;nb&#34;&gt;range&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;array&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;.&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;length&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;m&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;        &lt;span class=&#34;n&#34;&gt;acc&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;acc&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;+&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;m&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;i&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;])&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;r&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;return&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;acc&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The test &lt;code&gt;poly_test.py&lt;/code&gt;:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-Python&#34; data-lang=&#34;Python&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;kn&#34;&gt;from&lt;/span&gt; &lt;span class=&#34;nn&#34;&gt;poly&lt;/span&gt; &lt;span class=&#34;kn&#34;&gt;import&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;def&lt;/span&gt; &lt;span class=&#34;nf&#34;&gt;main&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;():&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;m&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;array&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;([&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;felem&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;mh&#34;&gt;0x6f4620636968706172676f7470797243&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;               &lt;span class=&#34;n&#34;&gt;felem&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;mh&#34;&gt;0x6f7247206863726165736552206d7572&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)])&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;k&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;mh&#34;&gt;0xa806d542fe52447f336d555778bed685&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;expected&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;natmod&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;mh&#34;&gt;0xa01b776a69ea8c1cd3ba00179dc218ab&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;p130m5&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;p&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;poly&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;m&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;k&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;if&lt;/span&gt; &lt;span class=&#34;ow&#34;&gt;not&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;expected&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;==&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;p&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;        &lt;span class=&#34;nb&#34;&gt;print&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;s2&#34;&gt;&amp;#34;Error&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;        &lt;span class=&#34;nb&#34;&gt;print&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;s2&#34;&gt;&amp;#34;Expected: &amp;#34;&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;+&lt;/span&gt; &lt;span class=&#34;nb&#34;&gt;str&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;expected&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;))&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;        &lt;span class=&#34;nb&#34;&gt;print&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;s2&#34;&gt;&amp;#34;Got:      &amp;#34;&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;+&lt;/span&gt; &lt;span class=&#34;nb&#34;&gt;str&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;p&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;))&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;else&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;        &lt;span class=&#34;nb&#34;&gt;print&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;s2&#34;&gt;&amp;#34;Test successful&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;if&lt;/span&gt; &lt;span class=&#34;vm&#34;&gt;__name__&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;==&lt;/span&gt; &lt;span class=&#34;s2&#34;&gt;&amp;#34;__main__&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;main&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;()&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This can now be run with &lt;code&gt;python poly_test.py&lt;/code&gt; and checked with &lt;code&gt;hacspec-check poly.py&lt;/code&gt; and &lt;code&gt;checker.native poly.py&lt;/code&gt;.
Compiling this to F* can be done with &lt;code&gt;to_fstar.native poly.py&lt;/code&gt;, generating the following F* code.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-ocaml&#34; data-lang=&#34;ocaml&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;module&lt;/span&gt; &lt;span class=&#34;nc&#34;&gt;Poly&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;open&lt;/span&gt; &lt;span class=&#34;nc&#34;&gt;Speclib&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;p130m5&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;nat_t&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;2&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;**.&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;130&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-.&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;5&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;nc&#34;&gt;Type0&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;natmod_t&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;p130m5&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;n&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;nat_t&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;natmod&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;n&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;p130m5&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;poly&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;m&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;vlarray_t&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;r&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem_t&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;acc&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;felem&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;0&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;acc&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;repeati&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;array_length&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;m&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;k&#34;&gt;fun&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;i&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;acc&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;acc&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;+.&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;m&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;.[&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;i&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;])&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*.&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;r&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;acc&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;n&#34;&gt;acc&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h1 id=&#34;next-steps&#34;&gt;Next steps&lt;/h1&gt;
&lt;p&gt;We hope that &lt;em&gt;hacspec&lt;/em&gt; is a useful tool for spec authors and many people indeed voiced interest already.
While the tooling isn&amp;rsquo;t perfect yet, the language is developed enough to start using it.
The next steps for &lt;em&gt;hacspec&lt;/em&gt; is to get some usage from spec authors and improve tooling.
We also hope to get more compilers for different formal languages implemented.&lt;/p&gt;
&lt;br&gt;
&lt;hr&gt;
&lt;br&gt;
&lt;ol&gt;
&lt;li&gt;Note that contracts are still in development and not fully supported yet.&lt;/li&gt;
&lt;li&gt;In future &lt;em&gt;hacspec&lt;/em&gt; syntax checks and running test vectors on the spec should be done in one invocation.&lt;/li&gt;
&lt;li&gt;In future pre-built binaries should be distributed to make this easier.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;em&gt;hacspec is mostly a spare time project for me at the moment. Development is therefore not always as fast as I&amp;rsquo;d like.&lt;/em&gt;&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Mozilla Security Research Summit London 2018</title>
        <link>https://www.franziskuskiefer.de/p/mozilla-security-research-summit-london-2018/</link>
        <pubDate>Mon, 19 Nov 2018 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/mozilla-security-research-summit-london-2018/</guid>
        <description>&lt;p&gt;The Security Engineering University Relationship Framework (SURF) is an initiative within the Firefox security engineering team to improve relations with privacy and security researchers.
SURF includes a variety of possible relationships but is focused on building long-term relationships with researchers and organisations.
The goal of SURF projects is to explore topics that are outside of Mozilla&amp;rsquo;s immediate product needs, influence Mozilla&amp;rsquo;s long-term product development and vision.&lt;/p&gt;
&lt;p&gt;On November 12th the &lt;a class=&#34;link&#34; href=&#34;https://web.archive.org/web/20181119104824/https://events.mozilla.org/securityresearchsummit&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;first SURF summit&lt;/a&gt; was held in London.
SURF summits are an opportunity for researchers and Mozillians to get together and exchange ideas.
This very first summit, organised by &lt;a class=&#34;link&#34; href=&#34;https://twitter.com/ThylaVdMerwe&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Thyla&lt;/a&gt;, was attended by a number of Mozillians, UK academics, and grad students.&lt;/p&gt;
&lt;p&gt;Four Mozillians presented challenges they are currently facing, pitching possible research challenges.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;https://senglehardt.com/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Steven Englehardt&lt;/a&gt; talked about the need for &lt;a class=&#34;link&#34; href=&#34;https://drive.google.com/file/d/1AG_fFXiJOUSAj3Bwe9UVxO3aSL-2YVAP/view&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;tracking protection&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;https://christophkerschbaumer.com/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Christoph Kerschbaumer&lt;/a&gt; talked about &lt;a class=&#34;link&#34; href=&#34;https://drive.google.com/file/d/1CwhFz3sUs3qbL1X8LGM9DcGmC9RQWTkJ/view&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;preventing data exfiltration from the browser&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;I talked about &lt;a class=&#34;link&#34; href=&#34;https://drive.google.com/file/d/1Ly3S3BE-S8tDbty7nX6UTcuwn2CrGyAe/view&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;securely implementing cryptography&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;https://twitter.com/ThylaVdMerwe&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Thyla van der Merwe&lt;/a&gt; talked about &lt;a class=&#34;link&#34; href=&#34;https://drive.google.com/file/d/1XIJLIp-TuG9tSiu40EfatAOWydnUQIFB/view&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Tor at scale&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;There were also two invited speakers.
&lt;a class=&#34;link&#34; href=&#34;https://www.kcl.ac.uk/nms/depts/informatics/people/Academic-Staff.aspx&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Lorenzo Cavallaro&lt;/a&gt; introduced us to &lt;a class=&#34;link&#34; href=&#34;https://drive.google.com/file/d/1t4Y1QpJqZ0wZ6C1vmW0bLqJu3zTExTyH/view&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;TESSERACT&lt;/a&gt;, an attempt to elliminate experimental bias in malware classification systems.
And &lt;a class=&#34;link&#34; href=&#34;https://www.sba-research.org/team/key-researchers/stefan-brunthaler/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Stefan Brunthaler&lt;/a&gt; talked about software diversity as possible solutions to spectre-like attacks (no slides online yet).
In two rounds grad students also presented ongoing work on &lt;a class=&#34;link&#34; href=&#34;https://drive.google.com/file/d/1wShMHfhrfSxGqJDv7XNpnjEK4wgVshDc/view&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;MPC&lt;/a&gt;, &lt;a class=&#34;link&#34; href=&#34;https://drive.google.com/file/d/16R_O-Y14wt5cr0zqL_IdW63ri3ZYQOPE/view&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Primality Testing&lt;/a&gt;, &lt;a class=&#34;link&#34; href=&#34;https://drive.google.com/file/d/1On2B8v6Dfw-N3hY3mKWKAOCAZCMPuZU1/view&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Blockchains&lt;/a&gt;, and &lt;a class=&#34;link&#34; href=&#34;https://drive.google.com/file/d/1iOZAUSdBpGXi9WfZJg4NdcpBfvE10MV6/view&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;UnlimitID&lt;/a&gt; in lightning talks.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Shipping (some) HACL*</title>
        <link>https://www.franziskuskiefer.de/p/shipping-some-hacl/</link>
        <pubDate>Thu, 12 Apr 2018 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/shipping-some-hacl/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/shipping-some-hacl/hero.jpg" alt="Featured image of post Shipping (some) HACL*" /&gt;&lt;p&gt;If you didn&amp;rsquo;t read the article about the &lt;a class=&#34;link&#34; href=&#34;../hacl-star/&#34; &gt;HACL* approach&lt;/a&gt;, go there first and read it. tl;dr&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://github.com/mitls/hacl-star/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HACL*&lt;/a&gt; is a cryptographic library written in &lt;a class=&#34;link&#34; href=&#34;https://www.fstar-lang.org/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;F*&lt;/a&gt; that allows translation to C using kremlin.
It guarantees memory safety, secret independent computation, and functional correctness with respect to a mathematical specification.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;hr&gt;
&lt;p&gt;In this second blog post I describe the process of integrating code from HACL*, a researchy crypto library, into NSS, a production library shipping to millions of people, running on a plethora of platforms.
In short, how to ship (some parts of) HACL*.&lt;/p&gt;
&lt;h1 id=&#34;shipping-formally-verified-code&#34;&gt;Shipping formally verified code&lt;/h1&gt;
&lt;p&gt;Before integrating any code from HACL* into NSS there had to be some criteria the code had to fulfil in order to get considered and a process of integrating, maintaining, and updating the code.
The criteria roughly looked like this:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The code has to be correct.&lt;/li&gt;
&lt;li&gt;Performance must not be degraded by any new code.&lt;/li&gt;
&lt;li&gt;The code has to be human readable and modifiable, i.e. it must pass a code review process.&lt;/li&gt;
&lt;li&gt;The code must run on all platforms supported by NSS or must have fallback code for platforms that are not supported.&lt;/li&gt;
&lt;li&gt;Upstream changes can to be integrated easily into NSS and fixes can be integrated upstream.&lt;/li&gt;
&lt;li&gt;The verification and generation toolchain has to run in the NSS world.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We started integrating HACL* crypto primitives into NSS with &lt;a class=&#34;link&#34; href=&#34;https://tools.ietf.org/html/rfc7748&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Curve25519&lt;/a&gt;.
At the time of writing NSS contains code from HACL* for Curve25519 64-bit, &lt;a class=&#34;link&#34; href=&#34;https://tools.ietf.org/html/rfc7539&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Poly1305&lt;/a&gt; 32-bit and 64-bit, &lt;a class=&#34;link&#34; href=&#34;https://tools.ietf.org/html/rfc7539&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ChaCha20&lt;/a&gt;, and ChaCha20 with SSSE3 hardware acceleration.
More primitives are in the pipeline and will be integrated in the near future.&lt;/p&gt;
&lt;h2 id=&#34;correctness&#34;&gt;Correctness&lt;/h2&gt;
&lt;p&gt;Any code that lands in NSS has to be correct, obviously.
This might be evident but when talking about HACL* generated C code, correctness is not so simple.
Correctness can be checked relatively easily by looking at the HACL* specification of a given primitive.
This code is relatively easy to review (when familiar with F*) as it closely resembles the mathematical specification of the primitive.
The correctness of the C code is guaranteed by the formal proofs from HACL*.
In addition we run all the usual test vectors on it of course.
To catch any errors in the extraction chain from F* to C the extracted C code is reviewed for correctness as well.&lt;/p&gt;
&lt;h2 id=&#34;performance&#34;&gt;Performance&lt;/h2&gt;
&lt;p&gt;Performance was not a big concern.
As shown in the &lt;a class=&#34;link&#34; href=&#34;https://github.com/mitls/hacl-star/blob/master/doc/papers/hacl-star-ccs2017.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HACL* paper from CCS 2017&lt;/a&gt;, performance of most primitives is on par with or better than the fastest C implementations out there.
Nonetheless, performance of each primitive is compared between HACL* and the NSS to make sure not to degrade performance.
For every primitive I looked at so far the performance of HACL* was at least as good as the performance of the NSS code.&lt;/p&gt;
&lt;h2 id=&#34;code-quality&#34;&gt;Code quality&lt;/h2&gt;
&lt;p&gt;Code quality was, as with any generated code, a big concern.
How readable is the generated code? Can it easily be changed if the need arises?
The first versions we looked at weren&amp;rsquo;t that great &amp;hellip;&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 265; flex-basis: 637px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/hacl-review.png&#34; data-size=&#34;1983x747&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/hacl-review.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/hacl-review_hucd9959a0171e896eec7c417310d2ea11_228638_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/shipping-some-hacl/hacl-review_hucd9959a0171e896eec7c417310d2ea11_228638_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;1983&#34;
				height=&#34;747&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;
&lt;figure style=&#34;flex-grow: 513; flex-basis: 1232px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/ugly-hacl.png&#34; data-size=&#34;755x147&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/ugly-hacl.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/ugly-hacl_hua247d0e64cbda0435f58ad9ca08350bd_23578_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/shipping-some-hacl/ugly-hacl_hua247d0e64cbda0435f58ad9ca08350bd_23578_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;755&#34;
				height=&#34;147&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;But after a couple improvements to kremlin the code was good to go.
While every new piece of code that&amp;rsquo;s being integrated has to pass code review the C code produced by kremlin is good enough now to land new primitives without having to improve upstream code first.
Note however that code passes review here that wouldn&amp;rsquo;t pass if it were hand-written.
The code generator is not perfect.
We have to live with some rough edges.
The most important point is that the code is understandable.&lt;/p&gt;
&lt;p&gt;NSS if formatted with &lt;code&gt;clang-format&lt;/code&gt;, which is checked on CI.
So the only change to the verified C code imported from HACL* is formatting.&lt;/p&gt;
&lt;h3 id=&#34;some-pain-points-remain&#34;&gt;Some pain points remain&lt;/h3&gt;
&lt;p&gt;There are some outstanding issues that I hope get fixed in kremlin and would improve code quality significantly.
Kremlin doesn&amp;rsquo;t know &lt;code&gt;const&lt;/code&gt;, which is one of the few nice helpers one can use in C to control what&amp;rsquo;s happening to your pointer.
While &lt;code&gt;const&lt;/code&gt; is not necessary because of the HACL* proofs, it would be nice to have.
Kremlin further generates unnecessary casts such as &lt;code&gt;(uint32_t)4U&lt;/code&gt;.
This is not a big deal but makes code harder to read.
There&amp;rsquo;s also a big number of temporary variables that aren&amp;rsquo;t necessary and make the code harder to read.&lt;/p&gt;
&lt;h2 id=&#34;platform-support&#34;&gt;Platform support&lt;/h2&gt;
&lt;p&gt;Being a researchy library HACL* is not tested on a big variety of platforms.
NSS on the other hand has to run on most available platforms as well as a number of legacy platforms.
While the NSS CI covers Windows, Linux, and Mac in different configurations such as Intel 32-bit, 64-bit, and aarch64, there are other platforms such as BSD using NSS that are not covered.
As expected we ran into a couple issues on some platforms such as BSD and Solaris but they were quickly resolved.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 1113; flex-basis: 2671px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-bsd-hacl-bug.png&#34; data-size=&#34;2048x184&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-bsd-hacl-bug.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-bsd-hacl-bug_hu8f546d68494cda5357b945ab8d6d4090_37035_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-bsd-hacl-bug_hu8f546d68494cda5357b945ab8d6d4090_37035_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;2048&#34;
				height=&#34;184&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 1113; flex-basis: 2671px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-solaris-hacl-bug.png&#34; data-size=&#34;2048x184&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-solaris-hacl-bug.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-solaris-hacl-bug_hu19f69798e7220ccf971107e9a02084f9_34408_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-solaris-hacl-bug_hu19f69798e7220ccf971107e9a02084f9_34408_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;2048&#34;
				height=&#34;184&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Especially code that is hardware dependent such as Intel intrinsics needs extra attention.
The &lt;a class=&#34;link&#34; href=&#34;https://github.com/mitls/hacl-star/blob/master/snapshots/kremlib/vec128.h&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;&lt;code&gt;vec128.h&lt;/code&gt;&lt;/a&gt; header used by HACL* to abstract hardware instructions needed a couple iterations before it worked on all supported platforms.&lt;/p&gt;
&lt;h2 id=&#34;handling-change&#34;&gt;Handling change&lt;/h2&gt;
&lt;p&gt;The code imported from HACL* into NSS is not expected to change a lot.
But there are always reasons why the code has to get updated and a process is required to do so.
To fix issues like broken platforms, changes to the upstream projects have to be landed and the snapshot in NSS has to get updated to the new upstream version.
For this process to run smoothly it&amp;rsquo;s necessary for both teams to work together.&lt;/p&gt;
&lt;p&gt;Updating the HACL* code in NSS is pretty easy.
First the new code is generated with a new version of HACL*, formatted, and copied to NSS.
Then the docker image running the CI gets updated.
Here&amp;rsquo;s a diff for a recent update.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 231; flex-basis: 554px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-hacl-patch.png&#34; data-size=&#34;2922x1264&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-hacl-patch.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-hacl-patch_hu805ece9199a9cd293d27098f6d0ff899_195247_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/shipping-some-hacl/nss-hacl-patch_hu805ece9199a9cd293d27098f6d0ff899_195247_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;2922&#34;
				height=&#34;1264&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&#34;running-the-verification-in-nss&#34;&gt;Running the verification in NSS&lt;/h2&gt;
&lt;p&gt;To make sure that whatever we use in NSS actually verifies and the generated code isn&amp;rsquo;t changed manually, the NSS CI has to verify the HACL* snapshot it uses on every run.
NSS uses &lt;a class=&#34;link&#34; href=&#34;https://github.com/taskcluster&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;taskcluster&lt;/a&gt; as CI, which allows us to use a &lt;a class=&#34;link&#34; href=&#34;https://searchfox.org/nss/source/automation/taskcluster/docker-hacl&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;docker image&lt;/a&gt; that re-verifies the used HACL* revision on every push.
Checking the code in NSS is then a simple diff.&lt;/p&gt;
&lt;h1 id=&#34;lessons-learned&#34;&gt;Lessons learned&lt;/h1&gt;
&lt;p&gt;The first lesson is that it&amp;rsquo;s possible to ship formally verified software.
The code is relatively simple and self-contained, which makes this easier.
But it shows that formal verification tools are good enough to be used in production.&lt;/p&gt;
&lt;p&gt;The second lesson we learned is probably the more valuable one.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Talk to each other and work together.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;From an engineering standpoint it might be frightening to start looking at formal verification tools and corresponding languages.
But people working with these tools are happy to help out if that means more people are using their tools.
It will need some effort getting used to the tools and languages but it&amp;rsquo;s well worth it.&lt;/p&gt;
&lt;p&gt;For people working on formal methods; You might have to learn a little more than you wanted to know about differences between different platforms and compilers and how to ship software.
But that might be worth the effort if it means your proofs are used in production software that&amp;rsquo;s used by millions of people.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;Looking for more material on this?
There&amp;rsquo;s a high-level &lt;a class=&#34;link&#34; href=&#34;https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;blog post&lt;/a&gt; that talks about the formal verification work in NSS happening at Mozilla.
There has also been a talk at RWC 2018 earlier this year on this work (&lt;a class=&#34;link&#34; href=&#34;https://rwc.iacr.org/2018/Slides/Beurdouche.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;slides&lt;/a&gt;, &lt;a class=&#34;link&#34; href=&#34;https://www.youtube.com/watch?v=xrZTVRICpSs&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;video&lt;/a&gt;).&lt;/p&gt;
</description>
        </item>
        <item>
        <title>The HACL* approach</title>
        <link>https://www.franziskuskiefer.de/p/the-hacl-approach/</link>
        <pubDate>Wed, 14 Feb 2018 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/the-hacl-approach/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/the-hacl-approach/hacl-chart.png" alt="Featured image of post The HACL* approach" /&gt;&lt;p&gt;HACL* (High-Assurance Cryptographic Library) is a formally verified cryptographic library in &lt;a class=&#34;link&#34; href=&#34;https://www.fstar-lang.org/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;F*&lt;/a&gt;, developed by the &lt;a class=&#34;link&#34; href=&#34;http://prosecco.inria.fr/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Prosecco team&lt;/a&gt; at &lt;a class=&#34;link&#34; href=&#34;https://www.inria.fr/en/centre/paris&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;INRIA Paris&lt;/a&gt; in collaboration with Microsoft Research, as part of &lt;a class=&#34;link&#34; href=&#34;https://github.com/project-everest&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Project Everest&lt;/a&gt;.
HACL* was inspired by discussions at the &lt;a class=&#34;link&#34; href=&#34;https://hacs-workshop.github.io/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HACS workshop&lt;/a&gt; and aims at developing a set of reference implementations in C for common cryptographic primitives.&lt;/p&gt;
&lt;p&gt;This is the first post in a series describing formal verification in NSS as an approach to improve confidence in highly complex, highly security critical code.
In this first post I describe the most important ideas and concepts of HACL*, the basis of most formally verified code in NSS.
If you want to have all the juicy details about HACL*, I recommend reading the &lt;a class=&#34;link&#34; href=&#34;https://github.com/mitls/hacl-star/blob/master/doc/papers/hacl-star-ccs2017.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;CCS&#39;17 paper&lt;/a&gt;.&lt;/p&gt;
&lt;h1 id=&#34;hacl&#34;&gt;HACL*&lt;/h1&gt;
&lt;p&gt;HACL*, though written in F*, can be compiled to C code with guaranteed memory safety, secret independent computation, and functional correctness with respect to some mathematical specification.
Let&amp;rsquo;s first have a look at the high-level idea of HACL* on the example of Curve25519.&lt;/p&gt;
&lt;p&gt;The first step is to take the specification (&lt;a class=&#34;link&#34; href=&#34;https://tools.ietf.org/html/rfc7748&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;RFC 7748&lt;/a&gt; in this case) and translate it into a high level F* specification.
This specification is easy to read and can be checked for correctness against the RFC easily.
All correctness guarantees HACL* gives for the generated C code are based on this specification, i.e. the C code is proven to be functionally equivalent to the the high level specification.
Here the definition of the Montgomery ladder, an excerpt from the &lt;a class=&#34;link&#34; href=&#34;https://github.com/mitls/hacl-star/blob/dev_specs/specs/Spec.Curve25519.fst&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Curve25519 specification&lt;/a&gt;. (Apologies for the highlighting, no F* support.)&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-ocaml&#34; data-lang=&#34;ocaml&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 1&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;rec&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;montgomery_ladder_&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;init&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;elem&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;xp1&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;k&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;scalar&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;ctr&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;nat&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;{&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;ctr&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;&amp;lt;=&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;256&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;})&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 2&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;o&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;nc&#34;&gt;Tot&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;proj_point&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;decreases&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;ctr&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 3&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;k&#34;&gt;if&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;ctr&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;0&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;then&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 4&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;k&#34;&gt;else&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 5&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;ctr&amp;#39;&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;ctr&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;1&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 6&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;x&amp;#39;&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;xp1&amp;#39;&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 7&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;      &lt;span class=&#34;k&#34;&gt;if&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;uint_to_nat&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;ith_bit&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;k&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;ctr&amp;#39;&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;1&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;then&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 8&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;        &lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;nqp2&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;nqp1&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;add_and_double&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;init&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;xp1&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 9&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;        &lt;span class=&#34;n&#34;&gt;nqp1&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;nqp2&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;10&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;      &lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;else&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;add_and_double&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;init&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;xp1&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;11&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;montgomery_ladder_&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;init&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&amp;#39;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;xp1&amp;#39;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;k&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;ctr&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;12&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;Running the reference implementation is possible but obviously slow (it is executed in OCaml).
However a subset of F* (called Low*) can be translated to C using &lt;a class=&#34;link&#34; href=&#34;https://github.com/FStarLang/kremlin&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Kremlin&lt;/a&gt;.
While the specification might be valid Low* code it is not optimised and thus won&amp;rsquo;t yield fast C code.
In order to generate fast C code more efficient Low* code has to be written first.
Looking at state of the art C code for the given algorithm (&lt;a class=&#34;link&#34; href=&#34;https://github.com/jedisct1/libsodium/blob/e878bc141be12820dc6dbcd7a97bf50070bc1e2a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.c&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Curve25519 Donna&lt;/a&gt; for example) Low* code can be written that resembles the fast C code and can be extracted via Kremlin to similarly looking C code.&lt;/p&gt;
&lt;p&gt;At this point the main benefit of the HACL* approach comes to light.
The optimised Low* code (as well as the extracted C code) are hard to get right and even harder to review for correctness, memory safety, and secret independent execution.
Using an SMT solver (&lt;a class=&#34;link&#34; href=&#34;https://github.com/Z3Prover/z3&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Z3&lt;/a&gt; is used in HACL*) and F*&amp;rsquo;s strong type system, functional equivalence is proven between the high-level F* specification and the optimised Low* code.
The Low* code usually has to be enhanced with additional information to help prove the equivalence.
This additional code however is ignored by Kremlin and doesn&amp;rsquo;t get translated to C.&lt;/p&gt;
&lt;p&gt;The following graphic gives an overview of the HACL* process.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 141; flex-basis: 339px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/the-hacl-approach/hacl-chart.png&#34; data-size=&#34;842x595&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/the-hacl-approach/hacl-chart.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/the-hacl-approach/hacl-chart_hubf5385a0c6763cff9ba6bbfffd88a9a5_61924_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/the-hacl-approach/hacl-chart_hubf5385a0c6763cff9ba6bbfffd88a9a5_61924_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;842&#34;
				height=&#34;595&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&#34;an-example---conditional-swap&#34;&gt;An Example - Conditional Swap&lt;/h2&gt;
&lt;p&gt;HACL* is a pretty complex library and it might be hard to understand what&amp;rsquo;s going on.
Therefore I&amp;rsquo;ll give a small example of the basic concepts behind HACL* focusing on functional correctness.&lt;/p&gt;
&lt;p&gt;Conditional swaps are used for example in Curve25519 implementations to swap two variables &lt;code&gt;a&lt;/code&gt; and &lt;code&gt;b&lt;/code&gt; if a certain condition is given, &lt;code&gt;c = 0&lt;/code&gt; here.
In F* this can be written as follows.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-ocaml&#34; data-lang=&#34;ocaml&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;val&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;cswap&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;uint32&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;uint32&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;uint32&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;2&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;nc&#34;&gt;Tot&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;uint32&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;uint32&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;3&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;cswap&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;4&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;k&#34;&gt;if&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;0ul&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;5&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;x&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;6&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;k&#34;&gt;else&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;7&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;y&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;This code can be easily inspected for correctness and is used as specification.
However, this is not the code we want to have as it branches on potentially secret data in &lt;code&gt;c&lt;/code&gt;.
Instead of checking &lt;code&gt;c&lt;/code&gt; for &lt;code&gt;0&lt;/code&gt; we should use masking and logical operations to achieve the variable swapping.
Note that we require &lt;code&gt;c&lt;/code&gt; to be either all &lt;code&gt;1&lt;/code&gt; or all &lt;code&gt;0&lt;/code&gt; now.
This can be easily computed from the single bit &lt;code&gt;c&lt;/code&gt; we had in the previous example.
This looks as follows in pseudo-C-code.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-C&#34; data-lang=&#34;C&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;kt&#34;&gt;void&lt;/span&gt; &lt;span class=&#34;nf&#34;&gt;cswap_constant_time&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;kt&#34;&gt;uint32_t&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;kt&#34;&gt;uint32_t&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;b&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;kt&#34;&gt;uint32_t&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;2&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;kt&#34;&gt;uint32_t&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;mask&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;^&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;b&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;3&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;^&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;mask&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;4&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;b&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;b&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;^&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;mask&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;5&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;The same code in F* (with slightly different input/output behaviour) looks as follows.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-ocaml&#34; data-lang=&#34;ocaml&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;val&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;cswap_constant_time&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;uint32&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;uint32&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;uint32&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;{&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;c&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;0xFFFFFFFFul&lt;/span&gt; &lt;span class=&#34;err&#34;&gt;\&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;/&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;0ul&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;}&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;2&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;nc&#34;&gt;Tot&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;uint32&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;uint32&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;3&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;cswap_constant_time&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;4&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;mask&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;^^&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;&amp;amp;^&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;5&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;a&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;^^&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;mask&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;6&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;b&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;^^&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;mask&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;7&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;b&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;This code is not trivially correct anymore and requires considerable thought by both author and reviewer.
But instead of staring at the code to understand it or writing incomplete tests we can use F* now to prove that &lt;code&gt;cswap_constant_time&lt;/code&gt; is equivalent to our spec, i.e. &lt;code&gt;cswap&lt;/code&gt;.
To this end we write a lemma to ensures that.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-ocaml&#34; data-lang=&#34;ocaml&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;a&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;b&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;cswap_constant_time&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;2&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;let&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;d&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;cswap&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;in&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;3&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;/&lt;/span&gt;&lt;span class=&#34;err&#34;&gt;\&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;b&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;d&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;While this can&amp;rsquo;t be proven immediately it is relatively easy to write some helper lemmata that help F* and Z3 to understand the correctness of this statement.
The C code extracted by Kremlin from the F* code above then looks as follows.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-C&#34; data-lang=&#34;C&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;typedef&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;struct&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;2&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;kt&#34;&gt;uint32_t&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;fst&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;3&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;kt&#34;&gt;uint32_t&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;snd&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;4&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;5&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;n&#34;&gt;K___uint32_t_uint32_t&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;6&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;7&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;n&#34;&gt;K___uint32_t_uint32_t&lt;/span&gt; &lt;span class=&#34;nf&#34;&gt;Impl_CSwap_cswap_constant_time&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;kt&#34;&gt;uint32_t&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;kt&#34;&gt;uint32_t&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;kt&#34;&gt;uint32_t&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;8&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;k&#34;&gt;return&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;((&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;K___uint32_t_uint32_t&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;){&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;.&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;fst&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;^&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;((&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;^&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;.&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;snd&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;^&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;((&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;x&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;^&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;y&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;&amp;amp;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;});&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;9&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;Check out the &lt;a class=&#34;link&#34; href=&#34;https://github.com/franziskuskiefer/the-hacl-approach&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;repository&lt;/a&gt; for the full source code of the example.&lt;/p&gt;
&lt;p&gt;Memory safety can be proven easily as well by specifying liveliness conditions of buffers.
In this example we don&amp;rsquo;t have buffers so no need for verifying memory safety.
We skip proving secret-independent execution here as it requires additional support from HACL*.&lt;/p&gt;
&lt;h1 id=&#34;code-generation-vs-code-verification&#34;&gt;Code Generation vs Code Verification&lt;/h1&gt;
&lt;p&gt;The HACL* approach as described above is a great way of generating fast C code that&amp;rsquo;s proven to be correct, memory safe, and have secret-independent runtime.
For &lt;a class=&#34;link&#34; href=&#34;https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;NSS&lt;/a&gt; we decided to use code generation and integrate code from HACL* into the code base.
However, instead of generating code it would also be possible to verify existing C code with other tools such as Cryptol/SAW to prove similar properties of the code.&lt;/p&gt;
&lt;p&gt;The main advantage of code generation is that the mathematical specifications can be easily used to build more complex algorithms and protocols on top and allow for re-use of specification code.
The trusted code base written in F* is therefore very small.&lt;/p&gt;
&lt;p&gt;The main drawback of generating code is a relatively large third-party code base that has to be trusted in order to generate the code.
The weakest link in the case of HACL* is probably Kremlin, which has a &lt;a class=&#34;link&#34; href=&#34;https://www.microsoft.com/en-us/research/wp-content/uploads/2017/05/icfp17main-main96-p-5064b17-32755-submitted.pdf&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;hand written proof&lt;/a&gt; but is a relatively young piece of code that probably contains bugs.&lt;/p&gt;
&lt;p&gt;There is no optimal solution to this problem that works for everyone but the HACL* approach as described in this post is a great way to get better confidence in correctness and security of complex C code using formal verification.&lt;/p&gt;
&lt;p&gt;In the next post I&amp;rsquo;ll talk about challenges we faced when integrating code from HACL* into NSS and how we solved them.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Introducing HacSpec</title>
        <link>https://www.franziskuskiefer.de/p/introducing-hacspec/</link>
        <pubDate>Thu, 08 Feb 2018 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/introducing-hacspec/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/introducing-hacspec/hero.png" alt="Featured image of post Introducing HacSpec" /&gt;&lt;p&gt;HacSpec is a proposal for a new specification language for cryptographic primitives that is succinct, that is easy to read and implement, and that lends itself to formal verification.
It aims to formalise the pseudocode used in cryptographic standards by proposing a formal syntax that can be checked for simple errors.
HacSpec specifications are further executable to test against test vectors specified in a common syntax.&lt;/p&gt;
&lt;p&gt;The main focus of HacSpec is to allow specifications to be compiled to formal languages such as cryptol, coq, F*, and easycrypt and thus make it easier to formally verify implementations.
This allows a specification using HacSpec to be the basis not only for implementations but also for formal proofs of functional correctness, cryptographic security, and side-channel resistance.&lt;/p&gt;
&lt;p&gt;The idea of having a language like HacSpec stems from discussions at the recent HACS workshop in Zurich.
The &lt;a class=&#34;link&#34; href=&#34;https://hacs-workshop.github.io/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;High-Assurance-Cryptographic-Software workshop (HACS)&lt;/a&gt; is an invite-only workshop co-located with the &lt;a class=&#34;link&#34; href=&#34;https://rwc.iacr.org/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Real World Crypto&lt;/a&gt; symposium.&lt;/p&gt;
&lt;p&gt;Anyone interested in moving this project forward should subscribe to the &lt;a class=&#34;link&#34; href=&#34;https://moderncrypto.org/mail-archive/hacspec/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;mailing list&lt;/a&gt; or file issues and pull requests against the &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Github repository&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id=&#34;how-far-are-we&#34;&gt;How far are we?&lt;/h2&gt;
&lt;p&gt;We discussed and hacked at HACS a month ago and improved a little over the last weeks.
The current state can be found at  &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Github repository&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id=&#34;the-language&#34;&gt;The language&lt;/h3&gt;
&lt;p&gt;There are &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/tree/master/specs&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;examples&lt;/a&gt; written in what we believe could be the HacSpec.
The language is valid Python 3.6 using PEP484 and PEP526 for typing.
It further uses comments (similar to PEP484 types) to define lengths and ranges.&lt;/p&gt;
&lt;p&gt;There are also &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/tree/master/specs/hacspec-rust&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;experiments using Rust&lt;/a&gt; as basis for HacSpec.
While Rust&amp;rsquo;s type system makes it a compelling candidate, limitations in handling integers of arbitrary size means we probably won&amp;rsquo;t be basing HacSpec on Rust.&lt;/p&gt;
&lt;p&gt;The &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/blob/master/LANGUAGE.md&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;language specification&lt;/a&gt; is currently vague and not fully formalised yet.
It lives in a markdown document but will move to an RFC layout later.&lt;/p&gt;
&lt;h3 id=&#34;formal-specifications&#34;&gt;Formal specifications&lt;/h3&gt;
&lt;p&gt;To show how cryptographic primitives are modelled in formal languages we added a number of &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/tree/master/formal-models&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;specifications&lt;/a&gt; in different languages such as cryptol, coq, F*, and easycrypt to the repository.&lt;/p&gt;
&lt;h3 id=&#34;spec-checker&#34;&gt;Spec checker&lt;/h3&gt;
&lt;p&gt;In order to verify whether a specification is a valid HacSpec Aaron started to implement a &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/tree/master/spec-checker&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;spec-checker&lt;/a&gt;.
Basing HacSpec on another language like Python means that not all valid Python programs are valid HacSpec programs.
The spec checker is supposed to tell authors whether a given python program is a valid HacSpec.&lt;/p&gt;
&lt;h3 id=&#34;compilers&#34;&gt;Compilers&lt;/h3&gt;
&lt;p&gt;There&amp;rsquo;s currently a very basic &lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/tree/master/spec-compilers&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;HacSpec to F* compiler&lt;/a&gt; from Karthik.
Eventually we would like to have compilers from HacSpec to all common formal languages such as cryptol, coq, F*, and easycrypt.&lt;/p&gt;
&lt;h2 id=&#34;call-for-participation&#34;&gt;Call for participation&lt;/h2&gt;
&lt;p&gt;We invite contributions in the following areas.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;We invite people to submit “standalone&amp;quot; formal specs for inclusion in the formal-models directory.&lt;/li&gt;
&lt;li&gt;We invite formal methods people to build compilers from HacSpec to their favourite modelling language.&lt;/li&gt;
&lt;li&gt;We invite spec authors and developers to comment on HacSpec and provide examples of what they consider good crypto specs or beautiful “obviously correct” crypto implementations.&lt;/li&gt;
&lt;li&gt;We invite developers to build compilers from HacSpec to their favourite programming language.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;what-hacspec-is-not-about&#34;&gt;What HacSpec is not about&lt;/h2&gt;
&lt;p&gt;HacSpec does &lt;em&gt;not&lt;/em&gt; aim to be general enough to express protocols at this point. While this might be a target in the future the first iteration of HacSpec is only targeting crypto primitives.&lt;/p&gt;
&lt;h2 id=&#34;links&#34;&gt;Links&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;https://github.com/HACS-workshop/hacspec/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Github repository&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;https://moderncrypto.org/mail-archive/hacspec/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Mailing list&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
        </item>
        <item>
        <title>CVE-2017-5462 - A PRNG issue</title>
        <link>https://www.franziskuskiefer.de/p/cve-2017-5462-a-prng-issue/</link>
        <pubDate>Thu, 31 Aug 2017 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/cve-2017-5462-a-prng-issue/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/cve-2017-5462-a-prng-issue/hero.jpg" alt="Featured image of post CVE-2017-5462 - A PRNG issue" /&gt;&lt;p&gt;On April 19, 2017, Mozilla Foundation published the &lt;a class=&#34;link&#34; href=&#34;https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/%5c#CVE-2017-5462&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Security Advisory 2017-10&lt;/a&gt; outlining several recently fixed security vulnerabilities.
One of these vulnerabilities, tracked as CVE-2017-5462, affects the Pseudo-Random Number Generator (PRNG) within the Network Security Services (NSS) library prior to version 3.29.5 and Firefox prior to version 53.&lt;/p&gt;
&lt;p&gt;This post describes the bug and how it was discovered.&lt;/p&gt;
&lt;h1 id=&#34;inside-the-nss-prng&#34;&gt;Inside the NSS PRNG&lt;/h1&gt;
&lt;p&gt;NSS uses &lt;code&gt;Hash_DRBG&lt;/code&gt; as PRNG, which is one of several PRNG schemes defined in the &lt;a class=&#34;link&#34; href=&#34;http://csrc.nist.gov/publications/nistpubs/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;NIST Special Publication 800-90&lt;/a&gt;.
Like most widely used PRNGs the &lt;code&gt;Hash_DRBG&lt;/code&gt; is a Deterministic Random Bit Generator (DRBG). (Even though this term is usually only used for NIST PRNGs.)
While the standard contains all the details, the relevant features can be summarised as follows.&lt;/p&gt;
&lt;p&gt;The state of &lt;code&gt;Hash_DRBG&lt;/code&gt; is composed of three values:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A 55-byte integer state variable &lt;code&gt;V&lt;/code&gt;, which is updated with each
request of new bits&lt;/li&gt;
&lt;li&gt;A 55-byte integer constant &lt;code&gt;C&lt;/code&gt; that depends on the seed and is updated when re-seeding the PRNG.&lt;/li&gt;
&lt;li&gt;A counter &lt;code&gt;c&lt;/code&gt; tracking when the next re-seeding is needed.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To generate random bits, &lt;code&gt;Hash_DRBG&lt;/code&gt; concatenates &lt;code&gt;H(V) || H(V+1) || H(V+2) || ...&lt;/code&gt; until enough bits are generated.
&lt;code&gt;H&lt;/code&gt; denotes a cryptographic hash function here.
NSS uses the SHA-256 hash function for &lt;code&gt;H&lt;/code&gt; with a digest length of 32 bytes.
After generating new bits the state variable &lt;code&gt;V&lt;/code&gt; is updated according to the rule &lt;code&gt;V&lt;/code&gt;&lt;sub&gt;&lt;code&gt;c+1&lt;/code&gt;&lt;/sub&gt; &lt;code&gt; = V + H(0x03 || V&lt;/code&gt;&lt;sub&gt;&lt;code&gt;c&lt;/code&gt;&lt;/sub&gt; &lt;code&gt;) + C + c&lt;/code&gt; and counter &lt;code&gt;c&lt;/code&gt; is incremented by one.
Addition is performed modulo &lt;code&gt;2&lt;/code&gt;&lt;sup&gt;&lt;code&gt;440&lt;/code&gt;&lt;/sup&gt; &lt;code&gt; = 2&lt;/code&gt;&lt;sup&gt;&lt;code&gt;8*55&lt;/code&gt;&lt;/sup&gt; to fit it in the 55 bytes of &lt;code&gt;V&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The PRNG implementation can be found in the file &lt;a class=&#34;link&#34; href=&#34;https://searchfox.org/nss/rev/fcdcad1fc1ddb6e70653637b0ea0f3359b8533f2/lib/freebl/drbg.c&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;drbg.c&lt;/a&gt; within the NSS codebase.&lt;/p&gt;
&lt;h1 id=&#34;cve-2017-5462&#34;&gt;CVE-2017-5462&lt;/h1&gt;
&lt;p&gt;The issue identified in CVE-2017-5462 is in the code implementing the addition.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-C&#34; data-lang=&#34;C&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cm&#34;&gt;/*
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cm&#34;&gt; * build some fast inline functions for adding.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cm&#34;&gt; */&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;#define PRNG_ADD_CARRY_ONLY(dest, start, carry)    \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;    {                                              \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;        int k1;                                    \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;        for (k1 = start; carry &amp;amp;&amp;amp; k1 &amp;gt;= 0; k1--) { \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;            carry = !(++dest[k1]);                 \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;        }                                          \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;    }
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cm&#34;&gt;/*
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cm&#34;&gt; * NOTE: dest must be an array for the following to work.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cm&#34;&gt; */&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;#define PRNG_ADD_BITS(dest, dest_len, add, len, carry)               \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;    carry = 0;                                                       \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;    PORT_Assert((dest_len) &amp;gt;= (len));                                \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;    {                                                                \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;        int k1, k2;                                                  \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;        for (k1 = dest_len - 1, k2 = len - 1; k2 &amp;gt;= 0; --k1, --k2) { \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;            carry += dest[k1] + add[k2];                             \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;            dest[k1] = (PRUint8)carry;                               \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;            carry &amp;gt;&amp;gt;= 8;                                             \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;        }                                                            \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;    }
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;#define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len, carry) \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;    PRNG_ADD_BITS(dest, dest_len, add, len, carry)               \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;cp&#34;&gt;    PRNG_ADD_CARRY_ONLY(dest, dest_len - len, carry)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;When the PRNG performs addition to update &lt;code&gt;V&lt;/code&gt; it uses the macro &lt;code&gt;PRNG_ADD_BITS_AND_CARRY&lt;/code&gt;, which first delegates to the macro &lt;code&gt;PRNG_ADD_BITS&lt;/code&gt; to add the two summands without considering the final carry and then the macro &lt;code&gt;PRNG_ADD_CARRY_ONLY&lt;/code&gt; to add the carry.&lt;/p&gt;
&lt;p&gt;In this addition code it is clear that the carry should be added at the position &lt;em&gt;preceding&lt;/em&gt; the original most-significant-byte of the shorter of the two summands.
This fact was supposed to be represented by the index &lt;code&gt;dest_len-len&lt;/code&gt; supplied as parameter to &lt;code&gt;PRNG_ADD_CARRY_ONLY&lt;/code&gt;.
Note that numbers are represented as sequences of bytes with byte number zero being the most-significant byte.
The essence of the bug is that &lt;code&gt;dest_len-len&lt;/code&gt; does not point to the correct position of the carry, which should have been added at position &lt;code&gt;dest_len-len-1&lt;/code&gt; instead.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 272; flex-basis: 653px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/cve-2017-5462-a-prng-issue/CVE-2017-5462-bug.png&#34; data-size=&#34;822x302&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/cve-2017-5462-a-prng-issue/CVE-2017-5462-bug.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/cve-2017-5462-a-prng-issue/CVE-2017-5462-bug_hub1c2623f6de8a86dd08abf8f9dad51d9_19637_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/cve-2017-5462-a-prng-issue/CVE-2017-5462-bug_hub1c2623f6de8a86dd08abf8f9dad51d9_19637_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;822&#34;
				height=&#34;302&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&#34;example&#34;&gt;Example&lt;/h2&gt;
&lt;p&gt;We note that &lt;code&gt;3 * 0x40 = 0xc0&lt;/code&gt; under both proper and broken addition (the latter due to absence of carrying in this example).
However, &lt;code&gt;3 * 0x95 = 0x01bf&lt;/code&gt; under proper unbounded addition resp. &lt;code&gt;0xbf&lt;/code&gt; under proper modulo addition.
Yet, the result under broken addition is &lt;code&gt;0x01 + 0xbf = 0xc0&lt;/code&gt;.&lt;/p&gt;
&lt;h1 id=&#34;finding-the-bug-with-testing&#34;&gt;Finding the Bug with Testing&lt;/h1&gt;
&lt;p&gt;The easiest way to find most types of bugs in PRNGs following NIST SP 800-90 is by testing the implementation with the official test vectors (seeds and outputs) provided in the standard.
I found the bug after implementing these test vectors.
Functional unit testing would probably have caught this particular bug as well.
For PRNGs not following the NIST standard, defining corresponding test vectors is a good idea to avoid regressions during maintenance.&lt;/p&gt;
&lt;p&gt;Statistical tests such as NIST SP 800-22 or &lt;a class=&#34;link&#34; href=&#34;https://github.com/ticki/diehardest&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;DIEHARDEST&lt;/a&gt; are not very useful for testing cryptographic PRNGs.
They can be used for testing the entropy pool that is fed into the PRNG.
But such tests will not fail as long as the internal state does not stay constant and output passes through a cryptographic primitive (such as SHA-256) before reaching the consumer.&lt;/p&gt;
&lt;h1 id=&#34;formal-analysis&#34;&gt;Formal Analysis&lt;/h1&gt;
&lt;p&gt;Independ of my investigation, &lt;a class=&#34;link&#34; href=&#34;https://formal.iti.kit.edu/klebanov/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Vladimir Klebanov&lt;/a&gt; found this bug using &lt;a class=&#34;link&#34; href=&#34;https://formal.iti.kit.edu/~klebanov/software/entroposcope/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Entroposcope&lt;/a&gt;, a static analysis tool created for finding implementation bugs in pseudo-random number generators.&lt;/p&gt;
&lt;p&gt;Entropy loss occurs when the number of possible output streams is less than the number of possible seeds.
This is equivalent to the case when two different seeds produce the same output stream (also called a collision).
Entroposcope is built on top of the bounded model checker &lt;a class=&#34;link&#34; href=&#34;https://link.springer.com/chapter/10.1007/978-3-642-54862-8_26&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;CBMC&lt;/a&gt;, which in turn transforms the problem into a challenge for a &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Boolean_satisfiability_problem&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;SAT solver&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Considering the &lt;code&gt;Hash_DRBG&lt;/code&gt;, the question whether &lt;code&gt;V&lt;/code&gt;&lt;sub&gt;&lt;code&gt;c+1&lt;/code&gt;&lt;/sub&gt; &lt;code&gt; = V + H(0x03 || V&lt;/code&gt;&lt;sub&gt;&lt;code&gt;c&lt;/code&gt;&lt;/sub&gt; &lt;code&gt;) + C + c&lt;/code&gt; produces a collision and the DRBG loses entropy or not boils down to whether distinct 55-byte values &lt;code&gt;x&lt;/code&gt;&lt;sub&gt;&lt;code&gt;1&lt;/code&gt;&lt;/sub&gt;, &lt;code&gt;x&lt;/code&gt;&lt;sub&gt;&lt;code&gt;2&lt;/code&gt;&lt;/sub&gt; exist, such that &lt;code&gt;x&lt;/code&gt;&lt;sub&gt;&lt;code&gt;1&lt;/code&gt;&lt;/sub&gt; &lt;code&gt; + H(x&lt;/code&gt;&lt;sub&gt;&lt;code&gt;1&lt;/code&gt;&lt;/sub&gt;&lt;code&gt;) = x&lt;/code&gt;&lt;sub&gt;&lt;code&gt;2&lt;/code&gt;&lt;/sub&gt; &lt;code&gt; + H(x&lt;/code&gt;&lt;sub&gt;&lt;code&gt;2&lt;/code&gt;&lt;/sub&gt;&lt;code&gt;)&lt;/code&gt;.
Now, it is clear that this question cannot be answered without either knowing the output of &lt;code&gt;H&lt;/code&gt; for each 55-byte input (which is infeasible) or some (unknown to us and certainly also to the tool) nontrivial mathematical argument on the nature of &lt;code&gt;H&lt;/code&gt; in this context.
In this regard, the &lt;code&gt;Hash_DRBG&lt;/code&gt; differs from many other PRNGs that employ significantly simpler operations on the output of &lt;code&gt;H&lt;/code&gt; before it makes its way to the PRNG caller.&lt;/p&gt;
&lt;p&gt;As a consequence of this design, Entroposcope can not be used to prove absence of entropy loss in the &lt;code&gt;Hash_DRBG&lt;/code&gt;.
Nonetheless, Entroposcope can check collision-freedom of the PRNG under an idealised &lt;code&gt;H&lt;/code&gt; and find bugs in the parts of the implementation that are not &lt;code&gt;H&lt;/code&gt;.
For this purpose we consider an idealised PRNG with &lt;code&gt;H(b||V) = V&lt;/code&gt; and &lt;code&gt;C = V&lt;/code&gt;&lt;sub&gt;&lt;code&gt;0&lt;/code&gt;&lt;/sub&gt;.
This is the same kind of idealisation that helped Vladimir to uncover previously unknown bugs in OpenSSL and &lt;a class=&#34;link&#34; href=&#34;https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;GnuPG&lt;/a&gt;.
With the idealisation, on the first iteration (&lt;code&gt;c = 0&lt;/code&gt;) updating the state becomes &lt;code&gt;V&lt;/code&gt;&lt;sub&gt;&lt;code&gt;1&lt;/code&gt;&lt;/sub&gt; &lt;code&gt; = 3 * V&lt;/code&gt;&lt;sub&gt;&lt;code&gt;0&lt;/code&gt;&lt;/sub&gt;.
Because &lt;code&gt;3&lt;/code&gt; and &lt;code&gt;2&lt;/code&gt;&lt;sup&gt;&lt;code&gt;440&lt;/code&gt;&lt;/sup&gt; are co-prime, &lt;code&gt;V&lt;/code&gt;&lt;sub&gt;&lt;code&gt;1&lt;/code&gt;&lt;/sub&gt; will not produce a collision if implemented properly.&lt;/p&gt;
&lt;p&gt;Indeed, given the idealised code, Entroposcope produced a counterexample to entropy preservation with two concrete seeds leading to the same output stream.
Tracing these two executions makes it easy to pinpoint the cause of the collision in the addition code.&lt;/p&gt;
&lt;p&gt;Thanks to Vladimir for finding this bug and helping to write this post.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>New Website</title>
        <link>https://www.franziskuskiefer.de/p/new-website/</link>
        <pubDate>Tue, 29 Aug 2017 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/new-website/</guid>
        <description>&lt;p&gt;After a couple of years using &lt;a class=&#34;link&#34; href=&#34;https://ghost.org&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ghost&lt;/a&gt; I switched to the static page generator &lt;a class=&#34;link&#34; href=&#34;https://gohugo.io/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;hugo&lt;/a&gt;.
Hugo is easy to write and easy to publish.
But more importantly it doesn&amp;rsquo;t offer the attack surface ghost does and doesn&amp;rsquo;t require external ressources like ghost does.
It further decreases the amount of ressources used on the server.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Aes Gcm Speedup</title>
        <link>https://www.franziskuskiefer.de/p/aes-gcm-speedup/</link>
        <pubDate>Tue, 27 Jun 2017 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/aes-gcm-speedup/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/aes-gcm-speedup/linux64-encrypt.png" alt="Featured image of post Aes Gcm Speedup" /&gt;&lt;p&gt;AES-GCM is a NIST standardised authenticated encryption algorithm (FIPS 800-38D). Since its standardisation in 2008 its usage increased to a point where it is the prevalent encryption used with TLS. With 85% it is by far the &lt;a class=&#34;link&#34; href=&#34;https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&amp;amp;end_date=2017-05-24&amp;amp;keys=__none__!__none__!__none__&amp;amp;max_channel_version=release%252F53&amp;amp;measure=SSL_SYMMETRIC_CIPHER_FULL&amp;amp;min_channel_version=null&amp;amp;processType=*&amp;amp;product=Firefox&amp;amp;sanitize=1&amp;amp;sort_keys=submissions&amp;amp;start_date=2017-04-13&amp;amp;table=0&amp;amp;trim=1&amp;amp;use_submission_date=0&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;most widely used cipher&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 214; flex-basis: 514px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/Screenshot-from-2017-06-14-10-09-27.png&#34; data-size=&#34;2136x996&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/Screenshot-from-2017-06-14-10-09-27.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/Screenshot-from-2017-06-14-10-09-27_hu5f9a0a1e55af718e3b7c22a01d1d2b21_69058_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/aes-gcm-speedup/Screenshot-from-2017-06-14-10-09-27_hu5f9a0a1e55af718e3b7c22a01d1d2b21_69058_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;2136&#34;
				height=&#34;996&#34;
				loading=&#34;lazy&#34;
				alt=&#34;Firefox 53 TLS cipher telemetry&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;Firefox 53 TLS cipher telemetry&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Unfortunately the AES-GCM implementation used in Firefox (provided by NSS) does not take advantage of full hardware acceleration; it uses a slower software-only implementation on Mac, Linux 32-bit, or any device that doesn&amp;rsquo;t have the &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Advanced_Vector_Extensions&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;AVX&lt;/a&gt;, &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/CLMUL_instruction_set&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;PCLMUL&lt;/a&gt;, and &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/AES_instruction_set&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;AES-NI&lt;/a&gt; hardware instructions. Looking at these numbers about only 30% of Firefox users get full hardware acceleration.&lt;/p&gt;
&lt;p&gt;Before jumping on the obvious issue of Firefox’s AES-GCM code being comparatively slow – as well as not being resistant to &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/Side-channel_attack&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;side channel analysis&lt;/a&gt; –  I wanted to see what the actual impact on Firefox users is. Downloading a file on a mid-2015 MacBook Pro Retina with Firefox incurs CPU usage of 50% with 17% of Firefox&amp;rsquo;s CPU usage is in &lt;code&gt;ssl3_AESGCM&lt;/code&gt;. In comparison, Chrome only creates 15% CPU usage with the same download. On a Windows laptop with an AMD C-70 (no AES-NI) Firefox CPU usage is 60% and the download speed is capped at 3.5MB/s. Chrome on the same machine needs 50% of the CPU and downloads with 10MB/s. This doesn&amp;rsquo;t seem to be only an academic issue: Particularly for battery-operated devices, the energy consumption difference would be noticeable.&lt;/p&gt;
&lt;h1 id=&#34;improving-gcm-performance&#34;&gt;Improving GCM performance&lt;/h1&gt;
&lt;p&gt;Speeding up the GCM multiplication function is the first obvious step to improve AES-GCM performance. A &lt;a class=&#34;link&#34; href=&#34;https://bugzilla.mozilla.org/show_bug.cgi?id=868948&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;bug&lt;/a&gt; was opened on integration of the original AES-GCM code to provide an alternative to the textbook implementation of &lt;code&gt;gcm_HashMult&lt;/code&gt;. This code is not only slow but has timing side channels. Here an excerpt from the &lt;a class=&#34;link&#34; href=&#34;https://searchfox.org/mozilla-central/rev/d67ef71097da4d1aa344c9d9c672e49a7228e765/security/nss/lib/freebl/mpi/mp_gf2m.c#337&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;binary multiplication&lt;/a&gt; algorithm.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-C++&#34; data-lang=&#34;C++&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;for&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;ib&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;mi&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;ib&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;&amp;lt;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;b_used&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;ib&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;++&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;b_i&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;pb&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;++&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;cm&#34;&gt;/* Inner product:  Digits of a */&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;if&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;b_i&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;       &lt;span class=&#34;n&#34;&gt;s_bmul_d_add&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;MP_DIGITS&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;a&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;),&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;a_used&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;b_i&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;MP_DIGITS&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;+&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;ib&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;else&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;        &lt;span class=&#34;nf&#34;&gt;MP_DIGIT&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;c&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;ib&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;+&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;a_used&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;b_i&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;We can improve on two fronts here. First NSS should use PCLMUL to speed up the ghash multiplication if possible. Second if PCLMUL is not available, NSS should use a fast constant-time implementation.&lt;/p&gt;
&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://bugzilla.mozilla.org/show_bug.cgi?id=868948&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Bug 868948&lt;/a&gt; has several attempts of speeding up the software implementation without introducing timing side-channels. Unfortunately the fastest code that was proposed uses table lookups and is therefore not constant-time. Thanks to &lt;a class=&#34;link&#34; href=&#34;https://www.bearssl.org/constanttime.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Thomas Pornin&lt;/a&gt; I found a nicer way to implement the binary multiplication in a way that doesn&amp;rsquo;t leak any timing information and is still faster than any other code I&amp;rsquo;ve seen. (Check out Thomas&amp;rsquo; excellent write-up for details.)&lt;/p&gt;
&lt;p&gt;If PCLMUL is available on the CPU, using it is of course the way to go. All modern compilers support intrinsics, which allows us to write &amp;ldquo;inline assembly&amp;rdquo; in C that runs on all platforms without having to write assembly. A hardware accelerated implementation of the ghash multiplication can be &lt;a class=&#34;link&#34; href=&#34;https://searchfox.org/nss/rev/40ab32e6acb227e7ede4734573e448ff43d179d5/lib/freebl/gcm.c#314&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;easily implemented&lt;/a&gt; with &lt;a class=&#34;link&#34; href=&#34;https://software.intel.com/sites/landingpage/IntrinsicsGuide/#text=clmul&amp;amp;expand=641&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;&lt;code&gt;_mm_clmulepi64_si128&lt;/code&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;On Mac and Linux the new 32-bit and 64-bit software ghash functions (faster and constant-time) are used on the respective platforms if PCLMUL or AVX is not available. Since Windows doesn&amp;rsquo;t support 128-bit integers (outside of registers) NSS falls back to the slower 32-bit ghash code (which is still more than 25% faster).&lt;/p&gt;
&lt;h1 id=&#34;improving-aes-performance&#34;&gt;Improving AES performance&lt;/h1&gt;
&lt;p&gt;To speed up AES NSS requires hardware acceleration on Mac as well as on Linux 32-bit and any machine that doesn&amp;rsquo;t support AVX (or has it disabled). When NSS can&amp;rsquo;t use the specialised AES code it falls back to a table-based implementation that is again not constant-time (in addition to being slow). Implementing AES with &lt;a class=&#34;link&#34; href=&#34;https://software.intel.com/sites/landingpage/IntrinsicsGuide/#text=aes&amp;amp;expand=641&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;intrinsics&lt;/a&gt; is a breeze.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-C++&#34; data-lang=&#34;C++&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;m&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;_mm_xor_si128&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;m&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;cx&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;keySchedule&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;mi&#34;&gt;0&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;]);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;for&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;i&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;mi&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;i&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;&amp;lt;&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;cx&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;Nr&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;++&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;i&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;        &lt;span class=&#34;n&#34;&gt;m&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;_mm_aesenc_si128&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;m&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;cx&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;keySchedule&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;i&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;]);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;m&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;=&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;_mm_aesenclast_si128&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;(&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;m&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;cx&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;keySchedule&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;cx&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;-&amp;gt;&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;Nr&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;]);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;_mm_storeu_si128&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;((&lt;/span&gt;&lt;span class=&#34;kr&#34;&gt;__m128i&lt;/span&gt; &lt;span class=&#34;o&#34;&gt;*&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;)&lt;/span&gt;&lt;span class=&#34;n&#34;&gt;output&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;,&lt;/span&gt; &lt;span class=&#34;n&#34;&gt;m&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Key expansion is a little bit more involved (for 192 and 256 bit). But is &lt;a class=&#34;link&#34; href=&#34;https://searchfox.org/nss/rev/40ab32e6acb227e7ede4734573e448ff43d179d5/lib/freebl/rijndael.c#393&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;written&lt;/a&gt; in about 100 lines as well.&lt;/p&gt;
&lt;p&gt;Mac sees the biggest improvement here. Previously, only Windows and 64-bit Linux used AES-NI, and now all desktop x86 and x64 platforms use it when available.&lt;/p&gt;
&lt;h1 id=&#34;looking-at-the-numbers&#34;&gt;Looking at the numbers&lt;/h1&gt;
&lt;p&gt;To measure the performance gain of the new AES-GCM code I encrypt a 479MB file with a 128-bit key (the most widely used key size for AES-GCM). Note that these numbers are supposed to show a trend and heavily depend on the used machine and system load at the time.&lt;/p&gt;
&lt;p&gt;Linux measurements are done on an Intel Core i7-4790, Windows measurements on a Surface Pro 2 with an Intel Core i5-4300U, and Mac (Core i7-4980HQ).&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 161; flex-basis: 387px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/linux64-encrypt.png&#34; data-size=&#34;665x412&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/linux64-encrypt.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/linux64-encrypt_huda4d54ffc045a6df2c10e7f1ccf14ff2_16323_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/aes-gcm-speedup/linux64-encrypt_huda4d54ffc045a6df2c10e7f1ccf14ff2_16323_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;665&#34;
				height=&#34;412&#34;
				loading=&#34;lazy&#34;
				alt=&#34;Linux 64-bit encrypt&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;Linux 64-bit encrypt&lt;/figcaption&gt;
		
	&lt;/figure&gt;
&lt;figure style=&#34;flex-grow: 161; flex-basis: 387px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/linux32-encrypt.png&#34; data-size=&#34;657x407&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/linux32-encrypt.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/linux32-encrypt_hucce0dfca27d67dcda26a65d2301bc90b_16065_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/aes-gcm-speedup/linux32-encrypt_hucce0dfca27d67dcda26a65d2301bc90b_16065_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;657&#34;
				height=&#34;407&#34;
				loading=&#34;lazy&#34;
				alt=&#34;Linux 32-bit encrypt&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;Linux 32-bit encrypt&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;On 64-bit Linux performance of any machine without AES, PCLMUL, or AVX instructions AES-GCM 128 is at least twice as fast now. If AES and PCLMUL is available, the new code only needs 33% of the time the old code took.
The speed-up for 32-bit Linux is obviously more significant as it didn&amp;rsquo;t have any hardware accelerated code before. With full hardware acceleration the new code is more than 5 times faster than before. In the worst case, when PCLMUL is not available, the speed-up is still more than 50%.&lt;/p&gt;
&lt;p&gt;The story is similar on Windows (though NSS had fast code for 32-bit there before).
&lt;figure style=&#34;flex-grow: 161; flex-basis: 388px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/win64-encrypt.png&#34; data-size=&#34;600x371&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/win64-encrypt.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/win64-encrypt_hu3b62eb12f348f7d9b3aa610b0b943c26_15674_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/aes-gcm-speedup/win64-encrypt_hu3b62eb12f348f7d9b3aa610b0b943c26_15674_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;600&#34;
				height=&#34;371&#34;
				loading=&#34;lazy&#34;
				alt=&#34;Windows 64-bit encrypt&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;Windows 64-bit encrypt&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 161; flex-basis: 388px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/win32-encrypt.png&#34; data-size=&#34;600x371&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/win32-encrypt.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/win32-encrypt_hu533803961d0a3074675e94ea5790f682_15875_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/aes-gcm-speedup/win32-encrypt_hu533803961d0a3074675e94ea5790f682_15875_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;600&#34;
				height=&#34;371&#34;
				loading=&#34;lazy&#34;
				alt=&#34;Windows 32-bit encrypt&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;Windows 32-bit encrypt&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Performance improvements on Mac (64-bit only) range from 60% in the best case to 44% when AES-NI or PCLMUL is not available.
&lt;figure style=&#34;flex-grow: 161; flex-basis: 388px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/mac-encrypt.png&#34; data-size=&#34;600x371&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/mac-encrypt.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/aes-gcm-speedup/mac-encrypt_hu4ba5f102de44d3485e65e8c5037b0668_14721_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/aes-gcm-speedup/mac-encrypt_hu4ba5f102de44d3485e65e8c5037b0668_14721_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;600&#34;
				height=&#34;371&#34;
				loading=&#34;lazy&#34;
				alt=&#34;OS-X encrypt&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;OS-X encrypt&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;h1 id=&#34;the-numbers-in-firefox&#34;&gt;The numbers in Firefox&lt;/h1&gt;
&lt;p&gt;NSS 3.32 (Firefox 56) will ship with the new AES-GCM code. It will provide significantly reduced CPU usage for most TLS connections or higher download rates. NSS 3.32 is more intelligent in detecting the CPU&amp;rsquo;s capabilities and using hardware acceleration whenever possible. Assuming that all intrinsics and mathematical operations (other than division) are constant-time on the CPU, the new code doesn&amp;rsquo;t have any timing side-channels.&lt;/p&gt;
&lt;p&gt;On the basic laptop with the AMD C-70 download rates increased from ~3MB/s to ~6MB/s. (Keep in mind that this is the software only 32-bit implementation.)&lt;/p&gt;
&lt;p&gt;The most immediate effect can be seen on Mac. &lt;code&gt;AES_Decrypt&lt;/code&gt; as part of a TLS connection with &lt;a class=&#34;link&#34; href=&#34;http://bit.ly/2rGm8S0&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;NSS 3.31 used 9% CPU&lt;/a&gt; while in &lt;a class=&#34;link&#34; href=&#34;http://bit.ly/2rGvGfz&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;NSS 3.32 it uses only 4%&lt;/a&gt;.
To see general performance improvements we can look at the case where AVX is not available (which is the case for about 2/3 of the Firefox population). Assuming that at least AES-NI and PCLMUL is supported by the CPU we see the CPU usage drop from &lt;a class=&#34;link&#34; href=&#34;https://perfht.ml/2rrqbWS&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;15%&lt;/a&gt; to &lt;a class=&#34;link&#34; href=&#34;https://perfht.ml/2sa3aoA&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;3%&lt;/a&gt; (measured on Linux).&lt;/p&gt;
</description>
        </item>
        <item>
        <title>On Constant Time Division</title>
        <link>https://www.franziskuskiefer.de/p/on-constant-time-division/</link>
        <pubDate>Wed, 28 Dec 2016 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/on-constant-time-division/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/on-constant-time-division/plot_low-1.png" alt="Featured image of post On Constant Time Division" /&gt;&lt;p&gt;Writing constant time code is hard. We all know that. But I&amp;rsquo;m always amazed again on how difficult it is. In preparation for making NSS more constant time I looked into certain CPU instructions that are known to be not constant time.
So I wrote a little thing to measure the time (CPU cycles) needed for division.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-asm&#34; data-lang=&#34;asm&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;nf&#34;&gt;div&lt;/span&gt;     &lt;span class=&#34;no&#34;&gt;rcx&lt;/span&gt;                     &lt;span class=&#34;c&#34;&gt;; eax is now a/b
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The CPU I&amp;rsquo;m using in this post is an Intel i7-4790 (haswell). Running the same measurements on other processors architectures will most likely yield different results. I&amp;rsquo;m describing two experiments I did. First, I look at bits in the divisor and how they influence the timing of the division. And then I look at the dividend and its influence.&lt;/p&gt;
&lt;h1 id=&#34;the-divisor&#34;&gt;The Divisor&lt;/h1&gt;
&lt;p&gt;There are two interesting things we can look at here. The very small divisors as well as the pattern that we get in larger divisors.&lt;/p&gt;
&lt;h2 id=&#34;-129&#34;&gt;&amp;lt; 129&lt;/h2&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 189; flex-basis: 455px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/on-constant-time-division/plot_low-1.png&#34; data-size=&#34;2558x1347&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/on-constant-time-division/plot_low-1.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/on-constant-time-division/plot_low-1_huce53492d5f2ce19360b675e9dc98bbf5_27543_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/on-constant-time-division/plot_low-1_huce53492d5f2ce19360b675e9dc98bbf5_27543_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;2558&#34;
				height=&#34;1347&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This graph plots the number of cycles needed for the division of numbers &amp;lt; 130. It&amp;rsquo;s easy to see that the number of cycles needed is in general around 300. However, there are a couple of &amp;ldquo;outliers&amp;rdquo; that need significantly less.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-C&#34; data-lang=&#34;C&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;mi&#34;&gt;128&lt;/span&gt;    &lt;span class=&#34;mi&#34;&gt;123&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;     &lt;span class=&#34;mi&#34;&gt;64&lt;/span&gt;    &lt;span class=&#34;mi&#34;&gt;135&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;     &lt;span class=&#34;mi&#34;&gt;32&lt;/span&gt;    &lt;span class=&#34;mi&#34;&gt;132&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;     &lt;span class=&#34;mi&#34;&gt;16&lt;/span&gt;    &lt;span class=&#34;mi&#34;&gt;132&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;      &lt;span class=&#34;mi&#34;&gt;8&lt;/span&gt;    &lt;span class=&#34;mi&#34;&gt;123&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;      &lt;span class=&#34;mi&#34;&gt;4&lt;/span&gt;    &lt;span class=&#34;mi&#34;&gt;123&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;      &lt;span class=&#34;mi&#34;&gt;2&lt;/span&gt;    &lt;span class=&#34;mi&#34;&gt;123&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;      &lt;span class=&#34;mi&#34;&gt;1&lt;/span&gt;    &lt;span class=&#34;mi&#34;&gt;126&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;You might have spotted the pattern already. The CPU probably doesn&amp;rsquo;t want to do this expensive division and simply shifts the dividend to get the result. This trend continues later on but is more difficult to observe. (And there&amp;rsquo;s a more interesting pattern there.)&lt;/p&gt;
&lt;h2 id=&#34;the-larger-pattern&#34;&gt;The larger pattern&lt;/h2&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 189; flex-basis: 455px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/on-constant-time-division/plot-1.png&#34; data-size=&#34;2558x1347&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/on-constant-time-division/plot-1.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/on-constant-time-division/plot-1_hu073c079b2c02c107a45a8bdb3c7ba1dd_166100_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/on-constant-time-division/plot-1_hu073c079b2c02c107a45a8bdb3c7ba1dd_166100_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;2558&#34;
				height=&#34;1347&#34;
				loading=&#34;lazy&#34;
				&gt;
		&lt;/a&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The graph shows a striking pattern and makes it obvious that division is not constant-time. Let&amp;rsquo;s try to understand what&amp;rsquo;s happening here.&lt;/p&gt;
&lt;p&gt;The first part of the pattern can be explained by changing bit-lengths in the divisor. At &lt;code&gt;8191&lt;/code&gt; and &lt;code&gt;16383&lt;/code&gt; for example a streak of fast division ends. This is probably because the &lt;code&gt;8192&lt;/code&gt; and &lt;code&gt;16384&lt;/code&gt; require an additional bit each.&lt;/p&gt;
&lt;p&gt;However, I&amp;rsquo;m clueless on how to explain the rest of the pattern.&lt;/p&gt;
&lt;p&gt;(I&amp;rsquo;ll update this post when I figured out what&amp;rsquo;s going on.)&lt;/p&gt;
</description>
        </item>
        <item>
        <title>NSS Static Analysis</title>
        <link>https://www.franziskuskiefer.de/p/nss-static-analysis/</link>
        <pubDate>Wed, 25 May 2016 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/nss-static-analysis/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/nss-static-analysis/static-analysis.png" alt="Featured image of post NSS Static Analysis" /&gt;&lt;p&gt;When I started working on &lt;a class=&#34;link&#34; href=&#34;https://nss-crypto.org/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;NSS&lt;/a&gt; 7 months ago one of the tasks I was asked to do was to work through the related &lt;a class=&#34;link&#34; href=&#34;https://www.coverity.com/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Coverity&lt;/a&gt; issues. This post summarises some learnings from this as we&amp;rsquo;ve since come a long way since over the last months.&lt;/p&gt;
&lt;p&gt;Static analysis plays a crucial part in locating vulnerabilities and bugs during development. For NSS we currently use multiple &lt;a class=&#34;link&#34; href=&#34;https://scan.coverity.com/projects/nss/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;static&lt;/a&gt; &lt;a class=&#34;link&#34; href=&#34;http://clang-analyzer.llvm.org/scan-build.html&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;analysis&lt;/a&gt; &lt;a class=&#34;link&#34; href=&#34;http://fbinfer.com&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;tools&lt;/a&gt;. While scan-build as well as infer are great applications to find bugs, they require a lot of manual management. Features such as the &lt;code&gt;incremental&lt;/code&gt; analysis of infer help with that though. Nonetheless, Coverity with its rich interface is the tool driving day to day analysis of NSS.&lt;/p&gt;
&lt;p&gt;When I started working on static analysis issues in NSS we only had Coverity scans for NSS releases &lt;a class=&#34;link&#34; href=&#34;https://scan.coverity.com/projects/firefox/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;in Firefox&lt;/a&gt;, which meant that we had to wait for six weeks or more to get feedback from the analyser on possible bugs. Now we have regular scans of the &lt;a class=&#34;link&#34; href=&#34;https://scan.coverity.com/projects/nss/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;NSS tree&lt;/a&gt; as well as local scans with scan-build and infer.&lt;/p&gt;
&lt;h1 id=&#34;challenges-of-a-crypto-library&#34;&gt;Challenges of a crypto library&lt;/h1&gt;
&lt;p&gt;A big challenge when doing static analysis of a low-level (cryptographic) library is the high number of false positives. Errors like &lt;code&gt;tainted value&lt;/code&gt; can very likely be totally benign code that shifts around some bits as often necessary for efficiently and securely implemented crypto algorithms. Many false positives also mean a lot of work without actually improving the code and an increased probability of missing an actual bug.&lt;/p&gt;
&lt;h1 id=&#34;dealing-with-technical-debt&#34;&gt;Dealing with technical debt&lt;/h1&gt;
&lt;p&gt;A library as old as NSS naturally comes with a lot of technical debt, which creates a huge backlog of static analysis bugs. Mostly in code that hasn&amp;rsquo;t been of big interested to most developers so far.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 143; flex-basis: 343px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/nss-static-analysis/static-analysis.png&#34; data-size=&#34;848x592&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/nss-static-analysis/static-analysis.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/nss-static-analysis/static-analysis_huc854eceb7630f71da830422ef5cde544_30572_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/nss-static-analysis/static-analysis_huc854eceb7630f71da830422ef5cde544_30572_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;848&#34;
				height=&#34;592&#34;
				loading=&#34;lazy&#34;
				alt=&#34;Coverity Analysis Overview&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;Coverity Analysis Overview&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;In our case tools such as Coverity come in especially handy as they allow for regular incremental scans with automatic updates on new bugs. We still have a long way to go to fix old bugs but the good news is that new bugs are rarely introduced and newly introduced bugs get fixed right away.&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 282; flex-basis: 678px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/nss-static-analysis/density.png&#34; data-size=&#34;848x300&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/nss-static-analysis/density.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/nss-static-analysis/density_hu59c06ea3c4ebb4d1c512c726b1aeb63f_25376_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/nss-static-analysis/density_hu59c06ea3c4ebb4d1c512c726b1aeb63f_25376_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;848&#34;
				height=&#34;300&#34;
				loading=&#34;lazy&#34;
				alt=&#34;Coverity density over time&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;Coverity density over time&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The long-term goal is obviously to reduce the backlog of bugs to an acceptable level by either fixing or removing the code. But I think static analysis tools already significantly improved the quality of all new code.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>RawGit Firefox Extension</title>
        <link>https://www.franziskuskiefer.de/p/rawgit-firefox-extension/</link>
        <pubDate>Sat, 02 Jan 2016 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/rawgit-firefox-extension/</guid>
        <description>&lt;p&gt;~This extension doesn&amp;rsquo;t work from Firefox 57 on. I might update it when I find time.~&lt;/p&gt;
&lt;p&gt;Ever wanted to view HTML pages directly from GitHub? Me too. Unfortunately the &lt;code&gt;Raw&lt;/code&gt; button doesn&amp;rsquo;t render the HTML but only displays the source code. There are a bunch of Chrome extensions that add a button to open file from Github at &lt;code&gt;rawgit&lt;/code&gt; directly, but none for Firefox. So I wrote one. It&amp;rsquo;s still an early version and more of a hack than a real extension, but it works (mostly).&lt;/p&gt;
&lt;p&gt;Instead of
&lt;figure style=&#34;flex-grow: 667; flex-basis: 1602px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/rawgit-firefox-extension/Screenshot-from-2016-01-02-15-19-58.png&#34; data-size=&#34;247x37&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/rawgit-firefox-extension/Screenshot-from-2016-01-02-15-19-58.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/rawgit-firefox-extension/Screenshot-from-2016-01-02-15-19-58_hu98c9fb5ffe9aff8544657a18ef3ffb49_2758_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/rawgit-firefox-extension/Screenshot-from-2016-01-02-15-19-58_hu98c9fb5ffe9aff8544657a18ef3ffb49_2758_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;247&#34;
				height=&#34;37&#34;
				loading=&#34;lazy&#34;
				alt=&#34;without extension&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;without extension&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;you get now&lt;/p&gt;
&lt;p&gt;&lt;figure style=&#34;flex-grow: 866; flex-basis: 2080px&#34;&gt;
		&lt;a href=&#34;https://www.franziskuskiefer.de/p/rawgit-firefox-extension/Screenshot-from-2016-01-02-15-19-28.png&#34; data-size=&#34;312x36&#34;&gt;&lt;img src=&#34;https://www.franziskuskiefer.de/p/rawgit-firefox-extension/Screenshot-from-2016-01-02-15-19-28.png&#34;
				srcset=&#34;https://www.franziskuskiefer.de/p/rawgit-firefox-extension/Screenshot-from-2016-01-02-15-19-28_hu9b7f2beaeb90ce07178bb8e339826ea8_3128_480x0_resize_box_3.png 480w, https://www.franziskuskiefer.de/p/rawgit-firefox-extension/Screenshot-from-2016-01-02-15-19-28_hu9b7f2beaeb90ce07178bb8e339826ea8_3128_1024x0_resize_box_3.png 1024w&#34;
				width=&#34;312&#34;
				height=&#34;36&#34;
				loading=&#34;lazy&#34;
				alt=&#34;with extension&#34;&gt;
		&lt;/a&gt;
		
		&lt;figcaption&gt;with extension&lt;/figcaption&gt;
		
	&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Download the source code at &lt;a class=&#34;link&#34; href=&#34;https://github.com/franziskuskiefer/firefox-rawgit&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Github&lt;/a&gt; or download the &lt;a class=&#34;link&#34; href=&#34;https://github.com/franziskuskiefer/firefox-rawgit/releases&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;signed extension&lt;/a&gt;.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Submitting through Editorial Manager</title>
        <link>https://www.franziskuskiefer.de/p/submitting-through-editorial-manager/</link>
        <pubDate>Fri, 06 Mar 2015 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/submitting-through-editorial-manager/</guid>
        <description>&lt;p&gt;Today I had to submit a paper through the Editorial Manager (used by Springer) for the first time. Needless to say that it&amp;rsquo;s not as easy as it sounds. Therefore here some helpful links for everyone having to do the same. I ended up putting the references in the .tex file as nothing else worked for me.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;http://www.bartneck.de/2010/09/30/submitting-your-latex-manuscript-to-editorial-manager-springer-elsevier/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;http://www.bartneck.de/2010/09/30/submitting-your-latex-manuscript-to-editorial-manager-springer-elsevier/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class=&#34;link&#34; href=&#34;http://drezha.me.uk/post/22719621060/submitting-a-springerlink-elsvier-journal-using&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;http://drezha.me.uk/post/22719621060/submitting-a-springerlink-elsvier-journal-using&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
        </item>
        <item>
        <title>OpenVPN HowTo</title>
        <link>https://www.franziskuskiefer.de/p/openvpn-howto/</link>
        <pubDate>Sun, 12 Oct 2014 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/openvpn-howto/</guid>
        <description>&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://openvpn.net&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;OpenPVN&lt;/a&gt; is an easy to set-up and use VPN solution that offer &lt;a class=&#34;link&#34; href=&#34;https://en.wikipedia.org/wiki/TUN/TAP&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;TUN/TAP&lt;/a&gt; support. In this tutorial I describe how to set-up an OpenVPN connection between a Ubuntu server and an Arch client.&lt;/p&gt;
&lt;h1 id=&#34;preparations-server&#34;&gt;Preparations (Server)&lt;/h1&gt;
&lt;p&gt;First we have to install OpenVPN on the server.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# apt-get install openvpn&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;To see whether TUN/TAP is enabled in the kernel we can check the kernel log &lt;code&gt;grep tun /var/log/kern.log&lt;/code&gt; and load it if it doesn&amp;rsquo;t show up &lt;code&gt;modprobe tun&lt;/code&gt;.&lt;/p&gt;
&lt;h2 id=&#34;creating-a-pki&#34;&gt;Creating a PKI&lt;/h2&gt;
&lt;p&gt;To use OpenVPN we need a PKI and certificates. Fortunately there is a script for that.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# apt-get install easy-rsa&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;First we create a folder to store our certificates in &lt;code&gt;mkdir easy-rsa&lt;/code&gt; and get the default variables file &lt;code&gt;cp /usr/share/easy-rsa/vars easy-rsa&lt;/code&gt;. The file is prefilled but one may want to change&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-C&#34; data-lang=&#34;C&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;KEY_COUNTRY&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;KEY_PROVINCE&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;KEY_CITY&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;KEY_ORG&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;KEY_EMAIL&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;n&#34;&gt;KEY_OU&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;All other standard parameteres should usually be fine but can be changed if desired. Now we change to &lt;code&gt;/usr/share/easy-rsa&lt;/code&gt; and load the variables &lt;code&gt;# source &amp;lt;PATH_TO_VARS&amp;gt;/vars&lt;/code&gt; and run &lt;code&gt;./build-ca&lt;/code&gt;. If there have been keys before one should run &lt;code&gt;./clean-all&lt;/code&gt; first.&lt;/p&gt;
&lt;p&gt;Now we can start creating keys and sign them. First we create the server key with&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# ./build-key-server my-test-server&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;and aswer with &lt;code&gt;yes&lt;/code&gt; two times. We do the same for a client key&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# ./build-key my-test-client&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;To build Diffie-Hellman parameters we run &lt;code&gt;./build-dh&lt;/code&gt; &lt;em&gt;(this can take some time)&lt;/em&gt;. Eventually we create an HMAC key for our VPN and store it with the other keys&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# openvpn --genkey --secret /usr/share/easy-rsa/keys/ta.key&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h1 id=&#34;configuring-openvpn-server&#34;&gt;Configuring OpenVPN (Server)&lt;/h1&gt;
&lt;p&gt;Everything is set-up now to configure and run the OpenVPN server. First we copy the sample configuration file to the correct folder&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# gzip -d /etc/openvpn/server.conf.gz&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;At least the following changes to &lt;code&gt;server.conf&lt;/code&gt; should be made after copying keys, parameters and certificates.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;ca /etc/openvpn/ca.crt
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;cert /etc/openvpn/my-test-server.crt
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;key /etc/openvpn/my-test-server.key
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;dh /etc/openvpn/dh2048.pem
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;tls-auth /etc/openvpn/ta.key &lt;span class=&#34;m&#34;&gt;0&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;user nobody
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;group nobody
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h1 id=&#34;starting-openvpn-server&#34;&gt;Starting OpenVPN (Server)&lt;/h1&gt;
&lt;p&gt;The server can now be started with&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;openvpn /etc/openvpn/server.conf
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h1 id=&#34;configuring-openvpn-client&#34;&gt;Configuring OpenVPN (Client)&lt;/h1&gt;
&lt;p&gt;First we have to get key, certificate and parameters from the server to the client. Now we install OpenVPN on the client &lt;code&gt;pacman -S openpvpn&lt;/code&gt; copy the sample-configuration file somewhere nice &lt;code&gt;# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf&lt;/code&gt; and modify at least the following&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;remote test-server-ip &lt;span class=&#34;m&#34;&gt;1194&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;ca /etc/openvpn/ca.crt
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;cert /etc/openvpn/my-test-client.crt
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;key /etc/openvpn/my-test-client.key
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;dh /etc/openvpn/dh2048.pem
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;tls-auth /etc/openvpn/ta.key &lt;span class=&#34;m&#34;&gt;1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;user nobody
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;group nobody
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The &lt;em&gt;test-server-ip&lt;/em&gt; has to be replaced with the server&amp;rsquo;s IP or URL. Now we can also start the client &lt;code&gt;# openvpn /etc/openvpn/client.conf&lt;/code&gt;. The start-up should end with&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Initialization Sequence Completed
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;</description>
        </item>
        <item>
        <title>Snort, Barnyard2 &amp; Snorby</title>
        <link>https://www.franziskuskiefer.de/p/snort-barnyard2-snorby/</link>
        <pubDate>Sun, 05 Oct 2014 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/snort-barnyard2-snorby/</guid>
        <description>&lt;p&gt;&lt;strong&gt;This post is work in progress but I never got around to finishing it. Sorry&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;After a first failed attempt to install Snorby on an Arch Linux server (Snorby requires Ruby 1.9.x, Arch uses 2.x and I&amp;rsquo;m not willing to use the AUR version for this) I&amp;rsquo;m doing this on a Ubuntu 14.04 Server.&lt;/p&gt;
&lt;h1 id=&#34;snort&#34;&gt;Snort&lt;/h1&gt;
&lt;p&gt;Before installing Snorby we have to install snort itself. This can be done with &lt;code&gt;sudo apt-get install snort&lt;/code&gt;. Snort asks for a network address range to use for &lt;code&gt;HOME_NET&lt;/code&gt;. Since I&amp;rsquo;m not sure what to use here (the network may change), I just use standard value. This can later be changed using snort config files.&lt;/p&gt;
&lt;p&gt;For testing purposes I add a new rule file in &lt;code&gt;/etc/snort/rules/&lt;/code&gt; with a very basic rule that logs everything. &lt;em&gt;You really shouldn&amp;rsquo;t do this in productive use, this will spam your snort output.&lt;/em&gt;&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;file: test.rules
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;alert ip any any -&amp;gt; any any &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;msg:&lt;span class=&#34;s2&#34;&gt;&amp;#34;Someone tried to access the server&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; sid:100001&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; rev:1&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; priority:2&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;To use the new rule file you have to include it in the snort config &lt;code&gt;/etc/snort/snort.conf&lt;/code&gt; by adding a line &lt;code&gt;include $RULE_PATH/test.rules&lt;/code&gt;.&lt;/p&gt;
&lt;h2 id=&#34;configuration&#34;&gt;Configuration&lt;/h2&gt;
&lt;p&gt;In order to inspect outgoing traffic I had to add the &lt;code&gt;-k none&lt;/code&gt; option to Snort in order to disable checksum tests for TCP connections (cf. &lt;a class=&#34;link&#34; href=&#34;https://serverfault.com/questions/554713/snort-not-detecting-outgoing-traffic&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;serverfault&lt;/a&gt;). The option can be permanently added by adding it to &lt;code&gt;PARAMS&lt;/code&gt; in &lt;code&gt;/etc/default/snort&lt;/code&gt;.&lt;/p&gt;
&lt;h2 id=&#34;rules&#34;&gt;Rules&lt;/h2&gt;
&lt;p&gt;A common requirement for rules on a server is to inspect outgoing documents for suspicious content. Checking for example if a website contains a certain string can be done as follows:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;alert tcp any &lt;span class=&#34;m&#34;&gt;80&lt;/span&gt; -&amp;gt; any any &lt;span class=&#34;o&#34;&gt;(&lt;/span&gt;file_data&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; content:&lt;span class=&#34;s2&#34;&gt;&amp;#34;Placeholder&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; flow:to_client,established&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; msg:&lt;span class=&#34;s2&#34;&gt;&amp;#34;Detected placeholderwebsite&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; sid:1000002&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; rev:1&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt; priority:2&lt;span class=&#34;p&#34;&gt;;&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;In order for this rule to work properly one has to make sure that &lt;code&gt;snort.conf&lt;/code&gt; contains at least the following elements for &lt;code&gt;http_inspect_server&lt;/code&gt;:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;xtended_response_inspection &lt;span class=&#34;se&#34;&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;se&#34;&gt;&lt;/span&gt;inspect_gzip &lt;span class=&#34;se&#34;&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;se&#34;&gt;&lt;/span&gt;normalize_utf &lt;span class=&#34;se&#34;&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;se&#34;&gt;&lt;/span&gt;server_flow_depth &lt;span class=&#34;m&#34;&gt;0&lt;/span&gt; &lt;span class=&#34;se&#34;&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;se&#34;&gt;&lt;/span&gt;normalize_javascript
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id=&#34;snorby&#34;&gt;Snorby&lt;/h2&gt;
&lt;p&gt;Before installing snorby I need to make sure that certain software is installed.&lt;/p&gt;
&lt;h3 id=&#34;prerequesite&#34;&gt;Prerequesite&lt;/h3&gt;
&lt;p&gt;The base system is a fresh Ubuntu 14.04 Server installation. Before installing Snorby we have to make sure that all requirements are installed. The &lt;a class=&#34;link&#34; href=&#34;http://snorby.org&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Snorby website&lt;/a&gt; lists the following dependencies: &lt;code&gt;git&lt;/code&gt;, &lt;code&gt;ruby&lt;/code&gt;, &lt;code&gt;ImageMagick&lt;/code&gt; and &lt;code&gt;Wkhtmltopdf&lt;/code&gt;. But installing dependencies is not as easy as it sounds. I&amp;rsquo;m on a headless server and don&amp;rsquo;t want to install video drivers. So what to do with the strange &lt;code&gt;Wkhtmltopdf&lt;/code&gt; package? And why the heck does a headless application need X? But luckily there is a ruby gem of wkhtmltopdf that does not need any X component (documentation of Snorby is really bad here). So we just use &lt;code&gt;sudo gem install wkhtmltopdf&lt;/code&gt; and we are good (ignore the errors during installation). We also have to install &lt;code&gt;ruby-dev&lt;/code&gt; and &lt;code&gt;make&lt;/code&gt; on Ubuntu. Further we need &lt;code&gt;mysql-server&lt;/code&gt; installed. To get rails and bundler we have to install them with &lt;code&gt;sudo gem install bundler&lt;/code&gt; and &lt;code&gt;sudo gem install rails&lt;/code&gt;.&lt;/p&gt;
&lt;h3 id=&#34;installing-snorby&#34;&gt;Installing Snorby&lt;/h3&gt;
&lt;p&gt;Now we need to get snorby sources&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;git clone https://github.com/Snorby/snorby
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;After changing to the &lt;code&gt;cd snorby&lt;/code&gt; directory we can install it using &lt;code&gt;bundle install&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Now we have to configure snorby to be able to read events from the database. To do so we copy &lt;code&gt;database.yml.example&lt;/code&gt; in the &lt;code&gt;config&lt;/code&gt; folder to &lt;code&gt;database.yml&lt;/code&gt; and change the database configuration to access MySQL. Further we copy &lt;code&gt;snorby_config.yml.example&lt;/code&gt; to &lt;code&gt;snorby_config.yml&lt;/code&gt; and check that &lt;code&gt;wkhtmltopdf&lt;/code&gt; and &lt;code&gt;domain&lt;/code&gt; are correct in the &lt;code&gt;production&lt;/code&gt; section. It seems there are more dependencies needed (in particular &lt;code&gt;nokogiri&lt;/code&gt; needs more). So we have to install &lt;code&gt;libxml2-dev&lt;/code&gt;, &lt;code&gt;libxslt-dev&lt;/code&gt;, &lt;code&gt; libmysqlclient-dev&lt;/code&gt;, &lt;code&gt;g++&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Now we should be able to run&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;bundle &lt;span class=&#34;nb&#34;&gt;exec&lt;/span&gt; rake snorby:setup
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;to set-up snorby and start it with&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;bundle &lt;span class=&#34;nb&#34;&gt;exec&lt;/span&gt; rails server -e production
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id=&#34;instaling-barnyard2&#34;&gt;Instaling Barnyard2&lt;/h2&gt;
&lt;p&gt;To get the snort output into our Snorby interface we use &lt;a class=&#34;link&#34; href=&#34;https://github.com/firnsy/barnyard2&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Barnyard2&lt;/a&gt;. Since there is no package for Ubuntu in the official repositories we have to build Barnyard2 from source.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;git clone https://github.com/firnsy/barnyard2
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;To build Barnyard2 we need some developement tools&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;sudo apt-get install build-essential libtool autoconf libpcap-dev libmysqld-dev
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;After changing to the Barnyard2 directory &lt;code&gt;cd barnyard2&lt;/code&gt; we run &lt;code&gt;./autogen.sh&lt;/code&gt;, configure it for MySQL &lt;code&gt;./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/&lt;/code&gt; (the additional library and include path are necessary on Ubuntu to find MySQL) run &lt;code&gt;make&lt;/code&gt;. I only enable MySQL here, but other outpus are possible. To eventually install Barnyard to we use &lt;code&gt;sudo make install&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;After installing Barnyard2 it needs configuration. First I copy the example config file &lt;code&gt;sudo cp etc/barnyard2.conf /etc/&lt;/code&gt; before modifying it to run as a daemon and write to the database&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;config daemon
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;config hostname: localhost
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;config interface: eth0
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;output database: log, mysql, &lt;span class=&#34;nv&#34;&gt;user&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;root &lt;span class=&#34;nv&#34;&gt;password&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;root &lt;span class=&#34;nv&#34;&gt;dbname&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;snort &lt;span class=&#34;nv&#34;&gt;host&lt;/span&gt;&lt;span class=&#34;o&#34;&gt;=&lt;/span&gt;localhost
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;config logdir: /var/log/barnyard2/
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;config waldo_file: /var/log/barnyard2/barnyard2.waldo
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id=&#34;database-setup&#34;&gt;Database Setup&lt;/h3&gt;
&lt;p&gt;We have to set up the Barnyard2 database. We create a new database &lt;code&gt;create database snort;&lt;/code&gt;, get the Barnyard2 schema&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;wget https://raw.github.com/firnsy/barnyard2/master/schemas/create_mysql
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;and install it to our new database &lt;code&gt;mysql -u &amp;lt;user&amp;gt; -p snort &amp;lt; create_mysql&lt;/code&gt;.&lt;/p&gt;
&lt;h3 id=&#34;troubleshooting&#34;&gt;Troubleshooting&lt;/h3&gt;
&lt;p&gt;I ran into the problem that snort had no &lt;code&gt;sid-msg.map&lt;/code&gt;. This can be created with&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# /usr/share/oinkmaster/create-sidmap.pl rules/ &amp;gt; sid-msg.map&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;in &lt;code&gt;/etc/snort&lt;/code&gt;. I ran into some further problems and had to create the waldo file manually, i.e.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;sudo touch /var/log/barnyard2/barnyard2.waldo
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;sudo chown snort:snort /var/log/barnyard2/barnyard2.waldo
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This still throws a warning that the waldo file is corrupt, but Barnyard2 is at least running. I got a lot of warnings of the form&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;WARNING: Can&#39;t extract timestamp extension from &#39;..&#39;using base &#39;&#39;
from old/corrupted snort log files. So I removed all logs from `/var/log/snort/`. Note that this warning is also shown when the snort log is empty!
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;To start Barnyard2 now we use&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;sudo /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort/ -f snort.out
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;where the first parameter sets the config file to use, the second tells barynard2 in which folder to look for snort output files and the last one gives the base-name of snort output in that folder.&lt;/p&gt;
&lt;h1 id=&#34;testing-the-setup&#34;&gt;Testing the setup&lt;/h1&gt;
&lt;p&gt;To test if Snorby is actually working I install and start Apache. This is not necessary since my snort rule from above is logging everything, but you may want to do this anyway to test some real rules. The Snorby web interface is located at &lt;code&gt;http://&amp;lt;server ip&amp;gt;:3000/&lt;/code&gt;. The default credentials are &lt;code&gt;Username: snorby@snorby.org, Password: snorby&lt;/code&gt;.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>The curious case of pgflibraryfadings</title>
        <link>https://www.franziskuskiefer.de/p/the-curious-case-of-pgflibraryfadings/</link>
        <pubDate>Mon, 01 Sep 2014 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/the-curious-case-of-pgflibraryfadings/</guid>
        <description>&lt;p&gt;Over the last year I was battling a strange error of reverse synctex search with evince and several latex editors. Everything works perfect with synctex unless I want to do a reverse search (click in the pdf docutment and get the according tex position) on the first page. Instead of getting the correct position my latex editor always opens the file &lt;code&gt;pgflibraryfadings.code.tex&lt;/code&gt;. While I finally found the cause of the problem, I have no idea how to solve it. The problem seems to stem from the inclusion of the &lt;code&gt;shadows&lt;/code&gt; tikz library. Without the package included everything works flawless. I filed a bug report at &lt;a class=&#34;link&#34; href=&#34;https://sourceforge.net/p/pgf/bugs/333/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;sourceforge&lt;/a&gt;.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Display &amp; Inline Math</title>
        <link>https://www.franziskuskiefer.de/p/display-inline-math/</link>
        <pubDate>Sun, 17 Aug 2014 00:00:00 +0000</pubDate>
        
        <guid>https://www.franziskuskiefer.de/p/display-inline-math/</guid>
        <description>&lt;img src="https://www.franziskuskiefer.de/p/display-inline-math/hero.jpg" alt="Featured image of post Display &amp; Inline Math" /&gt;&lt;p&gt;Another day in latex wonderland &amp;hellip; Today I was writing an equation in an &lt;code&gt;aligned&lt;/code&gt; environment using &lt;code&gt;sum&lt;/code&gt; and those fancy things. Unfortunately &lt;code&gt;aligned&lt;/code&gt; is a display math environment such that the limits of &lt;code&gt;sum&lt;/code&gt; are displayed above and below, which was really not suitable in my case. So how do I display inline-math style in a display math environment?&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s say we have an equation environment with an equation&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-latex&#34; data-lang=&#34;latex&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;\begin&lt;/span&gt;&lt;span class=&#34;nb&#34;&gt;{&lt;/span&gt;equation*&lt;span class=&#34;nb&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;k&#34;&gt;\sum&lt;/span&gt;&lt;span class=&#34;nb&#34;&gt;_{&lt;/span&gt;i=0&lt;span class=&#34;nb&#34;&gt;}^{&lt;/span&gt;n&lt;span class=&#34;nb&#34;&gt;}&lt;/span&gt; x&lt;span class=&#34;nb&#34;&gt;^&lt;/span&gt;i
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;\end&lt;/span&gt;&lt;span class=&#34;nb&#34;&gt;{&lt;/span&gt;equation*&lt;span class=&#34;nb&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;To display the &lt;code&gt;sum&lt;/code&gt; as inline math we can simply use &lt;code&gt;\textstyle&lt;/code&gt;.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-latex&#34; data-lang=&#34;latex&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;\begin&lt;/span&gt;&lt;span class=&#34;nb&#34;&gt;{&lt;/span&gt;equation*&lt;span class=&#34;nb&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;nb&#34;&gt;{&lt;/span&gt;&lt;span class=&#34;k&#34;&gt;\textstyle&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;\sum&lt;/span&gt;&lt;span class=&#34;nb&#34;&gt;_{&lt;/span&gt;i=0&lt;span class=&#34;nb&#34;&gt;}^{&lt;/span&gt;n&lt;span class=&#34;nb&#34;&gt;}&lt;/span&gt; 2&lt;span class=&#34;nb&#34;&gt;^&lt;/span&gt;i&lt;span class=&#34;nb&#34;&gt;}&lt;/span&gt; &lt;span class=&#34;k&#34;&gt;\prod&lt;/span&gt;&lt;span class=&#34;nb&#34;&gt;_{&lt;/span&gt;i=0&lt;span class=&#34;nb&#34;&gt;}^{&lt;/span&gt;n&lt;span class=&#34;nb&#34;&gt;}&lt;/span&gt; i&lt;span class=&#34;nb&#34;&gt;^&lt;/span&gt;2
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;k&#34;&gt;\end&lt;/span&gt;&lt;span class=&#34;nb&#34;&gt;{&lt;/span&gt;equation*&lt;span class=&#34;nb&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Note that the &lt;code&gt;prod&lt;/code&gt; is display math again.&lt;/p&gt;
</description>
        </item>
        
    </channel>
</rss>