Matt Sicker edited this page Feb 13, 2021 · 6 revisions

O(1) Cryptography makes use of many academic concepts and standards. No novel cryptography algorithms are introduced by this library. The following papers and standards are either used in this library or provide foundations for other algorithms used in this library.

Symmetric Algorithms

  • Salsa20, by D. J. Bernstein (2007); this cipher was subsequently updated by
  • ChaCha20, by D. J. Bernstein (2008).
  • XSalsa20, by D. J. Bernstein (2008); this forms the basis for a later XChaCha20 variant.
  • Poly1305, by D. J. Bernstein (2005); this authenticator was updated to use ChaCha20 in place of AES by
  • RFC 7539, by Y. Nir and A. Langley (2015); this initially standardized ChaCha20, Poly1305, and AEAD using ChaCha20-Poly1305. This RFC was obsoleted by
  • RFC 8439, by Y. Nir and A. Langley (2018).
  • Argon2, by A. Biryukov, D. Dinu, and D. Khovratovich (2017), describes a memory-hard algorithm for password hashing which can also be used for password-based key derivation.
  • BLAKE3, by J. O'Connor, J.P. Aumasson, S. Neves, and Z. Wilcox-O'Hearn (2020).

Asymmetric Algorithms

  • Curve25519, by D. J. Bernstein (2006), provides a faster and safer choice of parameters for elliptic curve Diffie-Hellman calculations.
  • RFC 7748, by A. Langley, M. Hamburg, and S. Turner.
  • Group operations on Edwards curves, by D. J. Bernstein and T. Lange (2007), shows how Edwards curves can be quickly calculated with the provided group operations.
  • Inverted Edwards co-ordinates, by D. J. Bernstein and T. Lange (2007), inverts the values in the Edwards curve points which allows for even faster group operations.
  • Twisted Edwards curves, by D. J. Bernstein, P. Birkner, M. Joye, T. Lange, and C. Peters (2008), generalizes Edwards curves allowing for isogenies to and from Weierstrass curves.
  • Signcryption, by M. Toorani and A. A. Beheshti (2009), describes an integrated elliptic curve encryption and signing operation.
  • Ed25519, by D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B. Yang (2011), introduces EdDSA, a variation of ECDSA that uses twisted Edwards curves instead of Weierstrass curves for increased performance and easier safe implementations.
  • Elligator, by D. J. Bernstein, M. Hamburg, A. Krasnova, and T. Lange (2013), provides an algorithm to encode and decode elliptic curve points into binary strings that are indistinguishable from uniform random strings, both simplifying key generation and increasing resistance to censorship.
  • EdDSA, by D. J. Bernstein, S. Josefsson, T. Lange, P. Schwabe, and B. Yang (2015), generalizes the EdDSA algorithm introduced in Ed25519 to support arbitrary finite fields of order q where q is odd.
  • RFC 8032, by S. Josefsson and I. Liusvaara (2017), provides a standardized EdDSA from CFRG.
  • Decaf, by M. Hamburg (2015), provides a unified point compression format for Edwards, twisted Edwards, and Weierstrass curves, which divides the curve's cofactor by 4, thus allowing cofactor-4 curves to be used for prime-order groups (e.g., in elliptic curve Diffie-Hellman).
  • Ristretto, by M. Hamburg, further generalizes Decaf to support cofactor-8 curves (including Curve25519) used as prime-order groups.
  • Montgomery curves and the Montgomery ladder, by D. J. Bernstein and T. Lange (2017), provides a detailed overview of the constant-time algorithms used for group operations on elliptic curves.
  • libsodium-signcryption, by F. Denis (2020), adapts the Toorani-Beheshti signcryption scheme to use the Ristretto group.


This library does not encourage use of globally standardized algorithms like AES, ECDH, and ECDSA, due to many implementation failures in the real world where cryptography libraries are actually used. While the underlying mathematics still appear to be sound, these algorithms all have numerous implementation pitfalls, some of which are nearly impossible to guard against without hardware-specific support. The following papers describe these problems in more detail.

  • Cache-timing attacks on AES, by D. J. Bernstein (2005), presents numerous side-channel attacks on typical AES implementations along with advice on how to safely implement AES. Common CPUs (e.g., x86-64 and aarch64) typically provide a set of AES-related operations to calculate AES and GCM operations in constant time while maintaining high performance. User-mode software implementations of AES are almost assuredly vulnerable to some form of cache-timing attack.
  • Failures in NIST's ECC standards, by D. J. Bernstein and T. Lange (2016), covers numerous problems in standard ECDH and ECDSA algorithms.
  • Understanding brute force, by D. J. Bernstein (2005), provides intuition regarding adversarial resources to protect against.

Similar Projects

There are numerous libraries with similar goals that inspired this library. These libraries typically have different support goals in that they use less safe algorithms (as critiqued in the previous section), support several programming languages, offer too many algorithm choices, or rely on native code bindings (which is not ideal in the Java ecosystem). However, if you need a consistent polyglot cryptography framework with similar API usability goals, the following projects are fairly well established in that space.

  • libsodium - C library supporting many of these algorithms along with facade APIs for simpler usage
  • libhydrogen - C library similar to libsodium but built using Gimli and Ed25519 primitives for minimal footprint
  • Themis - polyglot library primarily concerned with high level facades (see also its C library, soter, for lower level primitives)
  • Tink - polyglot library with facades for cryptographic primitives along with some nice integrations with common key managers (particularly cloud-based ones)