## Summary

Re-exports and from the crate root so consumers can name the SAS type and know its size at compile time.

Changes return type from to . Callers using or comparisons are unaffected; direct bindings need .

## Test plan

Existing tests pass. implements , , and , so all current usage patterns still compile.
## Summary

Adds to , , , , , , and . Discarding any of these return values is almost certainly a bug; the compiler will now warn.

## Test plan

Existing tests pass unchanged. No return values are discarded.
## Summary

Add two new ciphersuites using DHKEM (RFC 9180 Section 4.1) with NIST curves:

- DHKEM(P-256, HKDF-SHA256) + SHA-256 (128-bit security)
- DHKEM(P-384, HKDF-SHA384) + SHA-384 (192-bit security)

Shared secrets are produced via RFC 9180 ExtractAndExpand (HKDF).

Extract shared macro to for reuse across ciphersuite modules.

## Design decisions

- RFC 9180 DHKEM with HKDF rather than raw ECDH: produces uniform shared secrets and should enable modular security analysis.
- Uncompressed SEC1 encoding for public keys/ciphertexts (65 bytes for P-256, 97 bytes for P-384) to match RFC 9180 parameters and enable interop testing against HPKE test vectors.

## Test plan

- [x] RFC 9180 Appendix A.3.1 known-answer test vector validates ExtractAndExpand byte-for-byte
- [x] KEM roundtrip, key/ciphertext serialization, invalid point rejection, shared secret uniqueness (12 tests per curve)
- [x] Full 3-move protocol roundtrip, commitment mismatch, cross-session SAS divergence for each suite
- [x] Deterministic pinned test vectors (ChaCha20Rng seeded ) catch non-backwards-compatible changes
- [x] Serde round-trip for Initiator/Responder state with DHKEM suites
- [x] Zeroize verification for DecapsulationKey, SharedSecret, and Initiator state
- [x] CI matrix extended with and feature combinations + no_std build
- [x] 72 tests pass across all feature combinations; clippy clean
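The PR above derives shared secrets with RFC 9180 ExtractAndExpand rather than using the raw ECDH output. The block below is an added illustration of that derivation, not shortcake's code: it implements the labeled HKDF framing from RFC 9180 Section 4 (LabeledExtract, LabeledExpand, the `KEM || kem_id` suite id) for the two suites the PR adds, using only the Python standard library. The DH value and the "uncompressed" `enc`/`pkR` bytes are constructed samples, not real curve points, so the output is not an RFC test vector; a real implementation feeds in the validated ECDH x-coordinate and the 65/97-byte SEC1 encodings. The `rfc5869_selfcheck` function is a known-answer check of the underlying HKDF (RFC 5869 Appendix A, test case 1), which is what the labeled wrapper is built on. The suite dictionaries and the `DhkemKdf` class are names chosen here for the example.

```python
"""RFC 9180 Section 4.1 DHKEM shared-secret derivation (ExtractAndExpand).

Added illustration, not shortcake's code. The DH value and public-key
encodings used in demo() are constructed sample bytes, not curve points.
"""
import hashlib
import hmac

# Registered HPKE KEM identifiers (RFC 9180, Section 7.1) and per-suite sizes.
# Dictionary layout is an assumption of this example, not the crate's API.
KEM_P256_HKDF_SHA256 = dict(kem_id=0x0010, hash="sha256", nsecret=32, npk=65)
KEM_P384_HKDF_SHA384 = dict(kem_id=0x0011, hash="sha384", nsecret=48, npk=97)


def i2osp(n: int, length: int) -> bytes:
    return n.to_bytes(length, "big")


def hkdf_extract(hash_name: str, salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869: HMAC pads the key with zeros, so an empty salt equals Nh zero bytes.
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name: str, prk: bytes, info: bytes, length: int) -> bytes:
    nh = hashlib.new(hash_name).digest_size
    if length > 255 * nh:
        raise ValueError("HKDF-Expand output too long")
    okm, block = b"", b""
    for counter in range(1, (length + nh - 1) // nh + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
    return okm[:length]


class DhkemKdf:
    """Labeled extract/expand bound to one KEM suite id (RFC 9180, Section 4)."""

    def __init__(self, suite: dict):
        self.hash = suite["hash"]
        self.nsecret = suite["nsecret"]
        self.npk = suite["npk"]
        self.suite_id = b"KEM" + i2osp(suite["kem_id"], 2)

    def labeled_extract(self, salt: bytes, label: bytes, ikm: bytes) -> bytes:
        return hkdf_extract(self.hash, salt, b"HPKE-v1" + self.suite_id + label + ikm)

    def labeled_expand(self, prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
        labeled_info = i2osp(length, 2) + b"HPKE-v1" + self.suite_id + label + info
        return hkdf_expand(self.hash, prk, labeled_info, length)

    def extract_and_expand(self, dh: bytes, enc: bytes, pk_r: bytes) -> bytes:
        """Section 4.1: shared_secret = ExtractAndExpand(dh, enc || pkRm)."""
        # Length check only; point validation must happen before the DH step.
        if len(enc) != self.npk or len(pk_r) != self.npk:
            raise ValueError("enc and pkR must be uncompressed SEC1 points of Npk bytes")
        kem_context = enc + pk_r
        eae_prk = self.labeled_extract(b"", b"eae_prk", dh)
        return self.labeled_expand(eae_prk, b"shared_secret", kem_context, self.nsecret)


def rfc5869_selfcheck() -> bool:
    """Known-answer check of the underlying HKDF (RFC 5869, Appendix A, test case 1)."""
    prk = hkdf_extract("sha256", bytes(range(13)), b"\x0b" * 22)
    okm = hkdf_expand("sha256", prk, bytes(range(0xF0, 0xFA)), 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def demo(suite: dict) -> bytes:
    """Derive a shared secret from constructed sample inputs (not real curve points)."""
    kdf = DhkemKdf(suite)
    dh = hashlib.sha256(b"constructed ecdh x-coordinate").digest()
    enc = b"\x04" + b"\xaa" * (kdf.npk - 1)   # constructed "uncompressed" encoding
    pk_r = b"\x04" + b"\xbb" * (kdf.npk - 1)
    return kdf.extract_and_expand(dh, enc, pk_r)


if __name__ == "__main__":
    assert rfc5869_selfcheck()
    for suite in (KEM_P256_HKDF_SHA256, KEM_P384_HKDF_SHA384):
        print(hex(suite["kem_id"]), demo(suite).hex())
```

Two properties worth noticing: the `kem_context` binds both public values, so swapping `enc` and `pkR` (or using the same DH output under a different `kem_id`) yields an unrelated secret, which is the domain separation the PR's "modular security analysis" rationale relies on; and the length check here is not a substitute for the invalid-point rejection the PR tests separately, which must run before the DH computation.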
## Summary

Pin SAS and shared secret test vectors against hard-coded expected hex values. If any protocol computation changes (KEM, commitment, SAS derivation, key output), the test fails immediately. Uses the existing deterministic with seed 0. Follows the pattern from opaque-ke.

## Test plan

passes with pinned values. Clippy clean.
Repository: facebook/shortcake. Description: An implementation of a SAS-based authenticated key exchange Stars: 8, Forks: 5. Primary language: Rust. Languages: Rust (100%). License: Apache-2.0. Open PRs: 5, open issues: 0. Last activity: 1w ago. Community health: 75%. Top contributors: spencerpeters, kevinlewi.