Hello! I'm one of the leads of https://github.com/RustCrypto
First let me start by saying I've read this:
We're currently still in the process of making the ARM® CryptoCell-310 embedded in the Nordic nRF52840 chip work to get hardware-accelerated cryptography. In the meantime we implemented the required cryptography algorithms (ECDSA, ECC secp256r1, HMAC-SHA256 and AES256) in Rust as a placeholder. Those implementations are research-quality code and haven't been reviewed. They don't provide constant-time guarantees and are not designed to be resistant against side-channel attacks.
I am also chasing down a security reference manual for a different chip from a different vendor and encountering bugs in their web site so I totally get it.
All that said, I'm wondering if you'd consider using some slightly better implementations of various algorithms than you are currently using. I was eyeing things like this in particular:
https://github.com/google/OpenSK/blob/f91d2fd/libraries/crypto/src/aes256.rs#L108
I'm aware table-based lookups in S-boxes are less of a side-channel issue on this chipset owing to what I believe is an absence of data cache, but perhaps it'd generally be better to provide a bitsliced version anyway unless you have reasons not to do so.
I just wanted to note there's one available in the aes-soft crate, which may not be the most performant one in the world but is at least Apache 2.0+MIT licensed:
https://github.com/RustCrypto/block-ciphers/blob/master/aes/aes-soft/src/bitslice.rs
If you're amenable to this kind of thing, we would love to collaborate on high-quality pure Rust cryptography implementations, particularly ones with a focus on embedded targets, and where there are gaps in Rust as a language today for these purposes, we're also working on addressing them and would love to collaborate on that too.
Anyway, this is a very interesting project and I'm sure you're looking forward to getting the CryptoCell going!
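As an added example (not code from OpenSK, nor from the aes-soft crate linked above), here is the table-free route the comment alludes to: the AES S-box computed with branch-free GF(2^8) arithmetic instead of a 256-byte lookup, so there are no data-dependent memory accesses. It is not a full bitsliced cipher like aes-soft's; it only shows the principle of removing the S-box table.

```rust
// Constant-time AES S-box from GF(2^8) arithmetic instead of a lookup table.
// Added example; not code from OpenSK or the RustCrypto aes-soft crate.

/// Multiply two elements of GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
/// Every iteration does identical work; 0x00/0xFF masks replace branches.
pub fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut p = 0u8;
    for _ in 0..8 {
        // add `a` into the product when the low bit of `b` is set
        let mask_b = 0u8.wrapping_sub(b & 1);
        p ^= a & mask_b;
        // multiply `a` by x, reducing by 0x1b when the high bit falls out
        let mask_a = 0u8.wrapping_sub(a >> 7);
        a = (a << 1) ^ (0x1b & mask_a);
        b >>= 1;
    }
    p
}

/// Multiplicative inverse as a^254 (a^255 = 1 for a != 0); 0 maps to 0.
/// The exponent is fixed, so the multiply schedule is input-independent.
pub fn gf_inv(a: u8) -> u8 {
    let mut result = 1u8;
    let mut power = a;
    for _ in 0..7 {
        power = gf_mul(power, power); // a^2, a^4, ..., a^128
        result = gf_mul(result, power); // product of all of them = a^254
    }
    result
}

/// AES S-box: affine transform of the field inverse (FIPS-197 section 5.1.1).
pub fn sbox(x: u8) -> u8 {
    let b = gf_inv(x);
    b ^ b.rotate_left(1) ^ b.rotate_left(2) ^ b.rotate_left(3) ^ b.rotate_left(4) ^ 0x63
}

/// SubBytes over a 16-byte AES state, with no table access at all.
pub fn sub_bytes(state: &mut [u8; 16]) {
    for byte in state.iter_mut() {
        *byte = sbox(*byte);
    }
}

fn main() {
    // Constructed sample: the FIPS-197 worked values 0x53 -> 0xed and 0x00 -> 0x63.
    println!("sbox(0x53) = {:#04x}, sbox(0x00) = {:#04x}", sbox(0x53), sbox(0x00));
}
```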