Zeroize secret data

Cargo.toml

@@ -12,3 +12,4 @@ rand_core = { version = "0.6", default-features = false }
 serde = { version = "1.0.217", default-features = false }
 sha2 = { version = "0.10.8", default-features = false }
 subtle = { version = "2.6.1", default-features = false }
+zeroize = { version = "1.8.1", default-features = false }

Makefile

@@ -1,4 +1,4 @@
-ALL_FEATURES := serde,random-flag-ciphertexts
+ALL_FEATURES := serde,random-flag-ciphertexts,zeroize
 
 .PHONY: all
 all: clippy-no-std-all-features

polyfuzzy/Cargo.toml

@@ -12,13 +12,15 @@ edition = "2021"
 serde = ["dep:serde", "curve25519-dalek/serde"]
 sha2-force-soft = ["sha2/force-soft"]
 random-flag-ciphertexts = []
+zeroize = ["dep:zeroize", "curve25519-dalek/zeroize"]
 
 [dependencies]
 curve25519-dalek = { workspace = true, features = ["rand_core"] }
 rand_core = { workspace = true }
 serde = { workspace = true, features = ["derive", "alloc"], optional = true }
 sha2 = { workspace = true }
 subtle = { workspace = true }
+zeroize = { workspace = true, features = ["alloc", "derive"], optional = true }
 
 [dev-dependencies]
 criterion = { workspace = true }

polyfuzzy/src/fmd2_compact/mod.rs

@@ -9,6 +9,8 @@ use polynomial::{EncodedPolynomial, PointEvaluations, Polynomial};
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256};
 use subtle::ConstantTimeEq;
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
 
 mod polynomial;
 use crate::{
@@ -21,7 +23,8 @@ use crate::{
 /// A polynomial over the scalar field of Ristretto of degree = `t` (the threshold parameter).
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 #[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
-pub struct CompactSecretKey(Polynomial);
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
+pub struct CompactSecretKey(#[cfg_attr(feature = "zeroize", zeroize)] Polynomial);
 
 impl CompactSecretKey {
     /// Get the public key counterpart of this key
@@ -233,11 +236,10 @@ impl MultiFmdScheme<CompactPublicKey, FlagCiphertexts> for MultiFmd2CompactSchem
             basepoint_eg: expanded_pk_ref.randomized_key.0.basepoint,
             keys: expanded_pk_ref.randomized_key.0.results.clone(),
         };
-        let trapdoor = Scalar::random(rng);
 
         let flag = FlagCiphertexts(GenericFlagCiphertexts::generate_flag(
             &gpk,
-            &ChamaleonHashBasepoint::new(&gpk, &trapdoor),
+            &ChamaleonHashBasepoint::new(rng, &gpk),
             rng,
         ));
 

polyfuzzy/src/fmd2_compact/polynomial.rs

@@ -3,11 +3,15 @@ use alloc::vec::Vec;
 use curve25519_dalek::{RistrettoPoint, Scalar};
 #[cfg(feature = "serde")]
 use serde::{Deserialize, Serialize};
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
 
 /// A degree `t` polynomial p(X) in Z_q[X] given by its t+1 coefficients.
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 #[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub(crate) struct Polynomial {
+    #[cfg_attr(feature = "zeroize", zeroize)]
     coeffs: Vec<Scalar>,
 }
 
@@ -22,7 +26,9 @@ pub(crate) struct EncodedPolynomial {
 /// γ scalar evaluations of the polynomial p(X) at public scalars.
 /// result[i] = p(public_scalar[i])
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub(crate) struct ScalarEvaluations {
+    #[cfg_attr(feature = "zeroize", zeroize)]
     pub(crate) results: Vec<Scalar>,
 }
 

polyfuzzy/src/fmd2_generic.rs

@@ -12,6 +12,8 @@ use rand_core::{CryptoRng, RngCore};
 #[cfg(feature = "serde")]
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256, Sha512};
+#[cfg(feature = "zeroize")]
+use zeroize::{Zeroize, Zeroizing};
 
 /// Compressed representation of the γ bit-ciphertexts of a [`GenericFlagCiphertexts`].
 #[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
@@ -57,8 +59,9 @@ impl CiphertextBits {
 
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 #[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 /// γ secret subkeys (scalars). For minimum false-positive rate p:=2^{-γ}.
-pub struct FmdSecretKey(pub(crate) Vec<Scalar>);
+pub struct FmdSecretKey(#[cfg_attr(feature = "zeroize", zeroize)] pub(crate) Vec<Scalar>);
 
 impl FmdSecretKey {
     pub(crate) fn generate_keys<R: RngCore + CryptoRng>(gamma: usize, rng: &mut R) -> Self {
@@ -137,9 +140,11 @@ impl FmdSecretKey {
 
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 #[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 /// A subset of n-out-γ secret subkeys, and the positions
 /// they occupy in [FmdSecretKey].
 pub struct DetectionKey {
+    #[cfg_attr(feature = "zeroize", zeroize)]
     pub(crate) subkeys: Vec<Scalar>,
 
     pub(crate) indices: Vec<usize>,
@@ -200,16 +205,41 @@ pub(crate) struct GenericFmdPublicKey {
 }
 
 #[derive(Debug, Clone, PartialEq, Eq)]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub(crate) struct ChamaleonHashBasepoint {
-    base: RistrettoPoint, // Basepoint for the Chamaleon Hash.
-    dlog: Scalar,         // Discrete log of `basepoint_ch` in base `GenericPublicKey.basepoint_eg`.
+    /// Basepoint for the Chamaleon Hash.
+    base: RistrettoPoint,
+    /// Discrete log of `basepoint_ch` in base `GenericPublicKey.basepoint_eg`.
+    #[cfg_attr(feature = "zeroize", zeroize)]
+    dlog: Scalar,
 }
 
+#[cfg(feature = "zeroize")]
+type NewChamaleonHashBasepoint = Zeroizing<ChamaleonHashBasepoint>;
+
+#[cfg(not(feature = "zeroize"))]
+type NewChamaleonHashBasepoint = ChamaleonHashBasepoint;
+
 impl ChamaleonHashBasepoint {
-    pub(crate) fn new(pk: &GenericFmdPublicKey, dlog: &Scalar) -> ChamaleonHashBasepoint {
-        ChamaleonHashBasepoint {
+    pub(crate) fn new<R: CryptoRng + RngCore>(
+        rng: &mut R,
+        pk: &GenericFmdPublicKey,
+    ) -> NewChamaleonHashBasepoint {
+        let dlog = Scalar::random(rng);
+
+        let hash = ChamaleonHashBasepoint {
             base: pk.basepoint_eg * dlog,
-            dlog: *dlog,
+            dlog,
+        };
+
+        #[cfg(feature = "zeroize")]
+        {
+            Zeroizing::new(hash)
+        }
+
+        #[cfg(not(feature = "zeroize"))]
+        {
+            hash
         }
     }
 }