HippoFrog v2.2

HippoFrog v2.2 — Twist‑Safe ECDH + AES‑GCM (ECCFrog522PP)

Date: 2025-08-25

This is the first public release of HippoFrog built around the research-grade curve ECCFrog522PP (Presunto Power), featuring twist-safe ECDH, HKDF(SHA‑256), and AES‑256‑GCM with authenticated headers and ephemeral public keys.

Highlights

• Custom curve: ECCFrog522PP (~522‑bit prime field, a = -9, cofactor h = 1, prime order n).
• Key exchange: Ephemeral ECDH → HKDF‑SHA‑256 (salt=32B, info=param_hash || "HippoFrog v2.2 AES-256-GCM").
• AEAD: AES‑256‑GCM (IV=12B, tag=16B) with AAD = Header + EphemeralPublicCompressed.
• Public‑key hygiene: on‑curve check, subgroup check (n·Q=O), identity rejection.
• Parameter binding: param_hash = SHA256(P|A|B|N|GX|GY), verified at decrypt.
• Self‑describing file format: 86‑byte header + ephemeral (compressed) + ciphertext + tag.
• CLI: --generate-keys, --validate-keys, --encrypt, --decrypt, --b (bench).
• Docs: Deep README with full curve specification; SECURITY, CONTRIBUTING, Code of Conduct; CI workflow.

---

Changelog

Added

• ECCFrog522PP curve parameters and deterministic parameter hash binding.
• Ephemeral ECDH + HKDF(SHA‑256) → 32‑byte AES key.
• AES‑256‑GCM with 12‑byte IV and 16‑byte tag; AAD covers header + ephemeral public key.
• Header (86B): magic="HFv1", version=1, param_hash(32), salt(32), iv(12), eph_len(2).
• Key validation: on‑curve, subgroup (n·Q=O), identity rejection.
• CLI commands: --generate-keys, --validate-keys, --encrypt, --decrypt, --b.
• GitHub Actions workflow for build + smoke tests.
• Comprehensive README including Full Specification of ECCFrog522PP (Presunto Power).

Changed

• Curve construction: fixed BIGNUM handling (use BN_dec2bn/BN_set_word on BIGNUM*; pass actual pointers to EC_GROUP_new_curve_GFp).
• Negative a handling: set a = -9 using BN_set_word(abs(a)) + BN_set_negative(…,1) to avoid modular misinterpretation.
• Makefile: enforces -std=c++20, links -lssl -lcrypto, and silences OpenSSL 3.x deprecation warnings for legacy EC calls.

Fixed

• Key generation failure caused by incorrect handling of negative a (now correctly represented as negative BIGNUM).
• Compile‑time errors from passing int returns of BN_* into APIs expecting BIGNUM*.
• Assorted minor robustness improvements in EC parameter initialization and memory hygiene.

Security

• Twist/invalid‑curve protections: on‑curve test; subgroup check (n·Q=O) with cofactor h=1; identity rejection.
• AAD coverage for header + ephemeral public; param hash mismatch aborts decryption.
• Explicit disclaimer: custom curve; research/experimental only; no public cryptanalysis claimed.

Documentation

• README now documents end‑to‑end flow, file format, AAD, parameter binding, and full ECCFrog522PP spec.
• Added SECURITY.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md, issue templates.

CI

• Ubuntu build with libssl-dev, runs: keygen → validate → encrypt/decrypt round‑trip.

Known Issues

• eph_len in the header uses host endianness (typically little‑endian on x86_64). Producers and consumers must be consistent; a later version may switch to network byte order.
• Uses OpenSSL EC legacy APIs (3.x deprecation warnings are suppressed). A future provider‑based refactor is planned.
• No chunked streaming for very large files (encrypts the whole buffer in memory).
• Private keys are stored as unencrypted PEM; handle with care (file permissions, backups).

Upgrade Notes

• If you were on a pre‑release or local fork, rebuild with the updated Makefile and regenerate keys to ensure the fixed curve initialization (negative a) is in effect.

---

Assets

Suggested release assets:

• HippoFrog-v2.2-linux-x86_64.zip (binary + README.md)
• Source code (zip) / Source code (tar.gz) (GitHub autogenerated)
• SHA256SUMS (checksums for all assets)

You can compute checksums with:

sha256sum HippoFrog-v2.2-linux-x86_64.zip > SHA256SUMS

Verification / Smoke Test

./bin/HippoFrog --generate-keys
./bin/HippoFrog --validate-keys
echo "ok" > t.txt
./bin/HippoFrog --encrypt t.txt
./bin/HippoFrog --decrypt t.txt.hf
diff -q t.txt t.txt.dec && echo OK

Thanks

Thanks to early testers and reviewers who kicked the tires on keygen and the decrypt path.

HippoFrog v3.0

CHANGELOG

2025-08-26

Security / Crypto

• Enforced prime-order subgroup validation for all external public keys ([N]Q = O) in addition to on-curve and non-infinity checks.
• Enforced canonical compressed public key format (67 bytes, prefix 0x02/0x03).
• Eliminated group mixing: PEM/SPKI public keys are re-serialized and then re-parsed on HippoFrog’s EC group before any validation or multiplication.
• HKDF binding strengthened: info = param_hash || "HippoFrog v2.2 AES-256-GCM" to tie derived keys to curve parameters.
• AEAD AAD explicitly set to header || ephemeral so metadata is authenticated with the ciphertext.

Header / File Format (backwards compatible)

• Replaced struct-based header packing with deterministic byte-wise encoding (fixed 86 bytes):
  "HFv1"(4) | version(1) | reserved(3) | param_hash(32) | salt(32) | iv(12) | eph_len(LE,2=67).
• On-disk format remains the same for users; existing .hf files and keys stay valid.

RNG & Secrets

• RNG usage hardened: operations proceed only when RAND_bytes(...) == 1.
• Sensitive material (private scalars, shared secrets, AEAD keys) is zeroized after use.
• Generated private key keys/priv.pem is written with POSIX permission 0600.

Build / Toolchain Hardening

• Executable is now PIE (-fPIE/-pie) with linker hardening: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack.
• Additional protections where supported: -fstack-protector-strong, -D_FORTIFY_SOURCE=2, -fstack-clash-protection, -fcf-protection=full.
• build.sh improvements: prefers clang++ and lld; discovers OpenSSL via pkg-config; modes:
  • default (portable),
  • release (-march=native -flto),
  • strict (warnings-as-errors),
  • asan (dev-only Address/UB sanitizers).

CLI & UX (unchanged)

• Binary: ./bin/HippoFrog
• Commands:
  • ./HippoFrog --generate-keys
  • ./HippoFrog --validate-keys
  • ./HippoFrog --b
  • ./HippoFrog --encrypt <file>
  • ./HippoFrog --decrypt <file.hf>