chore: erase ephemeral secrets from memory in schnorr and aes

barretenberg/cpp/src/barretenberg/bbapi/bbapi_schnorr.cpp

@@ -18,6 +18,7 @@ SchnorrConstructSignature::Response SchnorrConstructSignature::execute(BB_UNUSED
 
     std::string message_str(reinterpret_cast<const char*>(message.data()), message.size());
     auto sig = crypto::schnorr_construct_signature<crypto::Blake2sHasher, grumpkin::fq>(message_str, key_pair);
+    crypto::secure_erase_bytes(&key_pair.private_key, sizeof(key_pair.private_key));
 
     return { sig.s, sig.e };
 }

barretenberg/cpp/src/barretenberg/crypto/aes128/aes128.cpp

@@ -6,13 +6,12 @@
 
 #include "aes128.hpp"
 
+#include "barretenberg/crypto/hmac/hmac.hpp"
 #include "memory.h"
 #include <array>
 #include <cstddef>
 #include <cstdint>
 
-#include <iostream>
-
 namespace {
 
 static constexpr uint8_t round_constants[11] = { 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 };
@@ -248,6 +247,7 @@ void aes128_encrypt_buffer_cbc(uint8_t* buffer, uint8_t* iv, const uint8_t* key,
         memcpy((void*)(buffer + (i * 16)), (void*)block_state, 16);
         memcpy((void*)iv, (void*)block_state, 16);
     }
+    secure_erase_bytes(round_key, sizeof(round_key));
 }
 
 void aes128_decrypt_buffer_cbc(uint8_t* buffer, uint8_t* iv, const uint8_t* key, const size_t length)
@@ -266,6 +266,7 @@ void aes128_decrypt_buffer_cbc(uint8_t* buffer, uint8_t* iv, const uint8_t* key,
         memcpy((void*)(buffer + (i * 16)), (void*)block_state, 16);
         memcpy((void*)iv, (void*)next_iv, 16);
     }
+    secure_erase_bytes(round_key, sizeof(round_key));
 }
 
 } // namespace bb::crypto

barretenberg/cpp/src/barretenberg/crypto/schnorr/multisig.hpp

@@ -311,19 +311,19 @@ template <typename G1, typename HashRegNon, typename HashSig = Blake2sHasher> cl
     static std::pair<RoundOnePublicOutput, RoundOnePrivateOutput> construct_signature_round_1()
     {
         // r_user ← 𝔽
-        // TODO: securely erase `r_user`
         Fr r_user = Fr::random_element();
         // R_user ← r_user⋅G
         affine_element R_user = G1::one * r_user;
 
         // s_user ← 𝔽
-        // TODO: securely erase `s_user`
         Fr s_user = Fr::random_element();
         // S_user ← s_user⋅G
         affine_element S_user = G1::one * s_user;
 
         RoundOnePublicOutput pubOut{ R_user, S_user };
         RoundOnePrivateOutput privOut{ r_user, s_user };
+        secure_erase_bytes(&r_user, sizeof(r_user));
+        secure_erase_bytes(&s_user, sizeof(s_user));
         return { pubOut, privOut };
     }
 

barretenberg/cpp/src/barretenberg/crypto/schnorr/proof_of_possession.hpp

@@ -48,7 +48,6 @@ template <typename G1, typename Hash> struct SchnorrProofOfPossession {
         // uniformly random bits. For example, when compiling into a wasm binary, it is essential that the random_get
         // method is overloaded to utilise a suitable entropy source
         // (see https://github.com/WebAssembly/WASI/blob/main/phases/snapshot/docs.md)
-        // TODO: securely erase `k`
         Fr k = Fr::random_element();
 
         affine_element R = G1::one * k;
@@ -58,6 +57,8 @@ template <typename G1, typename Hash> struct SchnorrProofOfPossession {
 
         Fr challenge_fr = Fr::serialize_from_buffer(&challenge_bytes[0]);
         response = k - challenge_fr * secret_key;
+        secure_erase_bytes(&k, sizeof(k));
+        secure_erase_bytes(&secret_key, sizeof(secret_key));
     }
 
     /**

barretenberg/cpp/src/barretenberg/crypto/schnorr/schnorr.tcc

@@ -88,7 +88,6 @@ schnorr_signature schnorr_construct_signature(const std::string& message, const
     // method is overloaded to utilise a suitable entropy source
     // (see https://github.com/WebAssembly/WASI/blob/main/phases/snapshot/docs.md)
     //
-    // TODO(https://github.com/AztecProtocol/barretenberg/issues/895): securely erase `k`
     Fr k = Fr::random_element();
 
     typename G1::affine_element R(G1::one * k);
@@ -97,6 +96,7 @@ schnorr_signature schnorr_construct_signature(const std::string& message, const
     // the conversion from e_raw results in a biased field element e
     Fr e = Fr::serialize_from_buffer(&e_raw[0]);
     Fr s = k - (private_key * e);
+    secure_erase_bytes(&k, sizeof(k));
 
     // we serialize e_raw rather than e, so that no binary conversion needs to be
     // performed during verification.