ecies · kigawas · Mar 28, 2025 · Mar 26, 2025
diff --git a/.cspell.jsonc b/.cspell.jsonc
@@ -16,6 +16,7 @@
     "diffie",
     "docsrs",
     "ecies",
+    "eciesjs",
     "eciespy",
     "eciesrs",
     "getrandom",
@@ -32,7 +33,8 @@
     "struct",
     "symm",
     "typenum",
-    "xchacha"
+    "xchacha",
+    "wasip2"
   ],
   // flagWords - list of words to be always considered incorrect
   // This is useful for offensive words and common spelling errors.

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -54,20 +54,8 @@ jobs:
       - name: Check doc
         run: cargo doc --no-deps
 
-      - run: sh ./scripts/test.sh
-        env:
-          CURVE: secp256k1
-      - run: sh ./scripts/test.sh
-        env:
-          CURVE: x25519
-
       - run: cargo install wasm-bindgen-cli || true
-      - run: sh ./scripts/test-wasm.sh
-        env:
-          CURVE: secp256k1
-      - run: sh ./scripts/test-wasm.sh
-        env:
-          CURVE: x25519
+      - run: sh ./scripts/test-all.sh
 
       # Coverage
       - run: cargo llvm-cov --no-default-features --features pure --lcov --output-path .lcov.info

diff --git a/Cargo.toml b/Cargo.toml
@@ -8,9 +8,9 @@ edition = "2021"
 keywords = [ # at most five
   "secp256k1",
   "curve25519",
-  "crypto",
+  "x25519",
   "ecies",
-  "cryptocurrency",
+  "cryptography",
 ]
 license = "MIT"
 readme = "README.md"
@@ -24,6 +24,7 @@ repository = "https://github.com/ecies/rs"
 libsecp256k1 = { version = "0.7.2", default-features = false, features = [
   "static-context",
 ] }
+curve25519-dalek = { version = "4.1.3", default-features = false, optional = true }
 x25519-dalek = { version = "2.0.1", default-features = false, features = [
   "static_secrets",
 ], optional = true }
@@ -32,7 +33,9 @@ x25519-dalek = { version = "2.0.1", default-features = false, features = [
 # aes (openssl)
 openssl = { version = "0.10.71", default-features = false, optional = true }
 # aes (pure Rust)
-aes-gcm = { version = "0.10.3", default-features = false, optional = true }
+aes-gcm = { version = "0.10.3", default-features = false, features = [
+  "aes",
+], optional = true }
 typenum = { version = "1.18.0", default-features = false, optional = true }
 # xchacha20
 chacha20poly1305 = { version = "0.10.1", default-features = false, optional = true }
@@ -68,19 +71,20 @@ default = ["openssl"]
 std = ["hkdf/std", "sha2/std", "once_cell/std"]
 
 # curves
-# no usage, TODO: make optional after 0.3.0
-secp256k1 = []                #  ["dep:libsecp256k1"]
-x25519 = ["dep:x25519-dalek"]
+# no usage, TODO: make optional after 0.3.0: secp256k1 = ["dep:libsecp256k1"]
+secp256k1 = []
+x25519 = ["dep:curve25519-dalek", "dep:x25519-dalek"]
 
 # aes
 # TODO: rename to `aes-openssl` and `aes-rust`
 openssl = ["dep:openssl"]
-pure = ["aes-gcm/aes", "typenum"] # TODO: use dep syntax
+pure = ["aes-gcm", "typenum"] # TODO: dep syntax
+
 # with feature "openssl" or "pure" (aes-256-gcm)
 aes-12bytes-nonce = [] # default: 16 bytes without this
 
 # xchacha20
-xchacha20 = ["chacha20poly1305/alloc"]
+xchacha20 = ["chacha20poly1305"] # TODO: dep syntax
 
 [dev-dependencies]
 criterion = { version = "0.5.1", default-features = false }

diff --git a/README.md b/README.md
@@ -2,16 +2,17 @@
 
 [![Codacy Badge](https://api.codacy.com/project/badge/Grade/1c6d6ed949dd4836ab97421039e8be75)](https://app.codacy.com/gh/ecies/rs/dashboard)
 [![License](https://img.shields.io/github/license/ecies/rs.svg)](https://github.com/ecies/rs)
-[![CI](https://img.shields.io/github/actions/workflow/status/ecies/rs/ci.yml)](https://github.com/ecies/rs/actions)
-[![Codecov](https://img.shields.io/codecov/c/github/ecies/rs.svg)](https://codecov.io/gh/ecies/rs)
 [![Crates](https://img.shields.io/crates/v/ecies)](https://crates.io/crates/ecies)
+[![Recent Downloads](https://img.shields.io/crates/dr/ecies)](https://lib.rs/crates/ecies)
 [![Doc](https://docs.rs/ecies/badge.svg)](https://docs.rs/ecies/latest/ecies/)
+[![CI](https://img.shields.io/github/actions/workflow/status/ecies/rs/ci.yml)](https://github.com/ecies/rs/actions)
+[![Codecov](https://img.shields.io/codecov/c/github/ecies/rs.svg)](https://codecov.io/gh/ecies/rs)
 
 Elliptic Curve Integrated Encryption Scheme for secp256k1/x25519 in Rust, based on pure-Rust secp256k1/x25519 implementation.
 
 ECIES functionalities are built upon AES-256-GCM/XChaCha20-Poly1305 and HKDF-SHA256.
 
-This is the Rust version of [eciespy](https://github.com/ecies/py).
+This is the Rust version of [eciesjs](https://github.com/ecies/js).
 
 This library can be compiled to the WASM target at your option, see [WASM compatibility](#wasm-compatibility).
 
@@ -45,7 +46,7 @@ assert_eq!(
 You can choose to use x25519 (key exchange function on curve25519) instead of secp256k1:
 
 ```toml
-ecies = {version = "0.2", default-features = false, features = ["x25519"]}
+ecies = {version = "0.2", features = ["x25519"]}
 ```
 
 ## Optional pure Rust AES backend

diff --git a/scripts/test-all.sh b/scripts/test-all.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+./scripts/test.sh
+./scripts/test-wasm.sh
+
+CURVE=x25519 ./scripts/test.sh
+CURVE=x25519 ./scripts/test-wasm.sh
+
+# CURVE=ed25519 ./scripts/test.sh
+# CURVE=ed25519 ./scripts/test-wasm.sh
diff --git a/scripts/test.sh b/scripts/test.sh
@@ -5,13 +5,13 @@ set -e
 cargo test --no-default-features --features $CURVE,openssl
 cargo test --no-default-features --features $CURVE,openssl,std
 cargo test --no-default-features --features $CURVE,openssl,aes-12bytes-nonce
-cargo test --no-default-features --features $CURVE,openssl,std,aes-12bytes-nonce
+cargo test --no-default-features --features $CURVE,openssl,aes-12bytes-nonce,std
 
 # Pure Rust AES
 cargo test --no-default-features --features $CURVE,pure
 cargo test --no-default-features --features $CURVE,pure,std
 cargo test --no-default-features --features $CURVE,pure,aes-12bytes-nonce
-cargo test --no-default-features --features $CURVE,pure,std,aes-12bytes-nonce
+cargo test --no-default-features --features $CURVE,pure,aes-12bytes-nonce,std
 
 # XChaCha20
 cargo test --no-default-features --features $CURVE,xchacha20

diff --git a/src/consts.rs b/src/consts.rs
@@ -28,3 +28,5 @@ pub const EMPTY_BYTES: [u8; 0] = [];
 
 /// Shared secret derived from key exchange by hkdf
 pub type SharedSecret = [u8; 32];
+
+pub(crate) const ZERO_SECRET: [u8; 32] = [0u8; 32];
diff --git a/src/elliptic/secp256k1.rs b/src/elliptic/secp256k1.rs
@@ -1,13 +1,12 @@
-pub use libsecp256k1::{PublicKey, SecretKey};
 use rand_core::OsRng;
 
+pub use libsecp256k1::{Error, PublicKey, SecretKey};
+
 use crate::compat::Vec;
 use crate::config::is_hkdf_key_compressed;
 use crate::consts::SharedSecret;
 use crate::symmetric::hkdf_derive;
 
-pub use libsecp256k1::Error;
-
 /// Generate a `(SecretKey, PublicKey)` pair
 pub fn generate_keypair() -> (SecretKey, PublicKey) {
     let sk = SecretKey::random(&mut OsRng);
@@ -20,14 +19,16 @@ pub fn encapsulate(sk: &SecretKey, peer_pk: &PublicKey) -> Result<SharedSecret,
     let mut shared_point = *peer_pk;
     shared_point.tweak_mul_assign(sk)?;
     let sender_point = &PublicKey::from_secret_key(sk);
-    Ok(get_shared_secret(sender_point, &shared_point))
+    // TODO: move compressed: bool to arg
+    Ok(get_shared_secret(sender_point, &shared_point, is_hkdf_key_compressed()))
 }
 
 /// Calculate a shared symmetric key of our public key and peer's secret key by hkdf
 pub fn decapsulate(pk: &PublicKey, peer_sk: &SecretKey) -> Result<SharedSecret, Error> {
     let mut shared_point = *pk;
     shared_point.tweak_mul_assign(peer_sk)?;
-    Ok(get_shared_secret(pk, &shared_point))
+    // TODO: move compressed: bool to arg
+    Ok(get_shared_secret(pk, &shared_point, is_hkdf_key_compressed()))
 }
 
 /// Parse secret key bytes
@@ -49,8 +50,8 @@ pub fn pk_to_vec(pk: &PublicKey, compressed: bool) -> Vec<u8> {
     }
 }
 
-fn get_shared_secret(sender_point: &PublicKey, shared_point: &PublicKey) -> SharedSecret {
-    if is_hkdf_key_compressed() {
+fn get_shared_secret(sender_point: &PublicKey, shared_point: &PublicKey, compressed: bool) -> SharedSecret {
+    if compressed {
         hkdf_derive(
             &sender_point.serialize_compressed(),
             &shared_point.serialize_compressed(),
@@ -64,19 +65,19 @@ fn get_shared_secret(sender_point: &PublicKey, shared_point: &PublicKey) -> Shar
 mod known_tests {
     use super::{encapsulate, parse_sk, Error, PublicKey, SecretKey};
 
+    use crate::consts::ZERO_SECRET;
     use crate::decrypt;
     use crate::utils::tests::decode_hex;
-
     pub fn get_sk(i: u8) -> SecretKey {
-        let mut sk = [0u8; 32];
+        let mut sk = ZERO_SECRET;
         sk[31] = i;
         SecretKey::parse_slice(&sk).unwrap()
     }
 
     #[test]
     fn test_invalid_secret() {
         // 0 < private key < group order is valid
-        let zero = [0u8; 32];
+        let zero = ZERO_SECRET;
         let group_order = decode_hex("0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141");
         let invalid_sks = [zero.to_vec(), group_order];
 
@@ -112,25 +113,25 @@ mod known_tests {
     #[cfg(all(not(feature = "xchacha20"), not(feature = "aes-12bytes-nonce")))]
     #[test]
     pub fn test_known_encrypted() {
-        let sk2 = decode_hex("e520872701d9ec44dbac2eab85512ad14ad0c42e01de56d7b528abd8524fcb47");
+        let sk = decode_hex("e520872701d9ec44dbac2eab85512ad14ad0c42e01de56d7b528abd8524fcb47");
         let encrypted = decode_hex("0x047be1885aeb48d4d4db0c992996725d3264784fef88c5b60782f8d0f940c213227fc3f904f846d5ec3d0fba6653754501e8ebadc421aa3892a20fef33cff0206047058a4cfb4efbeae96b2d019b4ab2edce33328748a0d008a69c8f5816b72d45bd9b5a41bb6ea0127ab23057ec6fcd");
-        assert_eq!(decrypt(&sk2, &encrypted).unwrap(), "hello world🌍".as_bytes());
+        assert_eq!(decrypt(&sk, &encrypted).unwrap(), "hello world🌍".as_bytes());
     }
 
     #[cfg(all(not(feature = "xchacha20"), feature = "aes-12bytes-nonce"))]
     #[test]
     pub fn test_known_encrypted_short_nonce() {
-        let sk2 = decode_hex("562b6cd3611d463f2c59218f1be2816472ad4a489450873dd585de7df662bb68");
+        let sk = decode_hex("562b6cd3611d463f2c59218f1be2816472ad4a489450873dd585de7df662bb68");
         let encrypted = decode_hex("04e1b4678e49066bb9e12cc39aa303bf46b1bf4f565ffa56b9e5ebfa05b756612a548b06dfdd1d06afb64ab7a7e52e26e3a1c69da8fe0c3ea125848d44066f90c826f9a8b0c8951a06d9b20b3d434dc650862d85fcd4fb4b3f30e0658661d24cb9c31bcae0bf56564495c64b");
-        assert_eq!(decrypt(&sk2, &encrypted).unwrap(), "hello world🌍".as_bytes());
+        assert_eq!(decrypt(&sk, &encrypted).unwrap(), "hello world🌍".as_bytes());
     }
 
     #[cfg(feature = "xchacha20")]
     #[test]
     pub fn test_known_encrypted_xchacha20() {
-        let sk2 = decode_hex("9445d8b9911622546a266b2e663bf2b498073a64279409afb9ef20f8259c651f");
+        let sk = decode_hex("9445d8b9911622546a266b2e663bf2b498073a64279409afb9ef20f8259c651f");
         let encrypted = decode_hex("04eaf35ad4dde0ace3f673fec6be164dc68e11aa9c1988d4c1b91f0ccdef94cf591aae4e9daf5f8a87837136fc70811df852015a8b4e2cb374c27db16933536085f34470ffef72667bbe984c145302fc8d37f66563339c47f41ef871ee0ebda8c1bad133c3b203c769cb694e5adbd6c9f02b2eedd939875a");
-        assert_eq!(decrypt(&sk2, &encrypted).unwrap(), "hello world🌍".as_bytes());
+        assert_eq!(decrypt(&sk, &encrypted).unwrap(), "hello world🌍".as_bytes());
     }
 }
 

diff --git a/src/elliptic/x25519.rs b/src/elliptic/x25519.rs
@@ -1,8 +1,9 @@
 use rand_core::OsRng;
+
 pub use x25519_dalek::{PublicKey, StaticSecret as SecretKey};
 
 use crate::compat::Vec;
-use crate::consts::SharedSecret;
+use crate::consts::{SharedSecret, ZERO_SECRET};
 use crate::symmetric::hkdf_derive;
 
 #[derive(Debug, Clone, Copy, Eq, PartialEq)]
@@ -32,25 +33,25 @@ pub fn generate_keypair() -> (SecretKey, PublicKey) {
 pub fn encapsulate(sk: &SecretKey, peer_pk: &PublicKey) -> Result<SharedSecret, Error> {
     let shared_point = sk.diffie_hellman(&peer_pk);
     let sender_point = PublicKey::from(sk);
-    Ok(get_shared_secret(sender_point.as_bytes(), shared_point.as_bytes()))
+    Ok(hkdf_derive(sender_point.as_bytes(), shared_point.as_bytes()))
 }
 
 /// Calculate a shared symmetric key of our public key and peer's secret key by hkdf
 pub fn decapsulate(pk: &PublicKey, peer_sk: &SecretKey) -> Result<SharedSecret, Error> {
     let shared_point = peer_sk.diffie_hellman(&pk);
-    Ok(get_shared_secret(pk.as_bytes(), shared_point.as_bytes()))
+    Ok(hkdf_derive(pk.as_bytes(), shared_point.as_bytes()))
 }
 
 /// Parse secret key bytes
 pub fn parse_sk(sk: &[u8]) -> Result<SecretKey, Error> {
-    let mut data = [0u8; 32];
+    let mut data = ZERO_SECRET;
     data.copy_from_slice(sk);
     Ok(SecretKey::from(data))
 }
 
 /// Parse public key bytes
 pub fn parse_pk(pk: &[u8]) -> Result<PublicKey, Error> {
-    let mut data = [0u8; 32];
+    let mut data = ZERO_SECRET;
     data.copy_from_slice(pk);
     Ok(PublicKey::from(data))
 }
@@ -60,10 +61,6 @@ pub fn pk_to_vec(pk: &PublicKey, _compressed: bool) -> Vec<u8> {
     pk.as_bytes().to_vec()
 }
 
-fn get_shared_secret(sender_point: &[u8], shared_point: &[u8]) -> SharedSecret {
-    hkdf_derive(sender_point, shared_point)
-}
-
 #[cfg(test)]
 mod random_tests {
     use super::generate_keypair;
@@ -80,6 +77,15 @@ mod random_tests {
         assert_eq!(msg.to_vec(), decrypt(sk, &encrypt(pk, msg).unwrap()).unwrap());
     }
 
+    #[test]
+    pub fn test_keypair() {
+        let (sk1, pk1) = generate_keypair();
+        let (sk2, pk2) = generate_keypair();
+
+        assert_ne!(sk1.to_bytes(), sk2.to_bytes());
+        assert_ne!(pk1.to_bytes(), pk2.to_bytes());
+    }
+
     #[test]
     pub fn test_random() {
         let (sk, pk) = generate_keypair();
@@ -91,6 +97,8 @@ mod random_tests {
 #[cfg(test)]
 mod known_tests {
     use super::{parse_pk, parse_sk};
+
+    use crate::decrypt;
     use crate::utils::tests::decode_hex;
 
     fn test_known(sk: &str, pk: &str, shared: &str) {
@@ -113,32 +121,46 @@ mod known_tests {
     #[cfg(all(not(feature = "xchacha20"), not(feature = "aes-12bytes-nonce")))]
     #[test]
     pub fn test_known_encrypted() {
-        use crate::decrypt;
-
         let sk = decode_hex("9434b8fc5036bf967b8483a1bf7378f094d90e01393e4e880db0080022ce6330");
         let encrypted = decode_hex("02c351532928d20b9be0c354e029fd387e032d5318d71ca0ea361b8c62bae86794f6208f17b01affe66ab9edc728a25fac317b41dee123c3aee8684e9c771cfbc2c94c0fe0945ea7cad55b3eb11712");
         assert_eq!(decrypt(&sk, &encrypted).unwrap(), "hello world🌍".as_bytes());
     }
+
+    #[cfg(all(not(feature = "xchacha20"), feature = "aes-12bytes-nonce"))]
+    #[test]
+    pub fn test_known_encrypted_short_nonce() {
+        let sk = decode_hex("abba7856619f7923038f03e7365bb166334075cc6b2d57a5c801776a8b506a52");
+        let encrypted = decode_hex("0a16e5b8df916e845aca761353a4776f61785601768e21ca2b359c893d8a304b3cda271597715650d17f43b37379cd587d5466579e3a59da051b5ed49739a91c996cb34c65c8b7ae68fdf3");
+        assert_eq!(decrypt(&sk, &encrypted).unwrap(), "hello world🌍".as_bytes());
+    }
+
+    #[cfg(feature = "xchacha20")]
+    #[test]
+    pub fn test_known_encrypted_xchacha20() {
+        let sk = decode_hex("6e180c5ae2528fd4799111629b397b2faa48d8074f37cc686aa4139c74103049");
+        let encrypted = decode_hex("6093c37db0385e92860f1213a6e3c75f82b529fad9ddcfdfbcf997dcdf5d8166e275a5ff509362bb50fbbe4f9ef1617ae10c6a7e93f1ef7e5bed7da681278126cd8114f41843d7797007509565b4aca0a3dd473f48265b");
+        assert_eq!(decrypt(&sk, &encrypted).unwrap(), "hello world🌍".as_bytes());
+    }
 }
 
 #[cfg(test)]
 mod error_tests {
     use super::{generate_keypair, Error};
-    use crate::{decrypt, encrypt};
+    use crate::{consts::ZERO_SECRET, decrypt, encrypt};
 
     const MSG: &str = "helloworld🌍";
 
     #[test]
     pub fn attempts_to_decrypt_with_invalid_key() {
-        assert_eq!(decrypt(&[0u8; 32], &[]), Err(Error::InvalidMessage));
+        assert_eq!(decrypt(&ZERO_SECRET, &[]), Err(Error::InvalidMessage));
     }
 
     #[test]
     pub fn attempts_to_decrypt_incorrect_message() {
         let (sk, _) = generate_keypair();
 
         assert_eq!(decrypt(sk.as_bytes(), &[]), Err(Error::InvalidMessage));
-        assert_eq!(decrypt(sk.as_bytes(), &[0u8; 32]), Err(Error::InvalidMessage));
+        assert_eq!(decrypt(sk.as_bytes(), &ZERO_SECRET), Err(Error::InvalidMessage));
     }
 
     #[test]
@@ -157,6 +179,7 @@ mod wasm_tests {
 
     #[wasm_bindgen_test]
     fn test_random() {
+        super::random_tests::test_keypair();
         super::random_tests::test_random();
     }
 
@@ -165,6 +188,10 @@ mod wasm_tests {
         super::known_tests::test_known_shared_point();
         #[cfg(all(not(feature = "xchacha20"), not(feature = "aes-12bytes-nonce")))]
         super::known_tests::test_known_encrypted();
+        #[cfg(all(not(feature = "xchacha20"), feature = "aes-12bytes-nonce"))]
+        super::known_tests::test_known_encrypted_short_nonce();
+        #[cfg(feature = "xchacha20")]
+        super::known_tests::test_known_encrypted_xchacha20();
     }
 
     #[wasm_bindgen_test]

diff --git a/src/symmetric/hash.rs b/src/symmetric/hash.rs
@@ -2,19 +2,19 @@ use hkdf::Hkdf;
 use sha2::Sha256;
 
 use crate::compat::Vec;
-use crate::consts::{SharedSecret, EMPTY_BYTES};
+use crate::consts::{SharedSecret, EMPTY_BYTES, ZERO_SECRET};
 
-pub fn hkdf_derive(sender_point: &[u8], shared_point: &[u8]) -> SharedSecret {
-    let size = sender_point.len() + shared_point.len();
+pub fn hkdf_derive(part1: &[u8], part2: &[u8]) -> SharedSecret {
+    let size = part1.len() + part2.len();
     let mut master = Vec::with_capacity(size);
-    master.extend(sender_point);
-    master.extend(shared_point);
+    master.extend(part1);
+    master.extend(part2);
     hkdf_sha256(&master)
 }
 
 fn hkdf_sha256(master: &[u8]) -> SharedSecret {
     let h = Hkdf::<Sha256>::new(None, master);
-    let mut out = [0u8; 32];
+    let mut out = ZERO_SECRET;
     // never fails because 32 < 255 * chunk_len, which is 32 on SHA256
     h.expand(&EMPTY_BYTES, &mut out).unwrap();
     out

diff --git a/src/symmetric/mod.rs b/src/symmetric/mod.rs
@@ -36,7 +36,10 @@ pub fn sym_decrypt(key: &[u8], encrypted: &[u8]) -> Option<Vec<u8>> {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::{consts::NONCE_TAG_LENGTH, utils::tests::decode_hex};
+    use crate::{
+        consts::{NONCE_TAG_LENGTH, ZERO_SECRET},
+        utils::tests::decode_hex,
+    };
 
     #[test]
     pub(super) fn attempts_to_decrypt_invalid_message() {
@@ -47,7 +50,7 @@ mod tests {
 
     #[test]
     pub(super) fn test_random_key() {
-        let mut key = [0u8; 32];
+        let mut key = ZERO_SECRET;
 
         let texts = [b"this is a text", "😀😀😀😀".as_bytes()];
         for msg in texts.iter() {
Original file line number	Diff line number	Diff line change
		@@ -28,3 +28,5 @@ pub const EMPTY_BYTES: [u8; 0] = [];

		/// Shared secret derived from key exchange by hkdf
		pub type SharedSecret = [u8; 32];

		pub(crate) const ZERO_SECRET: [u8; 32] = [0u8; 32];