README
¶
CIRCL
CIRCL (Cloudflare Interoperable, Reusable Cryptographic Library) is a collection of cryptographic primitives written in Go. The goal of this library is to be used as a tool for experimental deployment of cryptographic algorithms targeting Post-Quantum (PQ) and Elliptic Curve Cryptography (ECC).
Security Disclaimer
🚨 This library is offered as-is, and without a guarantee. Therefore, it is expected that changes in the code, repository, and API occur in the future. We recommend to take caution before using this library in a production application since part of its content is experimental. All security issues must be reported, please notify us immediately following the instructions given in our Security Policy.
Installation
You can get CIRCL by fetching:
go get -u github.com/cloudflare/circl
Alternatively, look at the Cloudflare Go fork to see how to integrate CIRCL natively in Go.
List of Algorithms
Elliptic Curve Cryptography
| Diffie-Hellman Protocol |
|---|
- X25519 and X448 functions. (RFC-7748)
- Curve4Q function based on FourQ curve. (draft-ladd-cfrg-4q)
| Digital Signature Schemes |
|---|
| Prime Groups |
|---|
- P-256, P-384, P-521. (FIPS 186-5)
- Ristretto group. (RFC-9496)
- Bilinear pairings: with the BLS12-381 curve, and hash to G1 and G2.
- Hash to curve, hash to field, XMD and XOF expanders. (RFC-9380)
| High-Level Protocols |
|---|
- HPKE: Hybrid Public-Key Encryption (RFC-9180)
- VOPRF: Verifiable Oblivious Pseudorandom functions. (RFC-9497)
- RSA Blind Signatures. (RFC-9474)
- Partilly-blind Signatures. (draft-cfrg-partially-blind-rsa)
- CPABE: Ciphertext-Policy Attribute-Based Encryption. (ia.cr/2019/966)
- OT: Simplest Oblivious Transfer (ia.cr/2015/267).
- Threshold RSA Signatures (Shoup Eurocrypt 2000).
Post-Quantum Cryptography
| KEM: Key Encapsulation Methods |
|---|
- CSIDH: Post-Quantum Commutative Group Action (CSIDH).
- Kyber KEM: modes 512, 768, 1024 (KYBER).
- FrodoKEM: modes 640-SHAKE. (FrodoKEM)
- (insecure, deprecated)
SIDH/SIKE: Supersingular Key Encapsulation with primes p434, p503, p751 (SIKE).
| Digital Signature Schemes |
|---|
Zero-knowledge Proofs
- Schnorr: Prove knowledge of the Discrete Logarithm. (RFC-8235)
- DLEQ: Prove knowledge of the Discrete Logarithm Equality. (RFC-9497)
- DLEQ in Qn: Prove knowledge of the Discrete Logarithm Equality for subgroup of squares in (Z/nZ)*.
Symmetric Cryptography
| XOF: eXtendable Output Functions |
|---|
- SHAKE128 and SHAKE256 (FIPS 202).
- BLAKE2X: BLAKE2XB and BLAKE2XS (Blake2x)
- KangarooTwelve: fast hashing based on Keccak-p. (KangarooTwelve).
- SIMD Keccak f1600 Permutation.
| LWC: Lightweight Cryptography |
|---|
- Ascon v1.2: Family of AEAD block ciphers (ASCON)
Misc
| Integers |
|---|
- Safe primes generation.
- Integer encoding: wNAF, regular signed digit, mLSBSet representations.
| Finite Fields |
|---|
- Fp25519, Fp448, Fp511, Fp434, Fp503, Fp751.
- Fp381, and its quadratic, sextic and twelveth extensions.
- Polynomials in monomial and Lagrange basis.
| Elliptic Curves |
|---|
- P-384 Curve
- FourQ
- Goldilocks
- BLS12-381
Testing and Benchmarking
Library comes with number of make targets which can be used for testing and benchmarking:
testperforms testing of the binary.benchruns benchmarks.coverproduces coverage.lintruns set of linters on the code base.
Contributing
To contribute, fork this repository and make your changes, and then make a Pull Request. A Pull Request requires approval of the admin team and a successful CI build.
How to Cite
To cite CIRCL, use one of the following formats and update the version and date you accessed this project.
APA Style
Faz-Hernández, A. and Kwiatkowski, K. (2019). Introducing CIRCL:
An Advanced Cryptographic Library. Cloudflare. Available at
https://github.com/cloudflare/circl. v1.3.7 Accessed Dec, 2023.
Bibtex Source
@manual{circl,
title = {Introducing CIRCL: An Advanced Cryptographic Library},
author = {Armando Faz-Hern\'{a}ndez and Kris Kwiatkowski},
organization = {Cloudflare},
abstract = {{CIRCL (Cloudflare Interoperable, Reusable Cryptographic Library) is
a collection of cryptographic primitives written in Go. The goal
of this library is to be used as a tool for experimental
deployment of cryptographic algorithms targeting Post-Quantum (PQ)
and Elliptic Curve Cryptography (ECC).}},
note = {Available at \url{https://github.com/cloudflare/circl}. v1.3.7 Accessed Dec, 2023},
month = jun,
year = {2019}
}
CFF Style
See attached CITATION.cff file.
License
The project is licensed under the BSD-3-Clause License.
Documentation
¶
Overview ¶
Package circl provides a collection of cryptographic primitives. The goal of this module is to be used as a tool for experimental deployment of cryptographic algorithms targeting Post-Quantum (PQ) and Elliptic Curve Cryptography (ECC).
Following blog post describes ideas behind CIRCL in more details: https://blog.cloudflare.com/introducing-circl/
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package abe provides Attribute-based data encryption algorithms.
|
Package abe provides Attribute-based data encryption algorithms. |
|
cpabe
Package cpabe provides Ciphertext-Policy Attribute-based Encryption algorithms.
|
Package cpabe provides Ciphertext-Policy Attribute-based Encryption algorithms. |
|
cpabe/tkn20
Package tkn20 implements a ciphertext-policy ABE by Tomida, Kawahara, Nishimaki.
|
Package tkn20 implements a ciphertext-policy ABE by Tomida, Kawahara, Nishimaki. |
|
Package blindsign provides blind signature schemes.
|
Package blindsign provides blind signature schemes. |
|
blindrsa
Package blindrsa implements the RSA Blind Signature Protocol as defined in [RFC9474].
|
Package blindrsa implements the RSA Blind Signature Protocol as defined in [RFC9474]. |
|
blindrsa/partiallyblindrsa
Package partiallyblindrsa implements a partially blind RSA protocol.
|
Package partiallyblindrsa implements a partially blind RSA protocol. |
|
Package cipher provides data encryption algorithms.
|
Package cipher provides data encryption algorithms. |
|
ascon
Package ascon provides ASCON family of light-weight AEAD ciphers.
|
Package ascon provides ASCON family of light-weight AEAD ciphers. |
|
Package dh provides variety of Diffie-Hellman key exchange methods.
|
Package dh provides variety of Diffie-Hellman key exchange methods. |
|
csidh
Package csidh implements commutative supersingular isogeny-based Diffie-Hellman key exchange algorithm (CSIDH) resulting from the group action.
|
Package csidh implements commutative supersingular isogeny-based Diffie-Hellman key exchange algorithm (CSIDH) resulting from the group action. |
|
curve4q
Package curve4q implements Diffie-Hellman operations using the FourQ curve at the 128-bit security level.
|
Package curve4q implements Diffie-Hellman operations using the FourQ curve at the 128-bit security level. |
|
sidh
Package sidh is deprecated, it provides SIDH and SIKE key encapsulation mechanisms.
|
Package sidh is deprecated, it provides SIDH and SIKE key encapsulation mechanisms. |
|
sidh/internal/common
Package common provides types, variables, constants and functions commonly used in SIDH or SIKE.
|
Package common provides types, variables, constants and functions commonly used in SIDH or SIKE. |
|
sidh/internal/p503
Package p503 provides implementation of field arithmetic used in SIDH and SIKE.
|
Package p503 provides implementation of field arithmetic used in SIDH and SIKE. |
|
sidh/internal/p751
Package p751 provides implementation of field arithmetic used in SIDH and SIKE.
|
Package p751 provides implementation of field arithmetic used in SIDH and SIKE. |
|
x25519
Package x25519 provides Diffie-Hellman functions as specified in RFC-7748.
|
Package x25519 provides Diffie-Hellman functions as specified in RFC-7748. |
|
x448
Package x448 provides Diffie-Hellman functions as specified in RFC-7748.
|
Package x448 provides Diffie-Hellman functions as specified in RFC-7748. |
|
Package ecc provides implementation of arithmetic on some elliptic curves.
|
Package ecc provides implementation of arithmetic on some elliptic curves. |
|
bls12381
Package bls12381 provides bilinear pairings using the BLS12-381 curve.
|
Package bls12381 provides bilinear pairings using the BLS12-381 curve. |
|
bls12381/ff
Package ff provides finite fields of characteristic P381.
|
Package ff provides finite fields of characteristic P381. |
|
fourq
Package fourq provides elliptic curve operations over FourQ curve.
|
Package fourq provides elliptic curve operations over FourQ curve. |
|
goldilocks
Package goldilocks provides elliptic curve operations over the goldilocks curve.
|
Package goldilocks provides elliptic curve operations over the goldilocks curve. |
|
p384
Package p384 provides optimized elliptic curve operations on the P-384 curve.
|
Package p384 provides optimized elliptic curve operations on the P-384 curve. |
|
Package expander generates arbitrary bytes from an XOF or Hash function.
|
Package expander generates arbitrary bytes from an XOF or Hash function. |
|
Package group provides prime-order groups based on elliptic curves.
|
Package group provides prime-order groups based on elliptic curves. |
|
Package hpke implements the Hybrid Public Key Encryption (HPKE) standard specified by draft-irtf-cfrg-hpke-07.
|
Package hpke implements the Hybrid Public Key Encryption (HPKE) standard specified by draft-irtf-cfrg-hpke-07. |
|
internal
|
|
|
nist
Package nist implements helpers to generate NIST's Known Answer Tests (KATs).
|
Package nist implements helpers to generate NIST's Known Answer Tests (KATs). |
|
sha3
Package sha3 implements the SHA-3 fixed-output-length hash functions and the SHAKE variable-output-length hash functions defined by FIPS-202.
|
Package sha3 implements the SHA-3 fixed-output-length hash functions and the SHAKE variable-output-length hash functions defined by FIPS-202. |
|
Package kem provides a unified interface for KEM schemes.
|
Package kem provides a unified interface for KEM schemes. |
|
frodo
Package frodo provides the key encapsulation mechanism FrodoKEM.
|
Package frodo provides the key encapsulation mechanism FrodoKEM. |
|
frodo/frodo640shake
Package frodo640shake implements the variant FrodoKEM-640 with SHAKE.
|
Package frodo640shake implements the variant FrodoKEM-640 with SHAKE. |
|
hybrid
Package hybrid defines several hybrid classical/quantum KEMs.
|
Package hybrid defines several hybrid classical/quantum KEMs. |
|
kyber
Package kyber implements the CRYSTALS-Kyber.CCAKEM IND-CCA2 secure key encapsulation mechanism (KEM) as submitted to round 3 of the NIST PQC competition and described in
|
Package kyber implements the CRYSTALS-Kyber.CCAKEM IND-CCA2 secure key encapsulation mechanism (KEM) as submitted to round 3 of the NIST PQC competition and described in |
|
kyber/kyber1024
Package kyber1024 implements the IND-CCA2 secure key encapsulation mechanism Kyber1024.CCAKEM as submitted to round 3 of the NIST PQC competition and described in
|
Package kyber1024 implements the IND-CCA2 secure key encapsulation mechanism Kyber1024.CCAKEM as submitted to round 3 of the NIST PQC competition and described in |
|
kyber/kyber512
Package kyber512 implements the IND-CCA2 secure key encapsulation mechanism Kyber512.CCAKEM as submitted to round 3 of the NIST PQC competition and described in
|
Package kyber512 implements the IND-CCA2 secure key encapsulation mechanism Kyber512.CCAKEM as submitted to round 3 of the NIST PQC competition and described in |
|
kyber/kyber768
Package kyber768 implements the IND-CCA2 secure key encapsulation mechanism Kyber768.CCAKEM as submitted to round 3 of the NIST PQC competition and described in
|
Package kyber768 implements the IND-CCA2 secure key encapsulation mechanism Kyber768.CCAKEM as submitted to round 3 of the NIST PQC competition and described in |
|
schemes
Package schemes contains a register of KEM schemes.
|
Package schemes contains a register of KEM schemes. |
|
sike
Package sike is deprecated, it contains the SIKE key encapsulation mechanism.
|
Package sike is deprecated, it contains the SIKE key encapsulation mechanism. |
|
sike/sikep434
Package sikep434 is deprecated, it implements the key encapsulation mechanism SIKEp434.
|
Package sikep434 is deprecated, it implements the key encapsulation mechanism SIKEp434. |
|
sike/sikep503
Package sikep503 is deprecated, it implements the key encapsulation mechanism SIKEp503.
|
Package sikep503 is deprecated, it implements the key encapsulation mechanism SIKEp503. |
|
sike/sikep751
Package sikep751 is deprecated, it implements the key encapsulation mechanism SIKEp751.
|
Package sikep751 is deprecated, it implements the key encapsulation mechanism SIKEp751. |
|
Package math provides some utility functions for big integers.
|
Package math provides some utility functions for big integers. |
|
fp25519
Package fp25519 provides prime field arithmetic over GF(2^255-19).
|
Package fp25519 provides prime field arithmetic over GF(2^255-19). |
|
fp448
Package fp448 provides prime field arithmetic over GF(2^448-2^224-1).
|
Package fp448 provides prime field arithmetic over GF(2^448-2^224-1). |
|
mlsbset
Package mlsbset provides a constant-time exponentiation method with precomputation.
|
Package mlsbset provides a constant-time exponentiation method with precomputation. |
|
polynomial
Package polynomial provides representations of polynomials over the scalars of a group.
|
Package polynomial provides representations of polynomials over the scalars of a group. |
|
Package oprf provides Verifiable, Oblivious Pseudo-Random Functions.
|
Package oprf provides Verifiable, Oblivious Pseudo-Random Functions. |
|
Package ot provides oblivious-transfer protocols.
|
Package ot provides oblivious-transfer protocols. |
|
Package pke provides a variety of public key encryption mechanisms.
|
Package pke provides a variety of public key encryption mechanisms. |
|
kyber
Package kyber implements the CRYSTALS-Kyber.CPAPKE public key encryption as submitted to round 3 of the NIST PQC competition and described in
|
Package kyber implements the CRYSTALS-Kyber.CPAPKE public key encryption as submitted to round 3 of the NIST PQC competition and described in |
|
kyber/kyber1024
kyber1024 implements the IND-CPA-secure Public Key Encryption scheme Kyber1024.CPAPKE as submitted to round 3 of the NIST PQC competition and described in
|
kyber1024 implements the IND-CPA-secure Public Key Encryption scheme Kyber1024.CPAPKE as submitted to round 3 of the NIST PQC competition and described in |
|
kyber/kyber512
kyber512 implements the IND-CPA-secure Public Key Encryption scheme Kyber512.CPAPKE as submitted to round 3 of the NIST PQC competition and described in
|
kyber512 implements the IND-CPA-secure Public Key Encryption scheme Kyber512.CPAPKE as submitted to round 3 of the NIST PQC competition and described in |
|
kyber/kyber768
kyber768 implements the IND-CPA-secure Public Key Encryption scheme Kyber768.CPAPKE as submitted to round 3 of the NIST PQC competition and described in
|
kyber768 implements the IND-CPA-secure Public Key Encryption scheme Kyber768.CPAPKE as submitted to round 3 of the NIST PQC competition and described in |
|
kyber/internal/common/asm
Module
|
|
|
Package secretsharing provides methods to split secrets into shares.
|
Package secretsharing provides methods to split secrets into shares. |
|
Package sign provides unified interfaces for signature schemes.
|
Package sign provides unified interfaces for signature schemes. |
|
bls
Package bls provides BLS signatures using the BLS12-381 pairing curve.
|
Package bls provides BLS signatures using the BLS12-381 pairing curve. |
|
dilithium
dilithium implements the CRYSTALS-Dilithium signature schemes as submitted to round3 of the NIST PQC competition and described in
|
dilithium implements the CRYSTALS-Dilithium signature schemes as submitted to round3 of the NIST PQC competition and described in |
|
dilithium/mode2
mode2 implements the CRYSTALS-Dilithium signature scheme Dilithium2 as submitted to round3 of the NIST PQC competition and described in
|
mode2 implements the CRYSTALS-Dilithium signature scheme Dilithium2 as submitted to round3 of the NIST PQC competition and described in |
|
dilithium/mode2aes
mode2aes implements the CRYSTALS-Dilithium signature scheme Dilithium2-AES as submitted to round3 of the NIST PQC competition and described in
|
mode2aes implements the CRYSTALS-Dilithium signature scheme Dilithium2-AES as submitted to round3 of the NIST PQC competition and described in |
|
dilithium/mode3
mode3 implements the CRYSTALS-Dilithium signature scheme Dilithium3 as submitted to round3 of the NIST PQC competition and described in
|
mode3 implements the CRYSTALS-Dilithium signature scheme Dilithium3 as submitted to round3 of the NIST PQC competition and described in |
|
dilithium/mode3aes
mode3aes implements the CRYSTALS-Dilithium signature scheme Dilithium3-AES as submitted to round3 of the NIST PQC competition and described in
|
mode3aes implements the CRYSTALS-Dilithium signature scheme Dilithium3-AES as submitted to round3 of the NIST PQC competition and described in |
|
dilithium/mode5
mode5 implements the CRYSTALS-Dilithium signature scheme Dilithium5 as submitted to round3 of the NIST PQC competition and described in
|
mode5 implements the CRYSTALS-Dilithium signature scheme Dilithium5 as submitted to round3 of the NIST PQC competition and described in |
|
dilithium/mode5aes
mode5aes implements the CRYSTALS-Dilithium signature scheme Dilithium5-AES as submitted to round3 of the NIST PQC competition and described in
|
mode5aes implements the CRYSTALS-Dilithium signature scheme Dilithium5-AES as submitted to round3 of the NIST PQC competition and described in |
|
ed25519
Package ed25519 implements Ed25519 signature scheme as described in RFC-8032.
|
Package ed25519 implements Ed25519 signature scheme as described in RFC-8032. |
|
ed448
Package ed448 implements Ed448 signature scheme as described in RFC-8032.
|
Package ed448 implements Ed448 signature scheme as described in RFC-8032. |
|
eddilithium2
Package eddilithium2 implements the hybrid signature scheme Ed25519-Dilithium2.
|
Package eddilithium2 implements the hybrid signature scheme Ed25519-Dilithium2. |
|
eddilithium3
Package eddilithium3 implements the hybrid signature scheme Ed448-Dilithium3.
|
Package eddilithium3 implements the hybrid signature scheme Ed448-Dilithium3. |
|
schemes
Package schemes contains a register of signature algorithms.
|
Package schemes contains a register of signature algorithms. |
|
Package simd provides parallel implementations of some primitives.
|
Package simd provides parallel implementations of some primitives. |
|
keccakf1600
Package keccakf1600 provides a two and four-way Keccak-f[1600] permutation in parallel.
|
Package keccakf1600 provides a two and four-way Keccak-f[1600] permutation in parallel. |
|
keccakf1600/internal/asm
Module
|
|
|
Package tss provides threshold signature schemes.
|
Package tss provides threshold signature schemes. |
|
rsa
Package rsa provides RSA threshold signature scheme.
|
Package rsa provides RSA threshold signature scheme. |
|
Package xof provides an interface for eXtendable-Output Functions.
|
Package xof provides an interface for eXtendable-Output Functions. |
|
k12
k12 implements the KangarooTwelve XOF.
|
k12 implements the KangarooTwelve XOF. |
|
Package zk provides primitives for zero-knowledge proofs of knowledge.
|
Package zk provides primitives for zero-knowledge proofs of knowledge. |
|
dl
Package dl provides a Schnorr NIZK discrete-log proof.
|
Package dl provides a Schnorr NIZK discrete-log proof. |
|
dleq
Package dleq provides zero-knowledge proofs of Discrete-Logarithm Equivalence (DLEQ).
|
Package dleq provides zero-knowledge proofs of Discrete-Logarithm Equivalence (DLEQ). |
|
qndleq
Package qndleq provides zero-knowledge proofs of Discrete-Logarithm Equivalence (DLEQ) on Qn.
|
Package qndleq provides zero-knowledge proofs of Discrete-Logarithm Equivalence (DLEQ) on Qn. |
Click to show internal directories.
Click to hide internal directories.