Upgrade to universal-hash v0.4.0-pre

- (Vicariously) bumps `generic-array` to v0.14
- Splits out `NewUniversalHash` from `UniversalHash`
- Uses `GenericArray` type aliases
- Renames `update_block` to `update`
- Gets rid of redundant buffering logic in `poly1305`
- Adds notes about the NCC/MobileCoin security audit

Cargo.toml

@@ -4,3 +4,6 @@ members = [
     "poly1305",
     "polyval"
 ]
+
+[patch.crates-io]
+universal-hash = { git = "https://github.com/RustCrypto/traits" }

ghash/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "ghash"
-version = "0.2.3"
+version = "0.3.0-pre"
 authors = ["RustCrypto Developers"]
 license = "MIT OR Apache-2.0"
 description = """
@@ -15,7 +15,7 @@ categories = ["cryptography", "no-std"]
 edition = "2018"
 
 [dependencies]
-polyval = { version = "0.3", path = "../polyval" }
+polyval = { version = "= 0.4.0-pre", path = "../polyval" }
 zeroize = { version = "1", optional = true, default-features = false }
 
 [dev-dependencies]

ghash/README.md

@@ -13,13 +13,19 @@ Its primary intended use is for implementing [AES-GCM][4].
 
 [Documentation][docs-link]
 
-## Security Warning
+## Security Notes
 
-No security audits of this crate have ever been performed, and it has not been
-thoroughly assessed to ensure its operation is constant-time on common CPU
-architectures.
+This crate has received one [security audit by NCC Group][5], with no significant
+findings. We would like to thank [MobileCoin][6] for funding the audit.
 
-USE AT YOUR OWN RISK!
+All implementations contained in the crate are designed to execute in constant
+time, either by relying on hardware intrinsics (i.e. AVX2 on x86/x86_64), or
+using a portable implementation which is only constant time on processors which
+implement constant-time multiplication.
+
+It is not suitable for use on processors with a variable-time multiplication
+operation (e.g. short circuit on multiply-by-zero / multiply-by-one, such as
+certain 32-bit PowerPC CPUs and some non-ARM microcontrollers).
 
 ## License
 
@@ -53,3 +59,5 @@ dual licensed as above, without any additional terms or conditions.
 [2]: https://en.wikipedia.org/wiki/Universal_hashing
 [3]: https://en.wikipedia.org/wiki/Message_authentication_code
 [4]: https://en.wikipedia.org/wiki/Galois/Counter_Mode
+[5]: https://research.nccgroup.com/2020/02/26/public-report-rustcrypto-aes-gcm-and-chacha20poly1305-implementation-review/
+[6]: https://www.mobilecoin.com/

ghash/src/lib.rs

@@ -29,11 +29,19 @@ pub use polyval::universal_hash;
 
 use core::convert::TryInto;
 use polyval::Polyval;
-use universal_hash::generic_array::{typenum::U16, GenericArray};
-use universal_hash::{Output, UniversalHash};
+use universal_hash::{consts::U16, NewUniversalHash, UniversalHash};
 #[cfg(feature = "zeroize")]
 use zeroize::Zeroize;
 
+/// GHASH keys (16-bytes)
+pub type Key = universal_hash::Key<GHash>;
+
+/// GHASH blocks (16-bytes)
+pub type Block = universal_hash::Block<GHash>;
+
+/// GHASH tags (16-bytes)
+pub type Tag = universal_hash::Output<GHash>;
+
 /// **GHASH**: universal hash over GF(2^128) used by AES-GCM.
 ///
 /// GHASH is a universal hash function used for message authentication in
@@ -42,12 +50,11 @@ use zeroize::Zeroize;
 #[repr(align(16))]
 pub struct GHash(Polyval);
 
-impl UniversalHash for GHash {
+impl NewUniversalHash for GHash {
     type KeySize = U16;
-    type BlockSize = U16;
 
     /// Initialize GHASH with the given `H` field element
-    fn new(h: &GenericArray<u8, U16>) -> Self {
+    fn new(h: &Key) -> Self {
         let mut h = *h;
         h.reverse();
 
@@ -65,12 +72,16 @@ impl UniversalHash for GHash {
 
         result
     }
+}
+
+impl UniversalHash for GHash {
+    type BlockSize = U16;
 
     /// Input a field element `X` to be authenticated
-    fn update_block(&mut self, x: &GenericArray<u8, U16>) {
+    fn update(&mut self, x: &Block) {
         let mut x = *x;
         x.reverse();
-        self.0.update_block(&x);
+        self.0.update(&x);
     }
 
     /// Reset internal state
@@ -79,10 +90,10 @@ impl UniversalHash for GHash {
     }
 
     /// Get GHASH output
-    fn result(self) -> Output<U16> {
+    fn result(self) -> Tag {
         let mut output = self.0.result().into_bytes();
         output.reverse();
-        Output::new(output)
+        Tag::new(output)
     }
 }
 
@@ -92,7 +103,7 @@ impl UniversalHash for GHash {
 ///
 /// [1]: https://tools.ietf.org/html/rfc8452#appendix-A
 #[allow(non_snake_case)]
-fn mulX_POLYVAL(block: &GenericArray<u8, U16>) -> GenericArray<u8, U16> {
+fn mulX_POLYVAL(block: &Block) -> Block {
     let mut v0 = u64::from_le_bytes(block[..8].try_into().unwrap());
     let mut v1 = u64::from_le_bytes(block[8..].try_into().unwrap());
 

ghash/tests/lib.rs

@@ -1,7 +1,10 @@
 #[macro_use]
 extern crate hex_literal;
 
-use ghash::{universal_hash::UniversalHash, GHash};
+use ghash::{
+    universal_hash::{NewUniversalHash, UniversalHash},
+    GHash,
+};
 
 //
 // Test vectors for GHASH from RFC 8452 Appendix A
@@ -18,8 +21,8 @@ const GHASH_RESULT: [u8; 16] = hex!("bd9b3997046731fb96251b91f9c99d7a");
 #[test]
 fn ghash_test_vector() {
     let mut ghash = GHash::new(&H.into());
-    ghash.update_block(&X_1.into());
-    ghash.update_block(&X_2.into());
+    ghash.update(&X_1.into());
+    ghash.update(&X_2.into());
 
     let result = ghash.result();
     assert_eq!(&GHASH_RESULT[..], result.into_bytes().as_slice());

poly1305/Cargo.toml

@@ -1,8 +1,8 @@
 [package]
 name = "poly1305"
-version = "0.5.2"
+version = "0.6.0-pre"
 authors = ["RustCrypto Developers"]
-license = "MIT OR Apache-2.0"
+license = "Apache-2.0 OR MIT"
 description = "The Poly1305 universal hash function and message authentication code"
 documentation = "https://docs.rs/poly1305"
 repository = "https://github.com/RustCrypto/universal-hashes"
@@ -11,8 +11,11 @@ categories = ["cryptography", "no-std"]
 readme = "README.md"
 edition = "2018"
 
+[badges]
+maintenance = { status = "passively-maintained" }
+
 [dependencies]
-universal-hash = { version = "0.3", default-features = false }
+universal-hash = { version = "= 0.4.0-pre", default-features = false }
 zeroize = { version = "1", optional = true, default-features = false }
 
 [features]

poly1305/README.md

@@ -15,13 +15,19 @@ In practice, Poly1305 is primarily combined with ciphers from the
 
 [Documentation][docs-link]
 
-## Security Warning
+## Security Notes
 
-No security audits of this crate have ever been performed, and it has not been
-thoroughly assessed to ensure its operation is constant-time on common CPU
-architectures.
+This crate has received one [security audit by NCC Group][7], with no significant
+findings. We would like to thank [MobileCoin][8] for funding the audit.
 
-USE AT YOUR OWN RISK!
+All implementations contained in the crate are designed to execute in constant
+time, either by relying on hardware intrinsics (i.e. AVX2 on x86/x86_64), or
+using a portable implementation which is only constant time on processors which
+implement constant-time multiplication.
+
+It is not suitable for use on processors with a variable-time multiplication
+operation (e.g. short circuit on multiply-by-zero / multiply-by-one, such as
+certain 32-bit PowerPC CPUs and some non-ARM microcontrollers).
 
 ## License
 
@@ -57,3 +63,5 @@ dual licensed as above, without any additional terms or conditions.
 [4]: https://cr.yp.to/snuffle/salsafamily-20071225.pdf
 [5]: https://github.com/RustCrypto/AEADs/tree/master/chacha20poly1305
 [6]: https://github.com/RustCrypto/AEADs/tree/master/xsalsa20poly1305
+[7]: https://research.nccgroup.com/2020/02/26/public-report-rustcrypto-aes-gcm-and-chacha20poly1305-implementation-review/
+[8]: https://www.mobilecoin.com/