Crates.io | serdect |
lib.rs | serdect |
version | 0.3.0-rc.0 |
source | src |
created_at | 2022-03-29 19:23:47.159208 |
updated_at | 2024-09-10 18:28:07.482292 |
description | Constant-time serde serializer/deserializer helpers for data that potentially contains secrets (e.g. cryptographic keys) |
homepage | https://github.com/RustCrypto/formats/tree/master/serdect |
repository | https://github.com/RustCrypto/formats |
max_upload_size | |
id | 558746 |
size | 56,274 |
Serialization is a potential sidechannel for leaking sensitive secrets such as cryptographic keys.
This crate provides "best effort" constant-time helper methods for reducing the amount of timing variability involved in serializing/deserializing data when using serde, Rust's standard serialization framework.
These helper methods conditionally serialize data as hexadecimal using the constant-time base16ct crate when using human-readable formats such as JSON or TOML. When using a binary format, the data is serialized as-is into binary.
While this crate can't ensure that format implementations don't perform other kinds of data-dependent branching on the contents of the serialized data, using a constant-time hex serialization with human-readable formats should help reduce the overall timing variability.
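The sketch below is an added illustration of the technique described above, not code from serdect or base16ct: hex digits are computed with arithmetic masks instead of table lookups or branches on the secret bytes, and hex is used only for human-readable output. All function names are hypothetical, the `human_readable` flag stands in for what serde's `Serializer::is_human_readable()` reports, and only lowercase hex is handled.

```rust
/// Branch-free nibble (0..=15) to lowercase ASCII hex digit.
fn encode_nibble(n: u8) -> u8 {
    let mut c = n as i16 + 0x30; // '0' + n
    // If c > '9' the difference is negative, the arithmetic shift yields an
    // all-ones mask, and the mask selects the offset that jumps to 'a'.
    c += ((0x39 - c) >> 8) & (0x61 - 0x3a);
    c as u8
}

/// Branch-free ASCII hex digit to value; returns -1 for a non-hex byte.
fn decode_nibble(b: u8) -> i16 {
    let b = b as i16;
    let mut v: i16 = -1;
    v += (((0x2f - b) & (b - 0x3a)) >> 8) & (b - 47); // '0'..='9'
    v += (((0x60 - b) & (b - 0x67)) >> 8) & (b - 86); // 'a'..='f'
    v
}

/// Hex text for human-readable formats, raw bytes for binary formats.
/// The branch depends on the format only, never on the secret.
fn serialize_secret(secret: &[u8], human_readable: bool) -> Vec<u8> {
    if !human_readable {
        return secret.to_vec();
    }
    let mut out = Vec::with_capacity(secret.len() * 2);
    for &byte in secret {
        out.push(encode_nibble(byte >> 4));
        out.push(encode_nibble(byte & 0x0f));
    }
    out
}

/// Decodes lowercase hex. Invalid digits are accumulated into `err` and
/// checked once at the end, so there is no early exit at a secret-dependent
/// position.
fn deserialize_hex(text: &[u8]) -> Option<Vec<u8>> {
    if text.len() % 2 != 0 {
        return None; // the length is not treated as secret
    }
    let mut out = Vec::with_capacity(text.len() / 2);
    let mut err: i16 = 0;
    for pair in text.chunks_exact(2) {
        let (hi, lo) = (decode_nibble(pair[0]), decode_nibble(pair[1]));
        err |= hi | lo; // becomes negative if any digit was invalid
        out.push(((hi << 4) | lo) as u8);
    }
    if err < 0 { None } else { Some(out) }
}

fn main() {
    let key = [0x00u8, 0x9a, 0xff]; // constructed sample "secret"
    println!("{}", String::from_utf8(serialize_secret(&key, true)).unwrap());
}
```
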
serdect is tested against the following crates:
- bincode v1
- ciborium v0.2
- rmp-serde v1
- serde-json-core v0.5
- serde-json v1
- toml v0.7
Rust 1.70 or newer.
In the future, we reserve the right to change MSRV (i.e. MSRV is out-of-scope for this crate's SemVer guarantees), however when we do it will be accompanied by a minor version bump.
Licensed under either of:
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.