Notes on adding cutting edge features

As we've stated in the past, the Themis library grew out of our own needs for a secure, efficient and convenient cryptographic library. While providing abstracted high-level services, Themis uses trusted, well established implementations of cryptographic primitives such as those provided by LibreSSL/OpenSSL or platform native cryptography providers.

With the upcoming v0.9.2 release of the Themis library, we will be announcing a new set of features called "Secure Comparator". As distinct from the current set of Themis functions, Secure Comparator not only uses existing implementations of cryptographic math but also our own in house developments - as we could find no suitable public implementations for some of operations with ECC curve ed25519.

While we are excited and quietly confident that Secure Comparator will offer a real step forward for the Themis library, we are also profoundly aware that traditions of cryptographic community require peer review of formal descriptions and code implementations for something to be trusted. Since Secure Comparator has in no way had the scrutiny or community validation required for it to be considered stable or production ready, we decided to ship Secure Comparator in safe form, which encourages evaluation, scientific validation and code assessment, but does limit it's influence on main product code.

After much debate and weighing the choices, we've chosen to include Secure Comparator in the main Themis repository. As you may now expect to see Secure Comparator implementation in the source code, the purpose of this note is to explain how the "cutting edge" Secure Comparator features are maintained separately from the existing set of stable and secure Themis functions.

By default Themis builds entirely without Secure Comparator. Building Themis with Secure Comparator is also supported and we hope that the interested (and cautious) amongst you will examine the source code do just that. Specifically:

  • The default makefile excludes Secure Comparator from the build.
  • All Secure Comparator source code is implemented in separate files. These are included in the build if and only if special make directives are applied.
  • When Themis is built to include Secure Comparator, an entirely separate binary is generated to avoid any potential confusion with the stable version.

To learn more about Secure Comparator and why we are excited about these features, stay tuned for the scientific paper and developer presentation dedicated to Secure Comparator that we'll be releasing over the coming weeks.

Copyright © 2014-2017 Cossack Labs Limited
Cossack Labs is a privately-held British company with a team of data security experts based in Kyiv, Ukraine.