What it is

gm-crypto-rs implements GB/T 32905 (SM3 hash), GB/T 32918 (SM2 public-key sign / verify / encrypt / decrypt), and GB/T 32907 (SM4 block cipher) in pure Rust. The crate graph is no_std + alloc, builds on wasm32-unknown-unknown, and ships implementations of the RustCrypto digest, mac, and cipher traits.

What's different about it

Other Rust SM2 crates exist — RustCrypto's sm2 is the most established, and its design aims for constant-time handling of secret-dependent operations. The differentiator here isn't design intent on its own. It's an in-CI regression gate that catches a timing leak the moment it shows up, instead of relying on review to assert its absence.

Fifteen secret-touching code paths run under a dudect-bencher harness on every CI run, gated at |τ| < 0.20: SM2 sign, SM2 decrypt, SM4 key schedule, SM4 encrypt (under both the default linear-scan and the bitsliced SIMD S-box), HMAC-SM3, encrypted-PKCS#8 decrypt, and direct Fn::invert / Fp::invert diagnostics. The harness reports detection events: a low |τ| means the test couldn't detect a leak with the budget given, not that no leak exists. That wording is taken directly from dudect-bencher's own docs.
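How such a gate tells a leaky path from a constant-time one, as an added illustration that is not the project's code and does not use dudect-bencher itself: two input classes (one fixed input, one stream of random inputs) are measured and their samples compared with Welch's t-test. Here a deterministic operation count stands in for the cycle counter, the two comparison functions and SECRET are constructed for the example, and 0.20 is the threshold quoted above.

```rust
const GATE: f64 = 0.20; // threshold as quoted for the project's CI gate (|tau| < 0.20)
const SECRET: [u8; 16] = [0x5a; 16]; // constructed secret for the comparisons under test
/// Early-exit comparison: stops at the first mismatch, so its cost depends on the data.
fn leaky_eq(secret: &[u8], guess: &[u8]) -> (bool, u64) {
    let mut cost = 0;
    for (s, g) in secret.iter().zip(guess) {
        cost += 1;
        if s != g { return (false, cost); }
    }
    (true, cost)
}

/// Constant-time comparison: every byte is touched, so the cost is data-independent.
fn ct_eq(secret: &[u8], guess: &[u8]) -> (bool, u64) {
    let (mut diff, mut cost) = (0u8, 0);
    for (s, g) in secret.iter().zip(guess) {
        cost += 1;
        diff |= s ^ g;
    }
    (diff == 0, cost)
}

/// Welch's t statistic between the two classes (dudect's first-order test). Real cycle
/// counts always carry noise; op counts can give zero variance in both classes, so handle it.
fn welch_t(a: &[f64], b: &[f64]) -> f64 {
    let mean = |s: &[f64]| s.iter().sum::<f64>() / s.len() as f64;
    let var = |s: &[f64], m: f64| s.iter().map(|x| (x - m) * (x - m)).sum::<f64>() / (s.len() - 1) as f64;
    let (ma, mb) = (mean(a), mean(b));
    let denom = (var(a, ma) / a.len() as f64 + var(b, mb) / b.len() as f64).sqrt();
    if denom == 0.0 { if ma == mb { 0.0 } else { f64::INFINITY } } else { (ma - mb) / denom }
}

/// |t| for `f` over `n` calls per class. Class 0 feeds the fixed input (the secret itself,
/// so the leaky path runs to the end); class 1 feeds xorshift64 pseudo-random guesses.
fn leak_score(f: fn(&[u8], &[u8]) -> (bool, u64), n: usize) -> f64 {
    let mut rng: u64 = 0x9e37_79b9_7f4a_7c15; // fixed seed keeps the run reproducible
    let (mut fixed, mut random) = (Vec::with_capacity(n), Vec::with_capacity(n));
    for _ in 0..n {
        rng ^= rng << 13; rng ^= rng >> 7; rng ^= rng << 17;
        let mut guess = [0u8; 16];
        for (i, b) in guess.iter_mut().enumerate() { *b = (rng >> (i * 4)) as u8; }
        fixed.push(f(&SECRET, &SECRET).1 as f64);
        random.push(f(&SECRET, &guess).1 as f64);
    }
    welch_t(&fixed, &random).abs()
}
fn main() {
    println!("leaky_eq |t| = {:.1}, ct_eq |t| = {:.1} (gate {GATE})", leak_score(leaky_eq, 4000), leak_score(ct_eq, 4000));
}
```

With real cycle counts both classes carry noise, so a real harness needs far more samples and, as the text says, a low |t| only means nothing was detected within the budget.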

Safety posture

  • #![forbid(unsafe_code)] on gmcrypto-core.
  • All SIMD unsafe code is quarantined in the sibling crate gmcrypto-simd, opt-in via the sm4-bitsliced-simd feature.
  • Constant-time arithmetic via subtle and crypto-bigint 0.7.
  • Secret material zeroized on drop via zeroize.

Where the throughput came from

v0.5 → v0.6 was a SIMD arc. v0.5.0 shipped the scaffolding; v0.5.1 added an AVX2 sbox_x8; v0.6.0 widened that to sbox_x32 on AVX2 and added a NEON sbox_x16 on aarch64, with a CBC-decrypt fanout that keeps the per-block latency hidden behind the parallel S-box. v0.7 (now in flight) builds the first user-callable cipher modes on top of that.

Status

  • v0.6.0: Shipped 2026-05-14 — AVX2 sbox_x32, NEON sbox_x16, CBC-decrypt fanout.
  • v0.7.0: In flight — cipher modes. Five PRs stacked; ship target 2026-05-15.
  • v0.8.0: Planned — AEAD: SM4-GCM and SM4-CCM, per docs/v0.7-aead-scope.md.
  • v0.9+: Research — pinned dudect runner, streaming AEAD, AVX-512 16-way sbox_x64, RustCrypto 0.11 / 0.5 / 0.6 trait migrations.

What it isn't

  • Not a TLS/TLCP implementation.
  • Not SM9, ZUC, or post-quantum.
  • Not an HSM / SDF / SKF integration.
  • Not a certified cryptographic module.
  • Not constant-time on CPUs with data-dependent multiply latencies (some older x86, some embedded).

Personal project. Not affiliated with, endorsed by, sponsored by, or certified by any upstream cryptography project, payment gateway, standards body, or vendor.