RustCrypto · tarcieri · Nov 2, 2025 · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/bignp256/Cargo.toml b/bignp256/Cargo.toml
@@ -34,6 +34,7 @@ primefield = { version = "0.14.0-rc.0", optional = true }
 primeorder = { version = "0.14.0-rc.0", optional = true }
 sec1 = { version = "0.8.0-rc.9", optional = true }
 signature = { version = "3.0.0-rc.4", optional = true }
+subtle = { version = "2.6", default-features = false, optional = true }
 
 [dev-dependencies]
 criterion = "0.7"
@@ -50,7 +51,7 @@ std = ["alloc", "elliptic-curve/std"]
 
 arithmetic = ["dep:primefield", "dep:primeorder", "elliptic-curve/arithmetic"]
 bits = ["arithmetic", "elliptic-curve/bits"]
-ecdsa = ["arithmetic", "dep:rfc6979", "dep:signature", "dep:belt-hash"]
+ecdsa = ["arithmetic", "dep:rfc6979", "dep:signature", "dep:belt-hash", "dep:subtle"]
 pem = ["pkcs8/pem", "sec1/pem"]
 pkcs8 = ["dep:pkcs8"]
 ecdh = ["arithmetic", "elliptic-curve/ecdh", "dep:digest", "dep:hkdf", "dep:hmac", "dep:belt-hash", "alloc"]

diff --git a/bignp256/src/ecdh.rs b/bignp256/src/ecdh.rs
@@ -22,22 +22,13 @@
 //! [AKE]: https://en.wikipedia.org/wiki/Authenticated_Key_Exchange
 //! [SIGMA]: https://www.iacr.org/cryptodb/archive/2003/CRYPTO/1495/1495.pdf
 
-// use crate::{
-//     point::AffineCoordinates, AffinePoint, Curve, CurveArithmetic, FieldBytes, NonZeroScalar,
-//     ProjectivePoint, PublicKey,
-// };
-// use core::borrow::Borrow;
-// use digest::{crypto_common::BlockSizeUser, Digest};
-// use group::Curve as _;
-// use hkdf::{hmac::SimpleHmac, Hkdf};
-// use rand_core::CryptoRngCore;
-// use zeroize::{Zeroize, ZeroizeOnDrop};
-
 use crate::{AffinePoint, FieldBytes, NonZeroScalar, ProjectivePoint, PublicKey};
-use belt_hash::BeltHash;
 use core::borrow::Borrow;
-use elliptic_curve::point::AffineCoordinates;
-use elliptic_curve::zeroize::{Zeroize, ZeroizeOnDrop};
+use digest::{Digest, block_api::BlockSizeUser};
+use elliptic_curve::{
+    point::AffineCoordinates,
+    zeroize::{Zeroize, ZeroizeOnDrop},
+};
 use hkdf::Hkdf;
 use hmac::SimpleHmac;
 use rand_core::CryptoRng;
@@ -161,7 +152,7 @@ impl SharedSecret {
     /// random values which are suitable as key material.
     ///
     /// The `D` type parameter is a cryptographic digest function.
-    /// `sha2::Sha256` is a common choice for use with HKDF.
+    /// `belt_hash::BeltHash` is a common choice for use with HKDF.
     ///
     /// The `salt` parameter can be used to supply additional randomness.
     /// Some examples include:
@@ -174,7 +165,10 @@ impl SharedSecret {
     /// material.
     ///
     /// [HKDF]: https://en.wikipedia.org/wiki/HKDF
-    pub fn extract(&self, salt: Option<&[u8]>) -> Hkdf<BeltHash, SimpleHmac<BeltHash>> {
+    pub fn extract<D>(&self, salt: Option<&[u8]>) -> Hkdf<D, SimpleHmac<D>>
+    where
+        D: BlockSizeUser + Clone + Digest,
+    {
         Hkdf::new(salt, &self.secret_bytes)
     }
 

diff --git a/bignp256/src/ecdsa/signing.rs b/bignp256/src/ecdsa/signing.rs
@@ -101,12 +101,11 @@ impl SigningKey {
 //
 
 impl PrehashSigner<Signature> for SigningKey {
-    #[allow(deprecated)] // clone_from_slice
     fn sign_prehash(&self, prehash: &[u8]) -> Result<Signature> {
         if prehash.len() != <BignP256 as Curve>::FieldBytesSize::USIZE {
             return Err(Error::new());
         }
-        let mut h_word: Array<u8, U32> = Array::clone_from_slice(prehash);
+        let mut h_word: Array<u8, U32> = Array::try_from(prehash).map_err(|_| Error::new())?;
         h_word.reverse();
 
         let h = Scalar::reduce(&h_word);

diff --git a/bignp256/src/ecdsa/verifying.rs b/bignp256/src/ecdsa/verifying.rs
@@ -34,6 +34,7 @@ use elliptic_curve::{
 use signature::{Error, MultipartVerifier, Result, Verifier, hazmat::PrehashVerifier};
 
 use elliptic_curve::sec1::ToEncodedPoint;
+use subtle::ConstantTimeEq;
 
 /// Bign256 public key used for verifying signatures are valid for a given
 /// message.
@@ -152,7 +153,7 @@ impl PrehashVerifier<Signature> for VerifyingKey {
         s0.reverse();
 
         // 8. If 𝑆0 != 𝑡, return NO.
-        if s0 == &t.as_slice()[..16] {
+        if s0.ct_eq(&t.as_slice()[..16]).into() {
             // 9. Return YES.
             Ok(())
         } else {

diff --git a/bignp256/src/secret_key.rs b/bignp256/src/secret_key.rs
@@ -90,8 +90,7 @@ impl SecretKey {
     /// sidechannel, always ensure that the input has been pre-padded to `C::FieldBytesSize`.
     pub fn from_slice(slice: &[u8]) -> Result<Self> {
         if slice.len() == <BignP256 as elliptic_curve::Curve>::FieldBytesSize::USIZE {
-            #[allow(deprecated)]
-            Self::from_bytes(FieldBytes::from_slice(slice))
+            Self::from_bytes(&FieldBytes::try_from(slice).map_err(|_| Error)?)
         } else if (Self::MIN_SIZE..<BignP256 as elliptic_curve::Curve>::FieldBytesSize::USIZE)
             .contains(&slice.len())
         {