User managed secret-memory

[koraa]

One of the goals in Rosenpass was to allow using custom allocators for secret memory. Right now we are using sodium_malloc/sodium_free for instance.

Due to the reliance on a C library (libsodium) this is not a perfect choice, but allowing user-managed memory is still useful to comprehensively support features like zeroization.

In Rosenpass we opt for a low-level solution, passing all memory as slices:

pub trait KEM {
    const SK_LEN: usize;
    const PK_LEN: usize;
    const CT_LEN: usize;
    const SHK_LEN: usize;

    fn keygen(sk: &mut [u8], pk: &mut [u8]) -> Result<(), RosenpassError>;
    fn encaps(shk: &mut [u8], ct: &mut [u8], pk: &[u8]) -> Result<(), RosenpassError>;
    fn decaps(shk: &mut [u8], sk: &[u8], ct: &[u8]) -> Result<(), RosenpassError>;
}

A more comprehensive solution might involve the use of a custom allocation.

We should figure out a way to enable user-controlled secret allocation in HPKE!

[rozbb]

This is a great point, thank you. I think a reasonable way to go about this is to change the KEM API to take mutable refs to the output slice, as you suggest. It's not as clean, but I don't see a better way at the moment