{"id":51539906,"url":"https://github.com/mytechnotalent/encryption-c-rp2350","last_synced_at":"2026-07-09T13:00:16.583Z","repository":{"id":370044337,"uuid":"1292968201","full_name":"mytechnotalent/encryption-c-rp2350","owner":"mytechnotalent","description":"A 100% strict, RP2350 Embedded C implementation of the Ouroboros cryptographic authentication engine, maintaining constant-time execution.","archived":false,"fork":false,"pushed_at":"2026-07-08T03:50:29.000Z","size":3968,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-08T04:08:09.957Z","etag":null,"topics":["c","embedded","encrypt","encryption","encryption-algorithms","encryption-decryption","ouroboros","pico2","raspberry-pi","raspberrypi","rp2350"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mytechnotalent.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-07-08T02:15:24.000Z","updated_at":"2026-07-08T03:51:49.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mytechnotalent/encryption-c-rp2350","commit_stats":null,"previous_names":["mytechnotalent/encryption-c-rp2350"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/mytechnotalent/encryption-c-rp2350","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mytechnotalent%2Fencryption-c-rp2350","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mytechnotalent%2Fencryption-c-rp2350/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mytechnotalent%2Fencryption-c-rp2350/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mytechnotalent%2Fencryption-c-rp2350/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mytechnotalent","download_url":"https://codeload.github.com/mytechnotalent/encryption-c-rp2350/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mytechnotalent%2Fencryption-c-rp2350/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35299763,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-09T02:00:07.329Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","embedded","encrypt","encryption","encryption-algorithms","encryption-decryption","ouroboros","pico2","raspberry-pi","raspberrypi","rp2350"],"created_at":"2026-07-09T13:00:14.832Z","updated_at":"2026-07-09T13:00:16.100Z","avatar_url":"https://github.com/mytechnotalent.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"![encryption-c-rp2350](https://raw.githubusercontent.com/mytechnotalent/encryption-c-rp2350/main/encryption-c-rp2350.png)\n\n## FREE Reverse Engineering Self-Study Course [HERE](https://github.com/mytechnotalent/encryption-c-rp2350)\n\n\u003cbr\u003e\n\n# encryption-c-rp2350\n\n`encryption-c-rp2350` is bare-metal Pico 2 firmware for hardened Ouroboros: 12-word lowercase passphrases, Argon2id/XChaCha20-Poly1305, and GPIO25/UART dispatch.\n\n## Highlights\n\n- RP2350 firmware build using the Pico SDK\n- Strict 12-word lowercase passphrase policy\n- Argon2id key derivation with generated artifact parameters\n- XChaCha20-Poly1305 payload decryption\n- GPIO25 LED control from payload byte `0`\n- UART output from payload bytes `1..7`\n- Host generator writes both JSON and generated firmware header\n\n## Getting Started\n\nBecause `encryption-c-rp2350` is a bare-metal Pico SDK firmware project, you need the RP2350 toolchain installed on your system.\n\n### 1. Install Toolchain Prerequisites\n\n- Pico SDK 2.2.0+\n- ARM GNU toolchain (`arm-none-eabi`)\n- CMake and Ninja\n- Python 3.x\n\n**Linux:**\n\n```bash\nexport PICO_SDK_PATH=\"$HOME/.pico-sdk/sdk/2.2.0\"\n```\n\n**macOS:**\n\n```bash\nbrew install cmake ninja arm-none-eabi-gcc python\nexport PICO_SDK_PATH=\"$HOME/.pico-sdk/sdk/2.2.0\"\n```\n\n**Windows:**\n\nInstall PowerShell, Visual Studio Build Tools, CMake, Ninja, Python 3, and the ARM embedded toolchain. The provided build script configures the MSVC environment automatically.\n\n### 2. Build the Firmware\n\n```bash\nmkdir -p build \u0026\u0026 cmake -S . -B build -G Ninja -DPICO_BOARD=pico2 -DPICO_PLATFORM=rp2350-arm-s \u0026\u0026 cmake --build build\n```\n\nBuild-time artifact guardrail:\n\n- The build regenerates `demo_artifact.h` from `scripts/demo_artifact.json` before compiling.\n- The build fails if committed `include/demo_artifact.h` is stale relative to the JSON artifact.\n\nGenerated outputs:\n\n- `build/encryption_app.elf`\n- `build/encryption_app.uf2`\n\n### 3. Flash the RP2350\n\n**picotool:**\n\n```bash\n\"$HOME/.pico-sdk/picotool/2.2.0-a4/picotool/picotool\" load build/encryption_app.uf2 -f \u0026\u0026 \"$HOME/.pico-sdk/picotool/2.2.0-a4/picotool/picotool\" reboot\n```\n\n**BOOTSEL mode:**\n\n```bash\ncp build/encryption_app.uf2 /Volumes/RP2350/\n```\n\n### 4. Open the UART Demo\n\nAfter flashing, connect a serial terminal at `115200` baud.\n\n| Platform | Command |\n| --- | --- |\n| macOS | `screen /dev/tty.usbserial-* 115200` |\n| Linux | `screen /dev/ttyACM0 115200` |\n| Windows | PuTTY or another serial terminal |\n\nThe firmware prints a policy hint and then a `\u003e ` prompt.\n\n## Running the Demo\n\nThe RP2350 firmware enforces the same strict passphrase policy as the Rust hardened demo: Enter exactly 12 lowercase words under ASCII-whitespace normalization (spaces/tabs/newlines). Inputs like `hello`, empty lines, or non-policy strings are rejected with a policy hint.\n\nSuccessful decrypt also requires that your input exactly matches the passphrase used to generate the current `scripts/demo_artifact.json` and `include/demo_artifact.h` pair.\n\nIf you generated the artifact with the default README command, enter this exact 12-word phrase:\n\n```text\norbit olive ladder marble quartz canyon ripple saddle violet ember walnut falcon\n```\n\nOn success:\n\n- GPIO25 is driven high\n- UART prints `hello` followed by CRLF\n\nIf the passphrase violates policy, the firmware prints:\n\n```text\nEnter exactly 12 lowercase words separated by spaces.\n```\n\nIf your artifact was generated with a different passphrase, this phrase will return:\n\n```text\nAuthentication failed.\n```\n\nExpected behavior summary:\n\n```text\ncorrect phrase for current artifact -\u003e GPIO25 on + hello\nwrong phrase for current artifact   -\u003e Authentication failed.\n```\n\n## Hardened Construction\n\nThis firmware now implements the hardened Ouroboros construction:\n\n- Argon2id key derivation\n- 16-byte random salt\n- 24-byte XChaCha20 nonce\n- XChaCha20-Poly1305 authenticated decryption\n- fixed 48-byte payload dispatch\n\nThe JSON artifact schema matches the Rust repo:\n\n- `format`\n- `memory_kib`\n- `iterations`\n- `parallelism`\n- `salt_hex`\n- `nonce_hex`\n- `ciphertext_and_tag_hex`\n\nImportant: the RP2350 cannot run the Rust repo's 1 GiB desktop demo profile in SRAM. This repo uses the same algorithm and artifact shape, but the checked-in embedded profile is calibrated for the microcontroller:\n\n- `memory_kib: 64`\n- `iterations: 3`\n- `parallelism: 1`\n\nThat is an implementation constraint of the hardware, not a change in the cryptographic construction.\n\n## Generating Hardened Demo Artifacts\n\nThe `scripts/dec.py` script is hardened-only and writes both:\n\n- `scripts/demo_artifact.json`\n- `include/demo_artifact.h`\n\nWhy those byte arrays are compiled into firmware:\n\n- RP2350 firmware has no runtime JSON parser/filesystem in this demo path.\n- `include/demo_artifact.h` is generated from the JSON artifact so the exact salt, nonce, and ciphertext/tag bytes are embedded in flash.\n- This is provisioned data, not hand-written cryptographic constants; regenerate with `scripts/dec.py` whenever rotating passphrase or payload.\n\nRun it with a strict 12-word lowercase passphrase:\n\n```bash\npython3 scripts/dec.py --key \"orbit olive ladder marble quartz canyon ripple saddle violet ember walnut falcon\" --text \"hello\"\n```\n\nBy default this updates the embedded JSON artifact and the generated firmware header directly (no manual copy/paste needed).\n\nTo sync the committed header from an existing JSON artifact without re-encrypting:\n\n```bash\npython3 scripts/dec.py --from-json scripts/demo_artifact.json --header-out include/demo_artifact.h\n```\n\n`dec.py` enforces the same passphrase policy as the firmware: exactly 12 lowercase words under ASCII-whitespace normalization.\n\nIf your local `.venv` has native-extension architecture mismatch errors (for example, `_cffi_backend` incompatible architecture), rebuild it first:\n\n```bash\nrm -rf .venv\npython3 -m venv .venv\nsource .venv/bin/activate\npython3 -m pip install -U pip setuptools wheel\npython3 -m pip install argon2-cffi pynacl\n```\n\nOtherwise, install required Python packages first:\n\n```bash\npython3 -m pip install argon2-cffi pynacl\n```\n\nYou can override the output paths if needed:\n\n```bash\npython3 scripts/dec.py --key \"\u003c12 lowercase words\u003e\" --text \"hello\" --out scripts/demo_artifact.json --header-out include/demo_artifact.h\n```\n\nThen rebuild and flash:\n\n```bash\ncmake -S . -B build -G Ninja -DPICO_BOARD=pico2 -DPICO_PLATFORM=rp2350-arm-s\ncmake --build build\n```\n\nPayload layout is fixed:\n\n- byte `0`: LED state (`1` on, `0` off)\n- bytes `1..7`: UART output bytes\n\nBy default, `dec.py` appends CRLF (`\\r\\n`) to `--text`, so output must fit within 7 bytes after that append. Use `--no-crlf` to keep the full 7-byte capacity for raw text.\n\n## Security Notes\n\nThe firmware does not contain a plaintext secret and does not bypass the entered phrase. To light GPIO25 and print the payload, an attacker still needs a passphrase that derives the correct key for the embedded artifact.\n\nImplementation-accurate claim boundary:\n\n- This demo enforces cryptographic gating in the intended firmware path (policy check + Argon2id + authenticated decryption before payload dispatch).\n- This demo does not claim full side-channel resistance or fault-injection resistance.\n- Branchless code alone is not sufficient to claim side-channel or fault resistance.\n\nScope boundary: claims here are limited to intended execution with unmodified firmware; firmware patching, instruction-level control, and active fault injection are out of scope.\n\nThe important variables are:\n\n- passphrase entropy\n- Argon2id work factor\n- physical extraction and side-channel assumptions for the device\n\n### Side-Channel and Fault Hardening Checklist\n\nUse this checklist before making stronger claims than \"cryptographically gated demo path\":\n\n- Enable secure boot / signed image verification so patched firmware cannot run.\n- Lock debug/programming interfaces in production lifecycle states.\n- Add voltage/clock/temperature glitch detection and safe-fail behavior.\n- Use constant-time verification paths where applicable and avoid secret-dependent early exits.\n- Add redundant checks or control-flow integrity for critical auth decisions.\n- Minimize secret lifetime in RAM and verify compiler-retained zeroization.\n- Perform hardware side-channel and fault-injection testing on target boards.\n- Get third-party security review before claiming resistance properties.\n\n### Quantum Threat Model\n\nShort answer: **not in the strict post-quantum-cryptography (PQC) sense**.\n\n- This framework does not implement a NIST PQC KEM or signature scheme.\n- Security here is symmetric-key plus password-guessing cost.\n- Against Grover-style brute force, symmetric search exponents are roughly halved.\n\nSo the right claim is: **high modeled brute-force cost under stated entropy and KDF assumptions**, not \"quantum-proof.\"\n\n### Crack-Time Math (Reference Row)\n\nThe hardened framework uses the same reference entropy row and the same classical versus optimistic Grover-style formulas as the Rust repo:\n\n```text\nT_avg_classical_years = 2^(H-1) / (r * 31,557,600)\nT_avg_quantum_years   = 2^(H/2 - 1) / (r_q * 31,557,600)\n```\n\nFor the 12-word Diceware policy reference row:\n\n- `H ≈ 155.1`\n- `r = 0.1/s`\n- `r_q = 0.1/s`\n- Classical: `~7.76e39 years`\n- Quantum (optimistic Grover model): `~3.51e16 years`\n\nAge-of-universe comparison (`≈ 1.38e10 years`):\n\n- Classical ratio: `~5.6e29`\n- Quantum ratio: `~2.5e6`\n\nImportant: those are the same paper-standard reference numbers used in the Rust repo. They are not a measured claim that the RP2350's checked-in `memory_kib: 64` profile has the same real-world per-guess cost as the Rust repo's 1 GiB desktop demo profile.\n\n#### Reproducibility Snippet\n\n```python\nSECONDS_PER_YEAR = 365.25 * 24 * 3600\n\ndef avg_years_classical(H, r):\n\treturn 2 ** (H - 1) / (r * SECONDS_PER_YEAR)\n\ndef avg_years_quantum(H, r_q):\n\treturn 2 ** (H / 2 - 1) / (r_q * SECONDS_PER_YEAR)\n\nprint(avg_years_classical(155.1, 0.1))\nprint(avg_years_quantum(155.1, 0.1))\n```\n\nThis project is a demonstrator firmware, not a third-party audited security product or formal security proof.\n\n## Project Layout\n\n- `src/main.c`: firmware entry point\n- `src/cli.c`: UART prompt and passphrase handling\n- `src/auth.c`: Argon2id + XChaCha20-Poly1305 authentication path\n- `src/mbedtls_shims.c`: minimal zeroize shim for the AEAD subset\n- `include/auth.h`: public auth API and constants\n- `include/demo_artifact.h`: generated artifact header consumed by firmware\n- `scripts/dec.py`: hardened artifact generator\n- `scripts/demo_artifact.json`: JSON source-of-truth artifact\n- `paper.typ`: hardened paper\n\n\u003cbr\u003e\n\n## License\n\nMIT — see [LICENSE](LICENSE).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmytechnotalent%2Fencryption-c-rp2350","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmytechnotalent%2Fencryption-c-rp2350","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmytechnotalent%2Fencryption-c-rp2350/lists"}