{"id":13812921,"url":"https://github.com/teslamotors/liblithium","last_synced_at":"2025-05-14T22:31:19.256Z","repository":{"id":38051578,"uuid":"399265071","full_name":"teslamotors/liblithium","owner":"teslamotors","description":"A lightweight and portable cryptography library","archived":false,"fork":false,"pushed_at":"2024-12-14T04:09:59.000Z","size":425,"stargazers_count":315,"open_issues_count":0,"forks_count":21,"subscribers_count":16,"default_branch":"main","last_synced_at":"2025-04-30T14:58:26.288Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/teslamotors.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-23T22:32:44.000Z","updated_at":"2025-02-12T13:57:10.000Z","dependencies_parsed_at":"2024-03-19T02:25:21.508Z","dependency_job_id":"a92f7572-1a48-4aa9-9933-31b0a8d7f1ad","html_url":"https://github.com/teslamotors/liblithium","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/teslamotors%2Fliblithium","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/teslamotors%2Fliblithium/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/teslamotors%2Fliblithium/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/teslamotors%2Fliblithium/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/teslamotors","download_url":"https://codeload.github.com/teslamotors/liblithium/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254239540,"owners_count":22037722,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T04:00:58.021Z","updated_at":"2025-05-14T22:31:14.228Z","avatar_url":"https://github.com/teslamotors.png","language":"C","funding_links":[],"categories":["Cryptography"],"sub_categories":["General"],"readme":"[![TrustInSoft CI](https://ci.trust-in-soft.com/projects/teslamotors/liblithium.svg?branch=main)](https://ci.trust-in-soft.com/projects/teslamotors/liblithium)\n\n![Lithium](lithium.svg)\n\n# liblithium\n\nliblithium is a lightweight cryptography library that is portable by design. It\nrequires only standard C99 and does not assume 8-bit addressability, making it\nsuitable for use on some DSP architectures as well as mainstream architectures.\n\nliblithium is built on the [Gimli permutation](https://gimli.cr.yp.to/) and\nX25519 signatures. The Gimli permutation and the Gimli-Hash function are\ndesigned to be high-performance and to have an extremely small footprint.\nX25519 signatures are related to the more common ed25519 signatures used by\n[NaCl](https://nacl.cr.yp.to/) and others, but use only the x-coordinate of\nelliptic curve points, a technique pioneered in the paper [\"Fast and compact\nelliptic-curve cryptography\"](https://www.shiftleft.org/papers/fff/) and\nimplemented in the [STROBE project](https://sourceforge.net/projects/strobe/).\nThis technique greatly reduces the code size required for creating and\nverifying signatures. liblithium's X25519 implementation is derived from\nSTROBE.\n\n# Compiling\n\nWhile you can embed liblithium in many environments, the library comes with a\nSConstruct file for building using scons by default.\n\nYou can also use the [`docker.bash`](docker.bash) script that will build a\ndocker image with the necessary build dependencies and run a container.\nFrom within this container, run `scons`.\n\n# What you can use liblithium for\n\nliblithium is particularly well-suited for constrained environments and\nlow-power microcontrollers due to its very small footprint and limited\nprocessing requirements. This makes liblithium a great candidate for\nimplementing signed firmware updates on embedded electronics that have no\nsecure boot functionality.\n\n## Basics of using liblithium for signed updates\n\nBefore anything else, you should ensure that all debug ports (e.g., JTAG) on\nyour target MCU are disabled, since those can be used to circumvent\nsoftware-only signature verification.\n\nSignature verification should ideally be implemented in the bootloader, either\nat boot time, or only at firmware update time if boot speed is critical.\nNote that for update-time-only checks, this mechanism will only be effective\nfor MCUs where the entire application is stored in internal flash and protected\nfrom read/write via a debugger (see statement on JTAG lock above).\n\nThe bootloader must contain the public key that will be used for signature\nverification. The corresponding secret key must be kept confidential and will\nbe used for signing firmware update binaries.\n\nIn order for the signature verification process to be effective, the entire\nfirmware binary should be signed (not only the header or a subset of the\nfirmware).\n\nSince signature verification can be done continuously during data reception by\nthe update process, it makes sense to append the signature at the end of the\nfirmware binary, since the signature is required at that point for final\nverification.\n\n# Examples\n\n## Generating a signature\n\nYou can refer to [`examples/lith-sign.c`](examples/lith-sign.c) for an example\nof how to sign a binary blob with a secret key.\n\nThree calls only are required to implement this:\n\n- `lith_sign_init(\u0026state);` : initializes the liblithium library state (state\n  is a `lith_sign_state`)\n- `lith_sign_update(\u0026state, msg, len);` : updates the liblithium\n  state for each data block that is being read\n- `lith_sign_final_create(\u0026state, sig, secret_key);` : is called once all the\n  data is received, and generates the signature using the secret key.\n\n## Verifying a signature\n\nYou can refer to [`examples/lith-verify.c`](examples/lith-verify.c) for an\nexample of how to verify the signature of a binary blob against a public key.\n\nThree calls only are required to implement this:\n\n- `lith_sign_init(\u0026state);` : initializes the liblithium state (state is\n   a `lith_sign_state`)\n- `lith_sign_update(\u0026state, msg, len);` : updates the liblithium\n  state for each data block that is being read (for instance when\n  reading a file, or receiving data over a serial bus)\n- `lith_sign_final_verify(\u0026state, sig, public_key);` : is called once all the\n  data and the signature are received, and verifies the signature against the\n  public key.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fteslamotors%2Fliblithium","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fteslamotors%2Fliblithium","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fteslamotors%2Fliblithium/lists"}