https://github.com/kamil-kielbasa/libedhoc
EDHOC (RFC 9528): Lightweight authenticated key exchange in C for IoT and constrained devices
https://github.com/kamil-kielbasa/libedhoc
authentication c coap constrained-devices cryptography edhoc embedded ietf iot key-exchange oscore rfc9528 rfc9529 security zephyr
Last synced: 2 months ago
JSON representation
EDHOC (RFC 9528): Lightweight authenticated key exchange in C for IoT and constrained devices
- Host: GitHub
- URL: https://github.com/kamil-kielbasa/libedhoc
- Owner: kamil-kielbasa
- License: mit
- Created: 2024-04-01T12:20:54.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2026-02-27T18:35:55.000Z (4 months ago)
- Last Synced: 2026-02-27T21:43:12.081Z (4 months ago)
- Topics: authentication, c, coap, constrained-devices, cryptography, edhoc, embedded, ietf, iot, key-exchange, oscore, rfc9528, rfc9529, security, zephyr
- Language: C
- Homepage:
- Size: 6.13 MB
- Stars: 14
- Watchers: 3
- Forks: 3
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.rst
- License: LICENSE
Awesome Lists containing this project
README
[](https://github.com/kamil-kielbasa/libedhoc/actions/workflows/ci-linux.yml)
[](https://github.com/kamil-kielbasa/libedhoc/actions/workflows/ci-zephyr.yml)
[](https://github.com/kamil-kielbasa/libedhoc/actions/workflows/ci-sandbox.yml)
[](https://github.com/kamil-kielbasa/libedhoc/actions/workflows/ci-docs.yml)
[](https://codecov.io/gh/kamil-kielbasa/libedhoc)
# libedhoc
A C implementation of the Ephemeral Diffie-Hellman Over COSE (EDHOC) protocol — a lightweight authenticated key exchange designed for constrained devices. EDHOC provides mutual authentication, forward secrecy, and identity protection. Standardized by the IETF as [RFC 9528](https://datatracker.ietf.org/doc/html/rfc9528), verified against [RFC 9529](https://datatracker.ietf.org/doc/html/rfc9529) test vectors.
## Features
- Context-based API with safe access control using context handles
- CoAP-friendly message composition and processing
- OSCORE session export for establishing secure communication channels
- Separate interfaces for cryptographic keys, operations, credentials, and EAD
- Private keys accessible only by identifier; raw key material never exposed
- All CBOR encoding/decoding encapsulated and hidden from the user
- Stack-only allocations using VLA; no heap required
- Native Zephyr RTOS support with west manifest integration
- Verified with cppcheck, clang-tidy, ASan, UBSan, Valgrind, and LibFuzzer
### Cipher Suites
| Suite | AEAD | Hash | ECDH | Signature |
|-------|-------------------|---------|---------|-----------|
| 0 | AES-CCM-16-64-128 | SHA-256 | X25519 | EdDSA |
| 2 | AES-CCM-16-64-128 | SHA-256 | P-256 | ES256 |
### Authentication Methods
All four EDHOC authentication methods (0–3) are supported, combining Signature Keys and Static DH Keys for initiator and responder.
## Metrics
| Metric | Value |
|--------|-------|
| Line coverage | 92.8% |
| Function coverage | 100% |
| Test count | 635+ (unit, integration, fuzz) |
| Library flash footprint | ~20 KiB (cipher suite 2, P-256/ES256, native_sim) |
| Static RAM (data + bss) | 0 bytes (all state on stack) |
Coverage details on the [Codecov dashboard](https://codecov.io/gh/kamil-kielbasa/libedhoc). Memory and timing benchmarks available as [CI artifacts](../../actions/workflows/ci-zephyr.yml).
## Documentation
Full documentation including API reference, build instructions, configuration, and testing guide:
## Contributing
Contributions are welcome. To contribute:
1. Fork the repository and create a new branch.
2. Implement your feature or bugfix.
3. Write tests if applicable.
4. Open a pull request.
Please follow the existing code style and structure.
## License
MIT License. See the [LICENSE](LICENSE) file for details.
## Related Projects
- [node-edhoc](https://github.com/stoprocent/node-edhoc) — A TypeScript/Node.js implementation of EDHOC.
## Contact
email: kamkie1996@gmail.com