Skip to content

Document AES-128-CTR endianness in Eth2 keystore implementation #8620

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Copilot wants to merge 4 commits into from
Closed

Document AES-128-CTR endianness in Eth2 keystore implementation #8620

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0afa04e
Initial plan
Copilot Jan 2, 2026
3867c39
Add comprehensive documentation about AES-128-CTR endianness in Eth2 …
Copilot Jan 2, 2026
01254fa
Fix documentation placement - move endianness docs to module level
Copilot Jan 2, 2026
0f61833
Improve test based on code review feedback
Copilot Jan 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 41 additions & 2 deletions crypto/eth2_keystore/src/keystore.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,35 @@
//! Provides a JSON keystore for a BLS keypair, as specified by
//! [EIP-2335](https://eips.ethereum.org/EIPS/eip-2335).
//!
//! ## AES-128-CTR Endianness
//!
//! EIP-2335/ERC-2335 specifies the use of AES-128-CTR mode for encrypting the secret key material.
//! The specification references [RFC 3686](https://www.rfc-editor.org/rfc/rfc3686) which defines
//! the use of AES in Counter Mode.
//!
//! ### Counter Increment Endianness
//!
//! According to both NIST SP 800-38A and RFC 3686, the counter in CTR mode must be incremented
//! as a **big-endian** integer. This is critical for interoperability between different
//! implementations of EIP-2335 keystores.
//!
//! The Rust `aes` crate (version 0.7) with the `ctr` feature uses the RustCrypto `ctr` crate,
//! which correctly increments the counter in big-endian byte order by default. This matches
//! the requirements of:
//!
//! - **NIST SP 800-38A**: Defines CTR mode with big-endian counter increment
//! - **RFC 3686**: Specifies AES-CTR for IPsec with big-endian counter
//! - **EIP-2335/ERC-2335**: References RFC 3686 for AES-128-CTR implementation
//!
//! ### Implementation Notes
//!
//! The implementation in this crate uses `aes::Aes128Ctr` which provides the correct big-endian
//! counter behavior. The IV (initialization vector) provided in the keystore JSON is used as the
//! initial counter block value. For each 16-byte block encrypted, the counter is incremented by
//! one in big-endian format.
//!
//! This ensures that keystores created by Lighthouse are compatible with other Ethereum consensus
//! client implementations and can be correctly decrypted by any compliant EIP-2335 implementation.

use crate::Uuid;
use crate::derived_key::DerivedKey;
Expand Down Expand Up @@ -347,7 +377,11 @@ pub fn encrypt(
// Validate IV
validate_aes_iv(params.iv.as_bytes())?;

// AES Encrypt
// AES-128-CTR Encrypt
// Uses the first 16 bytes of the derived key as the AES-128 key.
// The IV (nonce) serves as the initial counter block value.
// The counter is incremented in big-endian byte order for each 16-byte block,
// as specified by NIST SP 800-38A and RFC 3686.
let key = GenericArray::from_slice(&derived_key.as_bytes()[0..16]);
let nonce = GenericArray::from_slice(params.iv.as_bytes());
let mut cipher = AesCtr::new(key, nonce);
Expand Down Expand Up @@ -393,7 +427,12 @@ pub fn decrypt(password: &[u8], crypto: &Crypto) -> Result<PlainText, Error> {
// Validate IV
validate_aes_iv(params.iv.as_bytes())?;

// AES Decrypt
// AES-128-CTR Decrypt
// Uses the first 16 bytes of the derived key as the AES-128 key.
// The IV (nonce) serves as the initial counter block value.
// The counter is incremented in big-endian byte order for each 16-byte block,
// as specified by NIST SP 800-38A and RFC 3686.
// Note: CTR mode encryption and decryption are identical operations.
let key = GenericArray::from_slice(&derived_key.as_bytes()[0..16]);
let nonce = GenericArray::from_slice(params.iv.as_bytes());
let mut cipher = AesCtr::new(key, nonce);
Expand Down
73 changes: 73 additions & 0 deletions crypto/eth2_keystore/tests/tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -301,3 +301,76 @@ fn normalization() {
assert_eq!(decoded_nfc.pk, keypair.pk);
assert_eq!(decoded_nfkd.pk, keypair.pk);
}

/// Test that verifies AES-128-CTR uses big-endian counter increment.
///
/// This test uses the official EIP-2335 test vectors to verify that the AES-128-CTR
/// implementation correctly uses big-endian byte order for counter incrementation.
/// The test vectors were specifically designed to validate compliance with RFC 3686
/// and NIST SP 800-38A, which both mandate big-endian counter behavior.
///
/// If the endianness were incorrect (e.g., using little-endian), this test would
/// fail because the decrypted secret would not match the expected value.
#[test]
fn aes_ctr_endianness_verification() {
// This test vector is from EIP-2335 specification
// Password: "testpassword" (from the simplified test in the spec)
let password = b"testpassword";

// Expected BLS secret key after decryption
let expected_secret_key =
hex::decode("000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f")
.expect("valid hex");

// EIP-2335 test vector with scrypt KDF
let keystore_json = r#"
{
"crypto": {
"kdf": {
"function": "scrypt",
"params": {
"dklen": 32,
"n": 262144,
"p": 1,
"r": 8,
"salt": "d4e56740f876aef8c010b86a40d5f56745a118d0906a34e69aec8c0db1cb8fa3"
},
"message": ""
},
"checksum": {
"function": "sha256",
"params": {},
"message": "149aafa27b041f3523c53d7acba1905fa6b1c90f9fef137568101f44b531a3cb"
},
"cipher": {
"function": "aes-128-ctr",
"params": {
"iv": "264daa3f303d7259501c93d997d84fe6"
},
"message": "54ecc8863c0550351eee5720f3be6a5d4a016025aa91cd6436cfec938d6a8d30"
}
},
"pubkey": "9612d7a727c9d0a22e185a1c768478dfe919cada9266988cb32359c11f2b7b27f4ae4040902382ae2910c15e2b420d07",
"uuid": "1d85ae20-35c5-4611-98e8-aa14a633906f",
"path": "",
"version": 4
}
"#;

let keystore = Keystore::from_json_str(keystore_json).expect("should parse keystore JSON");

let keypair = keystore
.decrypt_keypair(password)
.expect("should decrypt with correct password");

// Verify the decrypted secret key matches the expected value.
// This proves the AES-CTR counter is being incremented in big-endian format
// as required by NIST SP 800-38A and RFC 3686.
assert_eq!(
keypair.sk.serialize().as_ref(),
&expected_secret_key[..],
"Decrypted secret key must match expected value. \
Failure indicates non-compliance with NIST SP 800-38A and RFC 3686 \
big-endian counter increment requirement."
);
}