============================================== CCC Rust Implementation — Phase Tracking ============================================== :Last Updated: 2026-02-25 Legend ------ * ``[ ]`` Not started * ``[~]`` In progress * ``[x]`` Complete * ``[!]`` Blocked ---- Three-Milestone Overview ------------------------ ============= =================================== ============================ Milestone Repository Status ============= =================================== ============================ **1 (this)** ``ccc_rust`` Complete **2** ``ccc_cryptography`` Not started **3** ``letusmsg`` (existing app) Not started ============= =================================== ============================ Milestone 1 Verification Gate is now passing. Milestone 2 may begin when scheduled. Milestone 3 does not start until the Milestone 2 gate passes. ---- ============================================================ Milestone 1 — ``ccc_rust`` Pure Rust Crypto Library ============================================================ Phase 1 — Cargo Workspace Scaffold ---------------------------------- * ``[x]`` Create ``Cargo.toml`` (workspace manifest, 3 members — no bridge crate) * ``[x]`` Create ``rust-toolchain.toml`` (channel = "stable") * ``[x]`` Create ``.cargo/config.toml`` (cross-compile target aliases) * ``[x]`` Create ``vendors/README.md`` ---- Phase 2 — ``ccc-crypto-core`` Trait Crate ----------------------------------------- * ``[x]`` Create ``crates/ccc-crypto-core/Cargo.toml`` * ``[x]`` ``algorithms.rs`` — AeadAlgorithm, KdfAlgorithm, MacAlgorithm, HashAlgorithm, KemAlgorithm enums (values == cipher_constants.dart) * ``[x]`` ``capabilities.rs`` — AlgorithmCapability, ProviderCapabilities * ``[x]`` ``error.rs`` — CryptoError enum * ``[x]`` ``types.rs`` — KemKeyPair, SelfTestReport, BenchmarkReport, AlgoTestResult * ``[x]`` ``provider.rs`` — AeadProvider, KdfProvider, MacProvider, HashProvider, KemProvider traits; CryptoProvider umbrella trait * ``[x]`` ``registry.rs`` — ProviderRegistry (OnceLock>), register(), get(), list() * ``[x]`` ``lib.rs`` — re-exports all public items * ``[x]`` Unit tests for registry (5 passing) ---- Phase 3 — wolfSSL Submodule + ``ccc-crypto-wolfssl`` ----------------------------------------------------- * ``[x]`` ``git submodule add`` wolfSSL → ``vendors/wolfssl`` * ``[x]`` Pin submodule to ``v5.7.2-stable`` * ``[x]`` Document pin in ``vendors/README.md`` * ``[x]`` Create ``crates/ccc-crypto-wolfssl/Cargo.toml`` * ``[x]`` ``build.rs`` — cmake build + bindgen; stub_ffi feature bypasses C build * ``[x]`` ``aead.rs`` — AES-256-GCM implementation * ``[x]`` encrypt_aead (AES-256-GCM) * ``[x]`` decrypt_aead (AES-256-GCM) * ``[x]`` encrypt_aead (ChaCha20-Poly1305) * ``[x]`` decrypt_aead (ChaCha20-Poly1305) * ``[x]`` encrypt_aead (XChaCha20-Poly1305 via HChaCha20) * ``[x]`` decrypt_aead (XChaCha20-Poly1305) * ``[x]`` ``kdf.rs`` — KDF implementations * ``[x]`` HKDF-SHA256 * ``[x]`` HKDF-SHA384 * ``[x]`` HKDF-SHA512 * ``[x]`` Argon2id (64 MB / 3 iter / 4 threads — matches DEFAULT_CIPHER_PARAMS) * ``[x]`` BLAKE2b-512 KDF * ``[x]`` ``mac.rs`` — MAC implementations * ``[x]`` HMAC-SHA256 * ``[x]`` HMAC-SHA384 * ``[x]`` HMAC-SHA512 * ``[x]`` BLAKE2b-MAC (keyed) * ``[x]`` Constant-time verify * ``[x]`` ``hash.rs`` — Hash implementations * ``[x]`` SHA-256 / SHA-384 / SHA-512 * ``[x]`` SHA3-256 / SHA3-512 * ``[x]`` BLAKE2b-512 * ``[x]`` ``kem.rs`` — KEM implementations * ``[x]`` X25519 (keygen + DH encap/decap) * ``[x]`` X448 (keygen + DH encap/decap) * ``[ ]`` ML-KEM-768 (deferred to Phase 5) * ``[ ]`` ML-KEM-1024 (deferred to Phase 5) * ``[ ]`` Classic McEliece (deferred to Phase 5) * ``[x]`` ``capabilities.rs`` — probe-at-startup per algorithm * ``[x]`` ``capabilities.rs`` — benchmark() throughput micro-bench * ``[x]`` ``provider.rs`` — WolfSslProvider: CryptoProvider impl * ``[x]`` ``provider.rs`` — self_test() with embedded NIST vectors (AES-256-GCM, ChaCha20-Poly1305) * ``[x]`` Register WolfSslProvider in ProviderRegistry via init() * ``[x]`` Full native build verified (cmake builds clean, all conformance tests pass) ---- Phase 4 — Conformance Test Suite --------------------------------- * ``[x]`` NIST AES-256-GCM vectors (2 vectors) * ``[x]`` RFC 8439 ChaCha20-Poly1305 vectors * ``[x]`` RFC 5869 HKDF-SHA256 vectors (2 vectors) * ``[x]`` RFC 4231 HMAC-SHA256 vectors (2 vectors) * ``[x]`` FIPS hash vectors (SHA-256/512, SHA3-256, BLAKE2b-512) * ``[x]`` RFC 7748 X25519 DH test vectors * ``[x]`` RFC 7748 X448 DH test vectors * ``[x]`` XChaCha20-Poly1305 extended-nonce vectors * ``[x]`` ``cargo run -p ccc-conformance-tests`` passes (all current vectors) ---- Phase 5 — Architecture Documentation -------------------------------------- * ``[x]`` Create ``docs/ccc_rust_milestone1.rst`` * ``[x]`` Crate dependency graph (ASCII diagram) * ``[x]`` "How to add a new provider" — 7-step trait checklist * ``[x]`` ``algo: u32`` → cipher constant mapping table * ``[x]`` Milestone 2 hand-off contract documented ---- Milestone 1 Verification Gate ------------------------------ *All items must be checked before the* ``v0.1.0`` *tag is cut.* * ``[x]`` ``cargo test --workspace`` — all pass * ``[x]`` ``cargo run -p ccc-conformance-tests`` — ALL VECTORS PASSED * ``[x]`` ``cargo build --target aarch64-apple-ios`` — success * ``[x]`` ``cargo build --target aarch64-linux-android`` — success * ``[x]`` No ``flutter_rust_bridge`` / Dart / Flutter dependency in workspace * ``[x]`` ``cargo audit`` — no known CVEs ---- ============================================================ Milestone 2 — ``ccc_cryptography`` Flutter Plugin =========================================================== *(Not started — begins after Milestone 1 gate passes)* Phase 1 — New Repository Setup ------------------------------- * ``[ ]`` Create ``ccc_cryptography`` repository * ``[ ]`` Flutter plugin scaffold (``pubspec.yaml``, ``ios/``, ``android/``, ``macos/``) * ``[ ]`` Rust bridge crate with ``crate-type = ["cdylib", "staticlib"]`` * ``[ ]`` Add ``flutter_rust_bridge = "2"`` dependency * ``[ ]`` Reference ``ccc_rust`` via git tag ``v0.1.0`` ---- Phase 2 — Bridge Crate ---------------------- * ``[ ]`` ``dto.rs`` — CapabilitiesDto, KemKeyPairDto, KemEncapDto, SelfTestDto, AlgoTestResultDto; From impls * ``[ ]`` ``bridge.rs`` — ccc_init() * ``[ ]`` ``bridge.rs`` — ccc_list_providers() * ``[ ]`` ``bridge.rs`` — ccc_capabilities() / ccc_available_algorithms() * ``[ ]`` ``bridge.rs`` — ccc_aead_encrypt() / ccc_aead_decrypt() * ``[ ]`` ``bridge.rs`` — ccc_kdf_derive() * ``[ ]`` ``bridge.rs`` — ccc_mac_compute() / ccc_mac_verify() * ``[ ]`` ``bridge.rs`` — ccc_hash() * ``[ ]`` ``bridge.rs`` — ccc_kem_generate_keypair() * ``[ ]`` ``bridge.rs`` — ccc_kem_encapsulate() / ccc_kem_decapsulate() * ``[ ]`` ``bridge.rs`` — ccc_self_test() ---- Phase 3 — Codegen + Plugin Build --------------------------------- * ``[ ]`` Run ``flutter_rust_bridge_codegen generate`` * ``[ ]`` Verify generated Dart bindings compile * ``[ ]`` ``flutter build ios`` succeeds (static lib linked) * ``[ ]`` ``flutter build apk`` succeeds (cdylib linked) * ``[ ]`` ``flutter build macos`` succeeds ---- Phase 4 — Dart API Layer ------------------------ * ``[ ]`` ``CccCrypto`` class (wraps all bridge calls) * ``[ ]`` ``CccSelfTest`` class (wraps ccc_self_test()) * ``[ ]`` ``CccProviderCatalog`` (runtime-populated from ccc_capabilities()) ---- Phase 5 — Flutter Integration Tests ------------------------------------ * ``[ ]`` Roundtrip encrypt/decrypt 1 KB (AES-256-GCM) * ``[ ]`` Roundtrip encrypt/decrypt 1 KB (ChaCha20-Poly1305) * ``[ ]`` ``CccSelfTest.runAll()`` — all-pass ---- Milestone 2 Verification Gate ------------------------------ * ``[ ]`` All Flutter integration tests pass on iOS simulator * ``[ ]`` All Flutter integration tests pass on Android emulator * ``[ ]`` Package published / tagged ``v0.1.0`` ---- ============================================================ Milestone 3 — LetUsMsg App Integration ============================================================ *(Not started — begins after Milestone 2 gate passes)* * ``[ ]`` Add ``ccc_cryptography`` to ``letusmsg`` `pubspec.yaml`` * ``[ ]`` Wire ``crypto_wolfssl.dart`` encrypt/decrypt → bridge calls * ``[ ]`` Call ``CccCrypto.cccInit()`` at app startup * ``[ ]`` Populate ``CccProviderCatalog`` from runtime capabilities * ``[ ]`` Expose ``CccSelfTest.runAll()`` in app debug screen * ``[ ]`` End-to-end integration test (send + receive encrypted message) ---- Phase 8 — Stretch Goal Providers (Future) ------------------------------------------ *(Out of scope for Phase 4. Tracked here for future scheduling.)* * ``[ ]`` libsodium (``sodiumoxide`` / ``safe_libsodium``) * ``[ ]`` OpenSSL (``openssl`` crate) * ``[ ]`` BoringSSL (``boring`` crate) * ``[ ]`` RustCrypto (pure-Rust, no native dep) * ``[ ]`` liboqs — ML-KEM, BIKE, HQC, Falcon, Dilithium, SPHINCS+ * ``[ ]`` Signal ``libsignal`` * ``[ ]`` Botan * ``[ ]`` mbedTLS * ``[ ]`` Nettle