commonwarexyz · patrick-ogrady · Jan 7, 2026 · Dec 29, 2025 · Dec 29, 2025 · Dec 29, 2025
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -37,7 +37,7 @@ jobs:
       matrix:
         include:
           - package: commonware-cryptography
-            cargo_flags: ""
+            cargo_flags: "--features commonware-cryptography/soft-mlock"
             file_suffix: ""
             benchmark_name: "commonware-cryptography"
           - package: commonware-storage

diff --git a/.github/workflows/slow.yml b/.github/workflows/slow.yml
@@ -83,7 +83,7 @@ jobs:
       matrix:
         include:
           - package: commonware-cryptography
-            cargo_flags: ""
+            cargo_flags: "--features commonware-cryptography/soft-mlock"
           - package: commonware-storage
             cargo_flags: ""
           - package: commonware-storage

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -139,6 +139,7 @@ serde = "1.0.218"
 serde_json = "1.0.122"
 serde_yaml = "0.9.34"
 sha2 = { version = "0.10.8", default-features = false }
+subtle = { version = "2.6.1", default-features = false }
 syn = "2.0.0"
 sysinfo = "0.37.2"
 thiserror = { version = "2.0.12", default-features = false }

diff --git a/consensus/Cargo.toml b/consensus/Cargo.toml
@@ -40,6 +40,7 @@ tracing.workspace = true
 [dev-dependencies]
 commonware-conformance.workspace = true
 commonware-consensus = { path = ".", features = ["mocks"] }
+commonware-cryptography = { workspace = true, features = ["soft-mlock"] }
 commonware-math.workspace = true
 commonware-resolver = { workspace = true, features = ["mocks"] }
 rstest.workspace = true

diff --git a/cryptography/Cargo.toml b/cryptography/Cargo.toml
@@ -32,6 +32,7 @@ rand_chacha.workspace = true
 rand_core.workspace = true
 rayon = { workspace = true, optional = true }
 sha2.workspace = true
+subtle.workspace = true
 thiserror.workspace = true
 x25519-dalek = { workspace = true, features = ["zeroize"] }
 zeroize = { workspace = true, features = ["zeroize_derive"] }
@@ -41,6 +42,9 @@ zeroize = { workspace = true, features = ["zeroize_derive"] }
 version = "0.2.15"
 features = ["js"]
 
+[target.'cfg(unix)'.dependencies]
+libc = "0.2"
+
 [dev-dependencies]
 anyhow.workspace = true
 commonware-conformance.workspace = true
@@ -55,6 +59,7 @@ crate-type = ["rlib", "cdylib"]
 
 [features]
 default = [ "std" ]
+soft-mlock = []
 parallel = [ "blake3/rayon", "rayon", "std" ]
 mocks = [ "std" ]
 arbitrary = [
@@ -84,6 +89,7 @@ std = [
 	"rand_core/std",
 	"rayon",
 	"sha2/std",
+	"subtle/std",
 	"thiserror/std",
 	"zeroize/std",
 ]
@@ -92,16 +98,19 @@ std = [
 name = "bls12381"
 harness = false
 path = "src/bls12381/benches/bench.rs"
+required-features = ["soft-mlock"]
 
 [[bench]]
 name = "ed25519"
 harness = false
 path = "src/ed25519/benches/bench.rs"
+required-features = ["soft-mlock"]
 
 [[bench]]
 name = "secp256r1"
 harness = false
 path = "src/secp256r1/benches/bench.rs"
+required-features = ["soft-mlock"]
 
 [[bench]]
 name = "sha256"

diff --git a/cryptography/fuzz/fuzz_targets/bls12381_primitive_operations.rs b/cryptography/fuzz/fuzz_targets/bls12381_primitive_operations.rs
@@ -417,10 +417,7 @@ fn arbitrary_g2(u: &mut Unstructured) -> Result<G2, arbitrary::Error> {
 }
 
 fn arbitrary_share(u: &mut Unstructured) -> Result<Share, arbitrary::Error> {
-    Ok(Share {
-        index: u.int_in_range(1..=100)?,
-        private: arbitrary_scalar(u)?,
-    })
+    Ok(Share::new(u.int_in_range(1..=100)?, arbitrary_scalar(u)?))
 }
 
 fn arbitrary_poly_scalar(u: &mut Unstructured) -> Result<Poly<Scalar>, arbitrary::Error> {

diff --git a/cryptography/fuzz/fuzz_targets/common/mod.rs b/cryptography/fuzz/fuzz_targets/common/mod.rs
@@ -105,10 +105,7 @@ pub fn arbitrary_scalar(u: &mut Unstructured) -> Result<Scalar, arbitrary::Error
 
 #[allow(unused)]
 pub fn arbitrary_share(u: &mut Unstructured) -> Result<Share, arbitrary::Error> {
-    Ok(Share {
-        index: u.int_in_range(1..=100)?,
-        private: arbitrary_scalar(u)?,
-    })
+    Ok(Share::new(u.int_in_range(1..=100)?, arbitrary_scalar(u)?))
 }
 
 #[allow(unused)]

diff --git a/cryptography/fuzz/fuzz_targets/secp256r1_recoverable_decode.rs b/cryptography/fuzz/fuzz_targets/secp256r1_recoverable_decode.rs
@@ -53,7 +53,7 @@ fn test_private_key(data: &[u8]) {
             if let (Ok(ref_key), Ok(our_key)) = (ref_result, our_result) {
                 assert_eq!(
                     ref_key.to_bytes().as_slice(),
-                    our_key.as_ref(),
+                    our_key.encode().as_ref(),
                     "32-byte input: keys don't match"
                 );
             }

diff --git a/cryptography/fuzz/fuzz_targets/secp256r1_standard_decode.rs b/cryptography/fuzz/fuzz_targets/secp256r1_standard_decode.rs
@@ -53,7 +53,7 @@ fn test_private_key(data: &[u8]) {
             if let (Ok(ref_key), Ok(our_key)) = (ref_result, our_result) {
                 assert_eq!(
                     ref_key.to_bytes().as_slice(),
-                    our_key.as_ref(),
+                    our_key.encode().as_ref(),
                     "32-byte input: keys don't match"
                 );
             }