OsRng not available from the opaque-ke rand public re-export

[Philb37]

Hello, I'm new to Rust so I might not be grasping the full picture here. This might not be an issue but just a lack of understanding on my part or a missreading of your documentation.

Crate version

4.0.0

Problem

It seems you cannot access OsRng (used in the simple_login.rs example) when you add the opaque-ke crate in your own project.

main.rs:

use opaque_ke::{
    CipherSuite, 
    ClientRegistration,
    rand::rngs::OsRng // <-------- ERROR HERE: unresolved import `opaque_ke::rand::rngs::OsRng` no `OsRng` in `rngs`
};

// 
use opaque_ke::rand::rngs; // <--- But here you can access rngs

struct Default;

impl CipherSuite for Default {
    type OprfCs = opaque_ke::Ristretto255;
    type KeyExchange = opaque_ke::TripleDh<opaque_ke::Ristretto255, sha2::Sha512>;
    type Ksf = opaque_ke::ksf::Identity;
}

fn main() {
    let mut client_rng = OsRng;
    let client_registration_start_result =
        ClientRegistration::<Default>::start(&mut client_rng, b"password");
}

Cargo.toml:

[package]
name = "opaque-ke-rand-issue"
version = "0.1.0"
edition = "2024"

[dependencies]
opaque-ke = { version = "4.0.0", features = ["std", "argon2"] }
sha2 = "0.10.9"

Workaround

If you add the rand crate separately (matching the version used by opaque-ke), the problem disappears:

Cargo.toml

[dependencies]
opaque-ke = { version = "4.0.0", features = ["std", "argon2"] }
rand = "0.8" # Matching opaque-ke's rand version
sha2 = "0.10.9"

Question

You re-export the rand crate here. I assumed I would be able to access the entire rand crate through this re-export, but it seems that OsRng is gated behind the getrandom feature and isn't accessible this way.

I notice that:

1. Your simple_login.rs example can access OsRng directly (presumably because it's part of the crate itself)
2. Your documentation if it's not broken anymore, otherwise here shows use rand::rngs::OsRng;, which suggests users should add rand as a separate dependency

My questions:

• Is the intent for users to add rand as their own dependency?
• If so why do you re-export publicly the rand crate and should the documentation clarify this requirement ?
• If not should we be able to pass the getrandom feature ?

I'm confused about the correct approach here. Thank you for your help!

[kevinlewi]

Hmm interesting, thanks for raising the issue!

The intended behavior is to allow users to use the re-exported version of rand without having to add it as their own dependency. It seems like this is not working, as you pointed out.

I will attempt to fix this, unfortunately it doesn't seem like the tests caught this issue.

[kevinlewi]

The fix should be landed in the latest commit. Can you check and see if this works for you locally?

[Philb37]

It works !

I cloned the repo locally, removed rand and opaque-ke crates from the sample project presented above. Now my toml looks like this

[package]
name = "opaque-ke-rand-issue"
version = "0.1.0"
edition = "2024"

[dependencies]
opaque-ke = {  path = "../opaque-ke", features = ["std", "argon2"] }
sha2 = "0.10.9"

And I don't have an error on this use anymore.

use opaque_ke::{
    CipherSuite, 
    ClientRegistration,
    rand::rngs::OsRng // <-------- Working
};

Thanks for the quick fix !