Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Should we rip out Ed25519 private key compatibility? #9

Closed
burdges opened this issue Feb 4, 2019 · 4 comments
Closed

Should we rip out Ed25519 private key compatibility? #9

burdges opened this issue Feb 4, 2019 · 4 comments

Comments

@burdges
Copy link
Collaborator

burdges commented Feb 4, 2019

As discussed in #7 we needed to dump the Ed25519 public key compatibility, so we should probably rip out the private key compatibility too for simplicity. We should probably consider the issues further before doing this however, like if anyone wants a migration crate then maybe we should not do this. I suppose the right answer might be: Keep the code for private key compatibility but do not make it the default.

@burdges
Copy link
Collaborator Author

burdges commented Feb 13, 2019

If we keep the Ed25519 keypairs then we should hardcode sha2 as in d81d43e3ae957e4c707560d7aaf9f7326a96eaaa dalek-cryptography/ed25519-dalek#64

Now done in be13a05

@burdges
Copy link
Collaborator Author

burdges commented Mar 18, 2019

We'll keep minisecretkey being an ed25519 secret key for now. There is only one cost: If you wanted to use these keys in some tricks that expose the non-uniformity then you must make the secretkey directly.

As a poor example, imagine we permit an account public key to be either a public key or a public key hashed to the curve, with the real public key provided. If keys are uniform then an adversary with a quantum computer might attempt to steal funds by breaking an account key. If they did not check if the key had never been used before then they might break one that is hashed to the curve. In that case, they would steal the funds but they're also give the legitimate funds holder the ability to prove a person with a working quantum computer stole their funds. This is all pretty far fetched.

As a better example, someone might use these keys for key exchanges in a mixnet, in which case an adversary with a quantum computer can get one bit of information about their route.

We could fix any worried with more scary warnings on using minisecretkey, but ideally we might just have two mini secret key types, one called Ed25519SecretKey that works like now, and one called something else that uses wide generation for the scalar, so no clamping.

burdges added a commit that referenced this issue May 12, 2019
This should make it easier to interact with Ristretto crates like
slingshot.  See  #34  and  #9
@burdges
Copy link
Collaborator Author

burdges commented May 12, 2019

I've ripped out the ed25519-style minisecretkey to secretkey mapping because I expect protocols that want uniformity for secret scalars exist.

I've switched the secret key serialization to canonical bytes instead of the ed25519 compatible bit shifting because that gives a very limited amount of compatibility with more dalek ecosystem crates like slingshot. see #34

@burdges
Copy link
Collaborator Author

burdges commented Jul 31, 2019

I put back ed25519 private key compatibility because we never updated subkey before asking user to use it. This is fine. It adds a sha2 dependency, and might annoy someone someday, but if anyone ever wants a map from ristretto to ed25519 then they can exploit it, so maybe that's good.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant