Generic signature API

[bwesterb]

Used to easily add support for new (PQ) signature schemes to our fork of Go and cfssl.

[bwesterb]

Another reason is that I'm quickly prototyping integration into Go stdlib to find possible issues with the API. I found one already: we can't use PubicKeyAlgorithm() x509.PublicKeyAlgorithm in our interface for that would cause an import cycle.

[bwesterb]

@armfazh @claucece Have another look.

[claucece]

I'll check this tomorrow ;)

[claucece]

I think it is looking good. Maybe we should be more clear on some names and all, though

[claucece]

Maybe we don't need to repeat here the 'ToLower'.. but maybe it will be a safe security measure...

[bwesterb]

If we would remove this ToLower() then we will never match any scheme that has an upper case character in the return of its scheme.Name().

[claucece]

Yes, but perhaps the scheme.Name() should always be enforced to be lower case... what do you think?

[bwesterb]

@armfazh Removed case insensitivity again. Did you do that on purpose @armfazh ?

[claucece]

What if only opts.Context != ""?

[bwesterb]

I don't understand. For opts.Context to make sense, we must have opts != nil.

[armfazh]

if any of the options is not used, then is ignored.

[bwesterb]

I don't understand — could you rephrase perhaps?

[bwesterb]

Maybe we should be more clear on some names and all, though

Sure, which?

[armfazh]

I just added a generic interface for four signatures, there are some methods marked with TODO.
Also I moved some methods into the circl/pki package.

[claucece]

Sure, which?

Let me thinking of a nice naming convention and propose something over here tomorrow.

[bwesterb]

@armfazh

• I dislike that SchemeByName is now under the github.com/cloudflare/circl/sign/api package.

I don't see a way to solve this without making something else ugly.

• Providing a context to a scheme that does not support it is completely ignored. It should be an error.

I've changed that behaviour: provided a context where none is supported causes an error.

[bwesterb]

I've also removed the Hash from the SignatureOpts as it's not used — we can add it back in if we have a scheme that actually uses it.

[bwesterb]

@armfazh @claucece I've addressed all comments. Before starting with final polish (i.e. better documentation & examples), I think we still need to discuss some API issues:

• Are we really happy with having sign package which defines Scheme and sign/api package which actually lists them? Isn't schemes perhaps a better name than api as the sign package itself defines the API. Then schemes.All() and scheme.ByName() would be nice to write.
• Do we want Scheme names to be case insensitive? This was the case but @armfazh reversed it. This is required for easy integration with cfssl.
• Doesn't ed25519 have a variant that support contexts? Should we add this to the Ed25519 scheme or have a separate Ed25519Ctx scheme? I guess it's best to have separate schemes for these variants — @claucece what do you think?

[armfazh]

• Are we really happy with having sign package which defines Scheme and sign/api package which actually lists them? Isn't schemes perhaps a better name than api as the sign package itself defines the API. Then schemes.All() and scheme.ByName() would be nice to write.

Agree on s/api/schemes/

• Do we want Scheme names to be case insensitive? This was the case but @armfazh reversed it. This is required for easy integration with cfssl.

I don't have a strong opinion on this. Feel free to bring back that code.

• Doesn't ed25519 have a variant that support contexts? Should we add this to the Ed25519 scheme or have a separate Ed25519Ctx scheme? I guess it's best to have separate schemes for these variants — @claucece what do you think?

That variant would be another named scheme Ed25519Ctx, which is separated from the current Ed25519 scheme.

I've also removed the Hash from the SignatureOpts as it's not used — we can add it back in if we have a scheme that actually uses it.

I added that the Hash field to make the structure compatible with the crypto.SignerOpts. So, we can receive a crypto.SignerOpts, and internally convert it to a different type.

I dislike that SchemeByName is now under the github.com/cloudflare/circl/sign/api package.

I also didn't like it at all. But, that's the way I found for avoiding circle dependencies. Renaming sign/api to sign/schemes can alleviate a bit its usage.

[armfazh]

I don't understand why to take the address of a zero-sized value. You can implement the interface with scheme and not with *scheme.

[bwesterb]

Under the hood an instance of an interface is always a pair of a pointer and a concrete type, so instantiating it with a pointer is closer to what really happens. The assembly generated btw is exactly the same.

[armfazh]

The difference is on the assembly calls.
call AX vs call "".(*Impl2).A(SB)
one call is with a register and the other is with a pointer.

I am not convinced why to use pointer when they are not needed.

[bwesterb]

Oops, I simplified my example too much.

Take a look at this one

Creating an instance of an interface with either a empty struct or a pointer to an empty struct results in the pointer runtime.zerobase. (The code of alloc1 and alloc2 is the same. This time I checked properly.)

The generic way to run a function on an interface involves a virtual call (call ax). So interestingly the Go compiler optimised the call with the pointer receiver, but not the call with the value receiver. I don't see a reason why it couldn't optimise the one with the value receiver as well and perhaps it will in the future.

So using pointers or not does not actually change anything when using empty structs (and the calling code doesn't know the types.) And if it does it optimizes the pointer case better. That's not the reason I use pointers though — as I said I prefer putting them here as it's closer to what Go actually does under the hood: an instance of an interface is always a pointer.

[armfazh]

So interestingly the Go compiler optimised the call with the pointer receiver, but not the call with the value receiver.

I want to learn more about this.

So using pointers or not does not actually change anything when using empty structs.

Agree.

[bwesterb]

Agree on s/api/schemes/

Done. Updated this branch, Go fork and cfssl fork.

I added that the Hash field to make the structure compatible with the crypto.SignerOpts. So, we can receive a crypto.SignerOpts, and internally convert it to a different type.

The type of Scheme.Sign is Sign(sk PrivateKey, message []byte, opts *SignatureOpts) []byte so that wouldn't accept a crypto.SignerOpts anyway now. (Note that there are two sign functions: one on the scheme and one on the PrivateKey — the one on the private key does accept a crypto.SignerOpts but does not allow for the advanced options like Context.)

[armfazh]

the one on the private key does accept a crypto.SignerOpts but does not allow for the advanced options like Context.)

I had the same intuition, but here is the trick. Even if we announce to receive a crypto.SignerOpts, we could pass a Sign.SignatureOpts (which must have field Hash) and internally convert the parameter into a Sign.SignatureOpts struct. (I learn this trick from @claucece)

[claucece]

Are we really happy with having sign package which defines Scheme and sign/api package which actually lists them? Isn't schemes perhaps a better name than api as the sign package itself defines the API. Then schemes.All() and scheme.ByName() would be nice to write.

Yes!

Do we want Scheme names to be case insensitive? This was the case but @armfazh reversed it. This is required for easy integration with cfssl.

Mmm... It will be better case insensitive.

Doesn't ed25519 have a variant that support contexts? Should we add this to the Ed25519 scheme or have a separate Ed25519Ctx scheme? I guess it's best to have separate schemes for these variants — @claucece what do you think?

There are two: the ctx and the ph. The schemes should be there on the ed25519 API.

[claucece]

I had the same intuition, but here is the trick. Even if we announce to receive a crypto.SignerOpts, we could pass a Sign.SignatureOpts (which must have field Hash) and internally convert the parameter into a Sign.SignatureOpts struct. (I learn this trick from @claucece)

Exactly! Then, the "Golang-way" API does not change ;)

[claucece]

@bwesterb check what I did with the ed448 and ed25519 API, specially the usage of this: https://github.com/cloudflare/circl/blob/master/sign/ed25519/ed25519.go#L69

[bwesterb]

I had the same intuition, but here is the trick. Even if we announce to receive a crypto.SignerOpts, we could pass a Sign.SignatureOpts (which must have field Hash) and internally convert the parameter into a Sign.SignatureOpts struct. (I learn this trick from @claucece)

Yes, that's for a method on the private key, but here we're dealing with a top level function.

(For the Sign method on the private key it's actually a bit tricky. If we use the same type for an ed25519 and ed25519ctx private key, then we can't know whether it was used for the scheme ed25519 or ed25519ctx. I'd like to propose to fix this in a coming pull request where we add schemes for the variants of ed*.)

[bwesterb]

@armfazh @claucece I'm happy with the PR as it is now (assuming we'll be able to make changes to the API before we tag it.) Do you agree?

[claucece]

(For the Sign method on the private key it's actually a bit tricky. If we use the same type for an ed25519 and ed25519ctx private key, then we can't know whether it was used for the scheme ed25519 or ed25519ctx. I'd like to propose to fix this in a coming pull request where we add schemes for the variants of ed*.)

Mmm.. ok.

Do you agree?

Sure!

[armfazh]

It seems ready to go.

[bwesterb]

Thank you, I merged it. I created an issue ( #147 ) to track desired improvements to this API.