-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: x/crypto/curve25519: new X25519 API #32670
Comments
Discussed with @rsc, comments inline.
This wouldn't be very useful, as unnamed types and equivalent named types don't conflict.
It should be possible to write it such that it does not allocate. Will write an experiment and a test.
Deprecation for ScalarMult, just a note for ScalarBaseMult. |
https://golang.org/ref/spec says
Perhaps you need to say |
Good point, but we can compare the pointer to the beginning of the slice. |
I'd really suggest comparing the len too. |
The inliner trick is working. For example in the following code, the
|
This seems like a good path forward. Going to keep this open for another week and then consider the proposal accepted. |
A week has passed, accepting this proposal. While at it, we should also add an example of a DH flow, and a lot of docs. I used the current curve255219 package this weekend and it was not a good experience. |
This is way out of my league so I depend on the mercy of examples how to DH a secret key from point a to b using X25519 |
PS This other package looks excellent to me? https://godoc.org/github.com/aead/ecdh |
Change https://golang.org/cl/205157 mentions this issue: |
Change https://golang.org/cl/205158 mentions this issue: |
const ScalarSize = 32 const PointSize = 32 var Basepoint []byte func X25519(scalar, point []byte) ([]byte, error) Fixes golang/go#32670 Change-Id: I6b08932e4123949355610b16b6053559b399516c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/205157 Reviewed-by: Katie Hockman <katie@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
const ScalarSize = 32 const PointSize = 32 var Basepoint []byte func X25519(scalar, point []byte) ([]byte, error) Fixes golang/go#32670 Change-Id: I6b08932e4123949355610b16b6053559b399516c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/205157 Reviewed-by: Katie Hockman <katie@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
const ScalarSize = 32 const PointSize = 32 var Basepoint []byte func X25519(scalar, point []byte) ([]byte, error) Fixes golang/go#32670 Change-Id: I6b08932e4123949355610b16b6053559b399516c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/205157 Reviewed-by: Katie Hockman <katie@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
const ScalarSize = 32 const PointSize = 32 var Basepoint []byte func X25519(scalar, point []byte) ([]byte, error) Fixes golang/go#32670 Change-Id: I6b08932e4123949355610b16b6053559b399516c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/205157 Reviewed-by: Katie Hockman <katie@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
const ScalarSize = 32 const PointSize = 32 var Basepoint []byte func X25519(scalar, point []byte) ([]byte, error) Fixes golang/go#32670 Change-Id: I6b08932e4123949355610b16b6053559b399516c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/205157 Reviewed-by: Katie Hockman <katie@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
const ScalarSize = 32 const PointSize = 32 var Basepoint []byte func X25519(scalar, point []byte) ([]byte, error) Fixes golang/go#32670 Change-Id: I6b08932e4123949355610b16b6053559b399516c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/205157 Reviewed-by: Katie Hockman <katie@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
Current API
The names are the same as the
elliptic.Curve
methods, but with different function signatures.The main issue with the current API is that there is no way to return an error from
ScalarMult
for low order inputs, which are a serious problem in certain protocols.See #31846 and the linked paper, where it was only the Go implementations that were actually exploitable, due to our lack of safety checks, which is the opposite of what we want to achieve.
Proposed API
X25519
is the name of the function as specified in RFC 7748.Basepoint
is identified by slice equality (as opposed tobytes.Equal
) to avoid a timing side-channel when the point might or might not be the basepoint.The implementation of
X25519
would just check ifpoint == Basepoint
, and invoke theScalarBaseMult
orScalarMult
implementation (the latter followed by the missing check).Why slices
There is a split in Go crypto APIs between slices (like
ed25519
) and array pointers (likecurve25519
). Both have their advantages, but over time I decided I prefer slices: arrays require a new variable and a copy at most uses, and I often saw bugs due to making short copies into the array.So while type safety is nice, the failure mode of arrays in practice is worse. Slices cause an error at runtime, but if the code is ever tested, that condition should be caught more easily than the example above.
Open questions
Should we have
Scalar []byte
andPoint []byte
types to prevent mixing up scalar and point arguments?Does this function always allocate, or will inliner and escape analysis be able to figure out that if the return value is quickly disposed of it can live on the stack?
Should we deprecate the unsafe
ScalarMult
in favor ofX25519
? For most uses ofScalarMult
the unsafe corner-case doesn't really matter, but on the other hand most common uses will be in other standard or x/crypto packages. If an application uses it directly, they might be doing something complex where low-order points matter.Considered alternatives
Adding an error
This package lives in curve25519, so we could add an error return value to
ScalarMult
. Since it currently doesn't have a return value, it would be a fairly low impact.The problem is indeed that it would probably go unnoticed for existing code.
Adding a check function
The unsafe inputs generate recognizable results, so we could add a
CheckOutput(p []byte) error
function.This is the opposite of secure by default.
Replacing only ScalarMult
We could just deprecate
ScalarMult
and replace it with an identical function with an error return value.I could honestly not think of a good name, and it seemed like a good opportunity to switch to slices and the naming of the RFC.
/cc @agl @rsc
The text was updated successfully, but these errors were encountered: