-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/ed25519: Implement Ed25519ph #31804
Comments
Change https://golang.org/cl/174941 mentions this issue: |
+1 |
Thanks @titanous , this is just what we needed. Confirmed to behave as the reference implementation (libsodium). 👍 Not sure if this is still in time for 1.13... @FiloSottile |
Too late for Go 1.13, targeting Go 1.14. ( |
While I understand that the As it stands right now, the proposed implementation does not support a domain separation context. Since there already is a |
RFC 8032 defined context independently of pre-hashing, so to support the whole spec we'd also have to support pure Ed25519 with custom context. I am really not a fan of extending the API surface of a standard library package that should be what we point users to for basic public key signatures. How about this alternative API, which is more extensible and still makes it very opt-in to select the variants?
|
If this proposed API is accepted, then Nitpicking: Is there any particular reason why |
Yep.
Mostly consistency, we've used string for contexts elsewhere, in some cases to make it a different type from the message itself (which is not relevant here). I personally think it fits better the nature of the value, because it's usually fixed or at least immutable, often human-readable, and as you say can be a const. We should definitely document the max length, thank you. |
I went and implemented this in a package I maintain for dayjob (because dayjob needs ph-with-context support), and have more feedback. What should happen when
I went with option 2 as option 1 is somewhat nonsensical and recommended against, though I will happlily change the package to match what the runtime library does. If Minor: I used |
Yeah, definitely pure if Context is
I thought about that, but I think I'd rather use the concrete type for a few reasons:
|
I think this is wrong,
the prehashed mode must do the job internally, i.e. explicitly hashing the (likely to be large) message with SHA-512. |
That is not how the |
Of couse doesn't work like that because I acknowledge the lack of a Signer Go interface that handles the new signature schemes for example those in RFC-8032, which enable prehashing and receive domain separation strings as input. |
Based on the discussion above, this proposal seems like a likely accept. |
No change in consensus, so accepted. 🎉 |
CC @golang/security Looks like this didn't make 1.19. Moving to backlog. Please recategorize as appropriate. |
Updates #31804 Change-Id: I5a48dfc57401576902674aff20b557e4a8ce8ab8 Reviewed-on: https://go-review.googlesource.com/c/go/+/373076 Reviewed-by: Filippo Valsorda <[email protected]> Reviewed-by: Michael Knyszek <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Katie Hockman <[email protected]> Reviewed-by: David Chase <[email protected]>
Updates golang#31804 Change-Id: I5a48dfc57401576902674aff20b557e4a8ce8ab8 Reviewed-on: https://go-review.googlesource.com/c/go/+/373076 Reviewed-by: Filippo Valsorda <[email protected]> Reviewed-by: Michael Knyszek <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Katie Hockman <[email protected]> Reviewed-by: David Chase <[email protected]>
This is missing a test for Ed25519ph with context, since the RFC doesn't provide one. Fixes golang#31804 Change-Id: I20947374c51c6b22fb2835317d00edf816c9a2d2 Reviewed-on: https://go-review.googlesource.com/c/go/+/404274 Auto-Submit: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Cherry Mui <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]>
Update, Apr 6 2022: The proposed API is in #31804 (comment).
The Ed25519ph variant specified in RFC 8032 allows signing/verifying a message that has already been hashed with SHA-512 without risking the collision-resistant properties of "PureEdDSA" when using the same keys for messages signed using both schemes.
This is useful in at least two scenarios:
This variant can be implemented minimally using the existing
crypto.Signer
API plus an additional verification function, without encouraging unsafe use by providing easy access to an API that takes anio.Reader
orio.Writer
.Due to the additional internal hash initialization, there is no way to implement this without forking the package or upstreaming an implementation patch.
I will send a CL with a proposed implementation.
Relevant: #31727
/cc @zx2c4 @FiloSottile
The text was updated successfully, but these errors were encountered: