[noise] generated go from noise-explorer uses deprecated point multiplication
john at sys.casa
Fri Aug 13 13:38:27 PDT 2021
Hey folks,
I was checking out the auto-generated go implementations of various
noise protocols on https://noiseexplorer.com/ - really cool site/tool btw.
I noticed the generated go code uses a deprecated API for point scalar
multiplication.
For example, this is the generated dh function for IK:
    // Generated by Noise Explorer: X25519 Diffie-Hellman via the deprecated ScalarMult.
    func dh(private_key [32]byte, public_key [32]byte) [32]byte {
        var ss [32]byte
        curve25519.ScalarMult(&ss, &private_key, &public_key)
        return ss
    }
you can see the use of ScalarMult, which is deprecated.
https://pkg.go.dev/golang.org/x/crypto@v0.0.0-20210812204632-0ba0e8f03122/curve25519#ScalarMult (see also curve25519.ScalarBaseMult).
The go-docs suggest switching from ScalarMult to X25519 - here's a quick
reference on what that could look like for `dh`:
    func dh(private_key [32]byte, public_key [32]byte) [32]byte {
        var ss [32]byte
        // X25519 takes the scalar (private key) first and the point (public key) second.
        // It returns an error when the result is the all-zero value (low-order input point);
        // with the error ignored, ss is left as 32 zero bytes in that case.
        point, _ := curve25519.X25519(private_key[:], public_key[:])
        subtle.ConstantTimeCopy(1, ss[:], point[:32])
        return ss
    }
So, to summarize:
1) should noise end its usage of the now deprecated curve25519.ScalarMult
when auto-generating go implementations?
2) where do you make the changes that will affect the autogenerated go
code?
3) the low-level api for operating across the ed25519 curve is another
solution here - is it worth pondering the tradeoffs in switching
entirely to this API? https://github.com/FiloSottile/edwards25519
In response to my own question 3, here are some trade-offs I observed.
upsides
=======
1. Constant-time implementations for each curve operation used in IK.
2. Addresses some issues with the inconsistency between implementations
of curve/ed 25519. (read more:
https://hdevalence.ca/blog/2020-10-04-its-25519am)
3. edwards25519 planned to merge with the internal ed25519 API in go1.17
4. Provides an array of useful extensions/operations for utilization
across curve 25519.
downsides
=========
1. Fairly significant API change
2. More involved interface that may be inconvenient/unfamiliar to users.
3. Is currently not a go std pkg/module/library.
This email is looking to open up a discussion ~ please share your
thoughts, whatever they may be :)
--
Regards,
John S
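Worked example, added by the editor and not part of the original message or of Noise Explorer's generated code: the `dh` function discussed above, rewritten without the deprecated `curve25519.ScalarMult`. Rather than `golang.org/x/crypto`'s `X25519` it uses the standard-library `crypto/ecdh` package (Go 1.20+, which did not yet exist when the message was written); it performs the same X25519 scalar multiplication and returns an error instead of an all-zero secret when the peer's point is low-order, so the caller can abort the handshake rather than continue with a predictable key. The helper names `generateKeypair` and `rfc7748Check` are this example's own, and the known-answer check uses the Alice/Bob vectors from RFC 7748 section 6.1.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// dh computes the X25519 shared secret in the same [32]byte-in/[32]byte-out shape
// as Noise Explorer's generated dh, but through crypto/ecdh instead of the
// deprecated curve25519.ScalarMult. Hypothetical replacement, not Noise Explorer code.
// Unlike the generated function it surfaces the low-order-point error instead of
// silently returning 32 zero bytes.
func dh(privateKey [32]byte, publicKey [32]byte) ([32]byte, error) {
	var ss [32]byte
	curve := ecdh.X25519()
	priv, err := curve.NewPrivateKey(privateKey[:])
	if err != nil {
		return ss, err
	}
	pub, err := curve.NewPublicKey(publicKey[:])
	if err != nil {
		return ss, err
	}
	// ECDH returns an error when the shared secret would be all zeros, i.e. when
	// the remote point is in the small subgroup (low-order point).
	secret, err := priv.ECDH(pub)
	if err != nil {
		return ss, err
	}
	subtle.ConstantTimeCopy(1, ss[:], secret)
	return ss, nil
}

// generateKeypair produces a fresh X25519 keypair as raw 32-byte arrays.
func generateKeypair() (priv, pub [32]byte, err error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return priv, pub, err
	}
	copy(priv[:], k.Bytes())
	copy(pub[:], k.PublicKey().Bytes())
	return priv, pub, nil
}

// rfc7748Check runs dh against the RFC 7748 section 6.1 test vector from both
// sides and reports whether both results equal the published shared secret.
func rfc7748Check() bool {
	var alicePriv, alicePub, bobPriv, bobPub, want [32]byte
	mustHex(alicePriv[:], "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
	mustHex(alicePub[:], "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
	mustHex(bobPriv[:], "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
	mustHex(bobPub[:], "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
	mustHex(want[:], "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

	fromAlice, err1 := dh(alicePriv, bobPub)
	fromBob, err2 := dh(bobPriv, alicePub)
	return err1 == nil && err2 == nil && fromAlice == want && fromBob == want
}

// mustHex decodes a hex test vector into dst; the vectors are constants, so a
// decode failure is a programming error.
func mustHex(dst []byte, s string) {
	b, err := hex.DecodeString(s)
	if err != nil || len(b) != len(dst) {
		panic("bad test vector")
	}
	copy(dst, b)
}

func main() {
	fmt.Println("RFC 7748 vector ok:", rfc7748Check())

	// A low-order point (here the all-zero point) must be rejected, not turned
	// into an all-zero session key.
	priv, _, _ := generateKeypair()
	var zero [32]byte
	if _, err := dh(priv, zero); err != nil {
		fmt.Println("low-order point rejected:", err)
	}
}
```

The signature change (returning an error) is the one place this departs from the generated code's shape: Noise leaves it to the implementation whether to abort on an all-zero DH output, and making the condition visible to the caller is the simplest way to choose abort.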