[noise] generated go from noise-explorer uses deprecated point multiplication

Nadim Kobeissi nadim.kobeissi at outlook.com
Fri Aug 13 15:00:59 PDT 2021 

Noise Explorer author here. I’ll take a close look at this tomorrow. Thanks for your patience everyone.

Nadim
Sent from my iPhone

> On 13 Aug 2021, at 11:17 PM, Yawning Angel <yawning at schwanenlied.me> wrote:
> 
> Hello,
> 
>> On 8/13/21 8:38 PM, john at sys.casa wrote:
>>    1) should noise end its usage of the now deprecated x25519.ScalarMult
>> when auto-generating go implementations?
> 
> See 11.1 and 12.1 of the Noise Protocol specification.
> 
>>    3) the low-level api for operating across the ed25519 curve is another
>> solution here - is it worth pondering the tradeoffs in switching
>> entirely to this API? https://github.com/FiloSottile/edwards25519
> 
> No. For several reasons.
> 
> 1) Recent versions of `x/crypto/curve25519` already use that package (If
> people are wondering why your scalar multiply performance cratered
> recently after updating their import, this is why).  See:
> https://github.com/golang/crypto/blob/0ba0e8f031222feafe2c6fe04ba9c3da11dd361a/curve25519/curve25519.go#L14
> 
> 2) That package does not (on it's own) implement u-coordinate only
> "multiplication".  Doing an Ed25519 scalar-point multiply and then
> converting to Montgomery u-coordinate will be slower than having a
> dedicated code path.
> 
> 3) 32-bit performance is awful.
> 
>> 1. Constant-time implementations for each curve operation used in IK.
> 
> Huh? `x/crypto/curve25519` has always been constant time.
> 
>> 2. Addresses some issues with the inconsistency between implementations
>> of curve/ed 25519. (read more:
>> https://hdevalence.ca/blog/2020-10-04-its-25519am)
> 
> Nothing the noise protocol framework does, has anything to do with how
> Ed25519 verification has many divergent implementations[0].  This is
> totally irrelevant in the context of noise.
> 
>> 3. edwards25519 planned to merge with the internal ed25519 API in go1.17
> 
> It's internal, and not accessible from normal code.  You would need to
> import Filo's standalone version.
> 
>> 4. Provides an array of useful extensions/operations for utilization
>> across curve 25519.
> 
> I guess you could reuse the scalar and finite field implementations?  It
> doesn't provide much else apart from a way to go from a twisted Edwards
> point to a u-coordinate...
> 
> 
>> downsides
>> =========
>> 1. Fairly significant API change
> 
> If you mean, use the raw field element library, and implement the
> multiplications that you need by hand, then sure.  If you just want to
> use the library for the sake of using it, then bumping your import does
> so, without any changes.
> 
> Don't get me wrong, I like the edwards25519 library, and I've used it
> for other things.  But as far as Noise is concerned, there isn't really
> a decision to be made here.  If the library uses recent
> `x/crypto/curve25519` then it will be used, if not, it won't.
> 
> Regards,
> 
> -- 
> Yawning Angel
> 
> [0]: Off-topic, if people need to solve the Ed25519 verification
> behavior issue in, ed25519consensus (implements ZIP-215) and
> curve25519-voi (implements several variants) exist to solve this.
> Really, "Just use Ristretto" though.
> 
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise

More information about the Noise mailing list