-
Notifications
You must be signed in to change notification settings - Fork 200
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Missing elliptic curves #114
Comments
I added an initial set of Brainpool curves ( Unfortunately I'm not a Brainpool user, so I was unclear around usage of brainpoolP256r1/brainpoolP384r1 vs brainpoolP256t1/brainpoolP384t1. The crates I added assume the former. Happy to hear from Brainpool users about how the curves are used in practice. If it turns out |
Circling back on Brainpool, I see a couple ways forward. We should decide which one makes sense. First, for background:
So, it seems like we should probably support both Include both
|
I know it is not one of the most widespread curves, but is there any chance, that secp224r1 is supported at some point? |
@tarcieri, I know that you mentioned in your original post that:
But is there any chance (or are planning already) to implement the I know that someone can use |
I assume you're specifically interested in Ed25519 and RFC 8410 support? There's an open PR to add PKCS#8 and SPKI support to https://github.com/ZcashFoundation/ed25519-zebra/pulls I'll also note that similar functionality is available through the https://docs.rs/signatory/0.23.2/signatory/ed25519/struct.SigningKey.html#method.from_pkcs8_der We do also maintain the https://github.com/RustCrypto/signatures/tree/master/ed25519 |
I added PKCS#8 support to the It now provides a Note it's still unreleased though |
Deno, a popular JavaScript runtime, uses RustCrypto's implementation of the P-256 and P-384 curves. A lack of support for the P-521 curve is the only thing holding it back from full compliance the WebCrypto standard, implemented by all major browsers. I humbly request the P-521 curve. Thank you very much! |
Now that |
Has the |
Do you have a real use case for it? Note that there's quite a bit of duplication between If it's just |
Sounds reasonable 👍 I need the curve for my company's product. Having this without importing one of the few C crypto libraries supporting it would be nice to have, but obviously I am aware that this is a quite exotic curve. |
#607 added the initial boilerplate for a However, implementing it properly will require some breaking changes to the |
#631 extracts a proper generic implementation of |
@newpavlov we got a request on Zulip for a |
@tarcieri Done. |
@newpavlov thank you! |
|
Could you please add |
@halvors added, although given its small modulus size it will probably be a fairly low priority (i.e. we should finish up P-224, P-521, and the Brainpool curves first, at least) |
@newpavlov it looks like you're an owner of the |
@tarcieri P.S.: I think it would be better to use the Zulip private chat for such questions, since I doubt other users are interested in these matters. |
I see that |
@halvors supporting any given curve is a lot of work, as we need to synthesize field implementations (both base and scalar) for each curve, and plug in formulas for the parts of the field implementation which can't be synthesized. The curve arithmetic implementation is generic; the field arithmetic implementations are not. |
As of v0.13.1 (#820), |
Very understandable, in my use case i have to verify signature using P-192, P-224, and k224 (but not signing) this is due to the fact that i am verifying authentication tokens issued by an external provider (somewhat dated one of that). Has there been any progress on generalizing k256? If so could generic implementations be reused for k224? Or is something that is yet to be done? |
@halvors https://github.com/RustCrypto/elliptic-curves/tree/master/primeorder seems to be it? Have you tried applying it to your curves? |
Yeah, |
For future reference the problem with |
@tarcieri I think |
Yes,
It's deeper than that, it would be a change to the |
Hello, does this mean basic field arithmetic is currently expected to "work" with these curves (but untested and potentially having bugs and security flaws)? Is it expected that this snippet features unmarked multiplication overflows (which panics in debug)? use elliptic_curve::SecretKey;
use p521::NistP521; // with feature wip-arithmetic-do-not-use
fn main() {
let mut rng = rand::thread_rng();
let secret_key : SecretKey<NistP521> = SecretKey::random(&mut rng);
let public_key = secret_key.public_key();
println!("{:?}", public_key);
} Which apparently occurs in fiat generated code, at https://github.com/RustCrypto/elliptic-curves/blob/master/p521/src/arithmetic/field/p521_64.rs#L324 Moreover if one forgets overflows (e.g. compiles in release), the snippet still does not work as multiplication here relies on inversion, which is unimplemented at the moment. So it appears a scalar multiplication cannot be performed. I am not too familiar with the structure of the repository and its implementation ; what is the current state of the implementation of these curves, besides the lack of tests and security confidence? Sorry if this should be in another issue, I don't know as I don't know how much this is expected. |
It uses a different fiat-crypto code generator specific to Solinas primes, which is a unique property of the prime modulus of the P-521 base field. However, something is wrong with the implementation and I haven't figured out what. I've been hoping the new codegen in |
I can help in creating a PR to update the existing code into the new type codegen by fiat-crypto. Would that be helpful?
|
This note returns a valid public key :) Required changes: |
Yep, |
Any strong feelings on Curve448-Goldilocks? Seeing it standardized and favored for inclusion in TLS might be worth the effort to investigate on our end. (I see an emphasis on legacy curves, so maybe not this one for now) |
@drcapybara there's already a few implementations of it out there, e.g. https://crates.io/crates/ed448-goldilocks We could potentially ask about upstreaming them |
This is a solid example. It appears there may be some good opportunity to upgrade some of the scalar arithmetic with functionality offered by crypto-bigint here. |
Any plans to support bn254? |
Arkworks already has an implementation of BN254: https://github.com/arkworks-rs/curves/tree/master/bn254 |
Is the required refactoring done in primeorder in order to support secp224k1 with N being 1 bit larger than the curve? |
The breaking change needs to happen in the |
Thank you for all of your work, it's a great endeavor. Did you get to spend any time on the Brainpool curves down the road? |
Yeah, still haven't gotten to the bottom of what the issue is with them, but they should be close to having arithmetic backends |
Has the secp384r1 been done? |
Yes, along with all of the other NIST P-curves: https://github.com/RustCrypto/elliptic-curves/tree/master/p384 |
where does this stand currently? The last published version of this crate came in about a year ago it looks like |
We could potentially inquire on the upstream repo: https://github.com/crate-crypto/Ed448-Goldilocks |
sounds like the authors might be interested: crate-crypto/Ed448-Goldilocks#35 |
secq256k1? Should be trivial given the secp256k1 code present. |
Hi, I haven't seen The Master List Signer Certificate and the German CSCA certificate uses Curve parameters for these curves can be found at: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03111/BSI-TR-03111_V-2-0_pdf.pdf?__blob=publicationFile&v=1 |
This is a tracking issue for additional elliptic curves we could potentially implement.
Note that we are presently focusing on short Weierstrass curves which can be implemented using the
primeorder
crate. There are many other Rust projects implementing newer curve forms, such asbls12_381
,curve25519-dalek
anded448-goldilocks
.The text was updated successfully, but these errors were encountered: