
[suggestion] Deprecate the GG20 Library

Open brendanjryan opened this issue 2 years ago • 3 comments

Based on the following comment from [0] and the "obsolescence" of the GG20 paper, I think it would make sense to "deprecate" the tecdsa/gg20 package so that any new implementations or those which already rely on this code are aware of the risks of this protocol.

This should be possible via the following godoc declaration: https://rakyll.org/deprecated/

On the other hand, the authors of that paper appear to have declared it "obsolete". In light of this declaration, we cannot attest, given the information we currently have, that the protocol implemented here is secure. We advise caution regarding its use.

[0] https://github.com/coinbase/kryptology/blob/master/pkg/tecdsa/gg20/SECURITY.md

brendanjryan avatar Jul 27 '22 23:07 brendanjryan
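The godoc convention referenced in the post above marks a package as deprecated with a doc-comment paragraph that begins with `Deprecated:`. The following is an added example, not code from the issue or from kryptology, that checks a package doc comment for that paragraph; the sample sources and the wording of the notice are constructed for illustration, and `DeprecationNotice` is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed sample: package doc comment following the "Deprecated:" convention.
// The notice wording is hypothetical, not the project's own text.
const sampleSrc = `// Package gg20 implements threshold ECDSA signing.
//
// Deprecated: the GG20 paper was declared obsolete by its authors; see
// SECURITY.md before relying on this package.
package gg20
`

// Constructed counter-sample: same package with no deprecation paragraph.
const undocumentedSrc = `// Package gg20 implements threshold ECDSA signing.
package gg20
`

// DeprecationNotice returns the text of the "Deprecated:" paragraph in the
// package doc comment of src, and whether such a paragraph exists.
func DeprecationNotice(src string) (string, bool, error) {
	mode := parser.ParseComments | parser.PackageClauseOnly
	f, err := parser.ParseFile(token.NewFileSet(), "doc.go", src, mode)
	if err != nil {
		return "", false, err
	}
	if f.Doc == nil {
		return "", false, nil
	}
	// Tools only honor the marker when it starts its own paragraph.
	for _, para := range strings.Split(f.Doc.Text(), "\n\n") {
		if strings.HasPrefix(para, "Deprecated:") {
			rest := strings.TrimPrefix(para, "Deprecated:")
			return strings.Join(strings.Fields(rest), " "), true, nil
		}
	}
	return "", false, nil
}

func main() {
	for _, src := range []string{sampleSrc, undocumentedSrc} {
		notice, ok, err := DeprecationNotice(src)
		fmt.Println(ok, notice, err)
	}
}
```
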

@brendanjryan Good day Brendan Ryan

Can you help with a few questions about this issue?

  1. Can you advise new implementations that fix this error?
  2. Can they be used in production?

vanillahedg avatar Aug 10 '22 10:08 vanillahedg

Sure -- thanks for flagging @vanillahedg

  1. I cannot; per [0], these changes would need to occur at the algorithm design level and are not related to implementation.
  2. ^

On the other hand, the authors of that paper appear to have declared it "obsolete". In light of this declaration, we cannot attest, given the information we currently have, that the protocol implemented here is secure. We advise caution regarding its use.

brendanjryan avatar Aug 11 '22 02:08 brendanjryan

Thank you very much for your answer.

vanillahedg avatar Aug 11 '22 15:08 vanillahedg