EdDSA support
The interface should perhaps match sslcrypto.ecc and be called sslcrypto.edwards.
@imachug @filips123: https://github.com/peer-to-peer-network/testing/blob/master/ed25519-blake3.py
I would also replace the hashing function in ed25519 https://ed25519.cr.yp.to/python/ed25519.py
```python
def H(m):
    return hashlib.sha512(m).digest()
```
What about this one? :thinking:
```python
def H(m):
    return blake3.blake3(m).digest()
```
I think I can't support this change. EdDSA schemes are defined by several parameters such as elliptic curve, base point and hash. So, ed25519 with BLAKE3 instead of SHA-512 is not ed25519. Please notice that I can't just add a separate hash argument as for ECC because the hash function is used even for public key generation. Instead, I could allow constructing an edwards-curve-cryptography object from the parameters (including hash function).
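The point above, that the hash is one of the scheme's parameters and already enters public-key derivation, is easiest to see by running the scheme with the hash swapped. The block below is an added example, not sslcrypto's or any participant's code: it is the RFC 8032 reference arithmetic for Ed25519 with the hash passed in as a parameter. `hashlib.blake2b` (64-byte output, standard library) stands in for BLAKE3, which is not in the standard library; the seed and expected values are RFC 8032 test vector 1. The same seed yields a different public key under the other hash, and each variant rejects the other's signatures, which is why the result is a different scheme rather than "ed25519 with another hash".

```python
import hashlib

# Curve parameters from RFC 8032 section 5.1: field prime, curve constant d,
# group order q (the "l" in the Pollard-rho remark further down) and base point B.
p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p
q = 2**252 + 27742317777372353535851937790883648493
SQRT_M1 = pow(2, (p - 1) // 4, p)

def recover_x(y, sign):
    # Solve the curve equation for x given y and the parity bit (RFC 8032 5.1.3)
    if y >= p:
        return None
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p)
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p != 0:
        x = x * SQRT_M1 % p
    if (x * x - x2) % p != 0:
        return None
    return p - x if (x & 1) != sign else x

B_y = 4 * pow(5, p - 2, p) % p
B_x = recover_x(B_y, 0)
B = (B_x, B_y, 1, B_x * B_y % p)  # extended coordinates (X, Y, Z, T)

def point_add(P, Q):
    a = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    b = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    c = 2 * P[3] * Q[3] * d % p
    dd = 2 * P[2] * Q[2] % p
    e, f, g, h = b - a, dd - c, dd + c, b + a
    return (e * f, g * h, f * g, e * h)

def point_mul(s, P):
    Q = (0, 1, 1, 0)  # neutral element
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q

def point_equal(P, Q):
    return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0

def point_compress(P):
    zinv = pow(P[2], p - 2, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def point_decompress(s):
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % p)

def hash_mod_q(H, data):
    return int.from_bytes(H(data), "little") % q

def secret_expand(seed, H):
    # The hash enters key generation here: the secret scalar a is derived from H(seed).
    h = H(seed)
    a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]  # clamped scalar, nonce prefix

def secret_to_public(seed, H):
    a, _ = secret_expand(seed, H)
    return point_compress(point_mul(a, B))

def sign(seed, msg, H):
    a, prefix = secret_expand(seed, H)
    A = point_compress(point_mul(a, B))
    r = hash_mod_q(H, prefix + msg)
    Rs = point_compress(point_mul(r, B))
    s = (r + hash_mod_q(H, Rs + A + msg) * a) % q
    return Rs + s.to_bytes(32, "little")

def verify(public, msg, signature, H):
    if len(public) != 32 or len(signature) != 64:
        return False
    A, R = point_decompress(public), point_decompress(signature[:32])
    s = int.from_bytes(signature[32:], "little")
    if A is None or R is None or s >= q:
        return False
    h = hash_mod_q(H, signature[:32] + public + msg)
    return point_equal(point_mul(s, B), point_add(R, point_mul(h, A)))

SHA512 = lambda m: hashlib.sha512(m).digest()
# Stand-in for BLAKE3 (assumption: any 64-byte hash shows the same effect).
BLAKE2B = lambda m: hashlib.blake2b(m).digest()

def compare_schemes():
    # RFC 8032 section 7.1, TEST 1 (empty message): seed, public key and signature.
    seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    rfc_pub = "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"
    rfc_sig = ("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e0652249015"
               "55fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
    pub_std, pub_mod = secret_to_public(seed, SHA512), secret_to_public(seed, BLAKE2B)
    sig_std, sig_mod = sign(seed, b"", SHA512), sign(seed, b"", BLAKE2B)
    return {
        "standard_pubkey_matches_rfc": pub_std.hex() == rfc_pub,
        "standard_signature_matches_rfc": sig_std.hex() == rfc_sig,
        "same_seed_different_pubkey": pub_std != pub_mod,
        "modified_sig_verifies_under_modified_scheme": verify(pub_mod, b"", sig_mod, BLAKE2B),
        "modified_sig_rejected_by_standard_ed25519": not verify(pub_mod, b"", sig_mod, SHA512),
        "standard_sig_rejected_by_modified_verifier": not verify(pub_std, b"", sig_std, BLAKE2B),
    }

if __name__ == "__main__":
    for name, ok in compare_schemes().items():
        print(name, ok)
```

Every entry of `compare_schemes()` comes out `True`: the SHA-512 path reproduces the RFC key and signature, while the BLAKE2b path produces a different public key from the same seed and signatures that a standard Ed25519 verifier rejects. This is also what makes a separate `hash` argument in the ECC style unworkable here: the hash is fixed at key-generation time, not chosen per signature.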
@imachug I got it, that is why I did not replace sha512 in ed25519, but I don't think it is important what hashing function you use in ed25519.
I don't see here: https://ed25519.cr.yp.to/python/ed25519.py anything which would make the change impossible.
Bernstein clearly chose sha512 because there was no better hashing function at that time.
ed25519 is a well-known signing scheme, using a different hash function under the same name is confusing.
@imachug confusing, but it's faster and probably also more secure. We can change the name, that is not a big deal. ed25519 is in the public domain :wink:
@imachug what about this one? https://github.com/ZeroCoinOrganization :thinking: As you see I replaced sha512 in ZeroNet but not Bitcoin. Maybe "ZeroNet" or whatever we will call it should support both Bitcoin and ZeroCoin and ZeroCoin should use a modified ed25519 and the blake3 hashing function.
What I like about ed25519 and blake3 is that blake3 is super fast compared to sha2 and that ed25519 is faster and more secure than using a NIST curve (from NSA).
> confusing, but it's faster and probably also more secure. We can change the name, that is not a big deal. ed25519 is in the public domain :wink:
I'll add arbitrary parameter support.
@imachug This (modified ed25519 + blake3) should be ZeroCoin :+1:
Addresses can start with Z and not 1 for example. @filips123
ed25519's sha512 hashing is not modified. Addresses start with Z instead of 1. :wink:
```python
import binascii
import hashlib
import blake3    # third-party: pip install blake3
import ed25519   # third-party: python-ed25519
import base58    # third-party: pip install base58


def ripemd160(x):
    # RIPEMD-160 via OpenSSL (hashlib.new); returns the raw 20-byte digest
    d = hashlib.new('ripemd160')
    d.update(x)
    return d.digest()


for n in range(1, 10):
    signing_key, verifying_key = ed25519.create_keypair()
    vkey_hex = verifying_key.to_ascii(encoding="hex")   # 32-byte public key as 64 hex chars
    priv_key = signing_key.to_ascii(encoding="hex")     # 32-byte seed as 64 hex chars
    # priv_key is already hex, so it must not be hexlified a second time
    fullkey = '80' + priv_key.decode()
    blake3a = blake3.blake3(binascii.unhexlify(fullkey)).hexdigest()
    blake3b = blake3.blake3(binascii.unhexlify(blake3a)).hexdigest()
    WIF = base58.b58encode(binascii.unhexlify(fullkey + blake3b[:8]))   # 4-byte checksum
    # rebuild the signing key from the hex seed; the constructor needs encoding="hex"
    sk = ed25519.SigningKey(priv_key, encoding="hex")
    vk = sk.get_verifying_key()
    publ_key = '04' + binascii.hexlify(vk.to_bytes()).decode()
    hash160 = ripemd160(blake3.blake3(binascii.unhexlify(publ_key)).digest())
    publ_addr_a = b"\x51" + hash160   # 0x51 version byte gives base58 addresses starting with Z
    checksum = blake3.blake3(blake3.blake3(publ_addr_a).digest()).digest()[:4]
    publ_addr_b = base58.b58encode(publ_addr_a + checksum)
    print("ZeroCoin", str(n) + ": " + WIF.decode())
    print("ZeroCoin", str(n) + ": " + publ_addr_b.decode())
    print(vkey_hex)
    print(priv_key)
print("There you go, now we need to verify some signatures as next step... :roll_eyes:")
```
ZeroCoin 1: 2H3EcMpgxhpM7cMpALiFSQR1mS7gCJ3vVxMiK9fvCDoxb6q1d6vuedSGKAZtXJTSjx8gRwfbUFYHZ7STTYYkDKqEFpMwtXs
ZeroCoin 1: ZfMXCFy1TgwEasgLev2E4izQuRvMk51uNf
b'2c7bd56886591494a9a7d2918123fcec2247bfda874bb38433bce11033878467'
b'7e5c4720f546a08f511240a5a9010785c83df9490e8b775fb1f1ba6ce18d316b'
ZeroCoin 2: 2H9Mv3WotZGJKxQqiCwQ5Bu9KWC9ao8qFcSxKUKcLVuNyuErZFThGoVNBv89uS5e3SomjUnCsPUpiprjCkZRThWr8qHDW4X
ZeroCoin 2: ZzQjqhqaSACHpmXD1683FTPQqxZFbjYmv2
b'6b541f94e8162733a3823285070ba8346cd702b0b1b4dd5bd52aa87c08fdfc6a'
b'f883bd1bcd12898a171c07173e38147fd423736b8e4a877900ce0ca93cabfd86'
ZeroCoin 3: 2H3DBp2ngedQCVbWyRozqA7oGPnkRFzahAAj1QsbNPHGdy6UJUH4FMy8itth2wJMGpyMmFsniARVMWMCsdjda33aJ1dyCf8
ZeroCoin 3: ZuALdevDr6fgWBzFt7Gzo46hp2dVLX6ro3
b'46142af6a1f21d2abcb9785d887f1b13e5be776a457e088297bb3929acd03e5e'
b'751501aa9b2f53e02caf1ecbaa70358ed777185932e1459e0e9698f90975ceb7'
ZeroCoin 4: 2H3VhQdcXXWQhSUVMiAuhZEgKLZLpr2v5n6PsLcmzDLvfjpDmKDDKF7b3L4YHpRiSwY6SSp3X3cey24myZaGddSzfDpQHeu
ZeroCoin 4: Zi95Wj5pukhiU7SJ1mvAuQbWJvmzYJ4Hi5
b'd7ef0b00287918e86066824e3019231b747c5267f640b5d84878820bcd788189'
b'9b41b2db4a8667a444a521d31dda83865b412be26413364ee6f96d3f80469988'
ZeroCoin 5: 2H36xqkcfbci8RH9xGqNrGMdwnAtDZtWs66oHS5Wui9osUdkTS7v5jBQsUDdWHTTfBsg69LGmRYCUCedTMaQALBBkgR6k8U
ZeroCoin 5: ZqrnPCq8w6bYkqY3VqUh1JAjs5y9twFgRQ
b'98ca4ebf37ca574c06d4eab7a7e0990427e775ca25ecd752413760dfda94d460'
b'6c9c5541d088f39b19feb8f2bf2e3bf628283e754e616f30a24535fc885bdd39'
ZeroCoin 6: 2H8jLZgF4C7yp5bUiYUbMho16kmAmFhAMr44drbsawc5fs31LcqzC3HG1PVFQDnfDgZk2GZezbBoVeQkR8xLXaBx3ViS1EH
ZeroCoin 6: ZphU7FSfyxz7h3p8PRp4VB8b9A18ktQq85
b'7fad58781fa4ab19f277653ee6340b7765ee1d8333406a12ca53a94bf51a5960'
b'af46dbec245d7f6267e817dbeb8f7f53f0caa9a937ef934a23b1cd750d04699c'
ZeroCoin 7: 2H3Ee3yoKixkYH99JG8mePguoG8SH9bipcN4g1hdeRKDaDMh3JPAnv3gDaLifgdc8gZ92d1L21jaBrbLq45UUXBXnXqFZEL
ZeroCoin 7: ZvsY4M1VBbQ9tBEUHqkzE1TtJeFe2vPLeT
b'b5d62fd33a103f54455d5e7b0a8146db1f328ef6ff376853f4012268fd40517b'
b'7f1ec5b52a66545da2e64cc2a3bab81ab3b4d96132884c71c2f67a35c25c2719'
ZeroCoin 8: 2H2gvspKZHfUvpoBhHXTtc3mhBZdbRxinjbvEPRtK7H547cWkytzh7juX93raHihpXmX55DzCWEWY6Hi3NzhGkHb3n5dT8Z
ZeroCoin 8: Zcky3v7GhZrFaudG5RPsEtHSdUN59cbEKt
b'4d4a4c4db15944abf303d0f53c85cd5c206e8794766a64b27d9f01e0e6f2d043'
b'38c179e13f4bf2406a7fc91df60fba9e1b0e48516c7c993ed90844b60d173abf'
ZeroCoin 9: 2H3N5uoaGkjiWWNZZVaZWGmzqGjH71PP8kMG5YFpTFz1KKAdxsa8P8Y5C3JnVLtZDyUgWhmtCDX9oaZoFHSLNaQHJMoAtn9
ZeroCoin 9: Zi2b6DQg9KYhYBWGas8yyfcERcCjSNjTPA
b'6d27e0d3a163bc2bcd878609815f6a14ac58dd95351d6283653b9e6ac45d38ea'
b'8ae39f208e1bf5dfd0fa62129eaf47da3d6e205066a4a4dd8d176b3ff58cf1ac'
@imachug look:
```text
ZeroCoin "WIF": 2H2KVcnAHsSuBozQrmyzxWpRAPJtNMe6AqDVbTEQCpkkMi5QaJ83eZV8kDzSThPmozFhnAAEct9NfptnjbmokdHfQQ2E8pb
ZeroCoin Address: ZcdJ72138B7RLCV8CqdVzKFBWrbEsaYf5K
PubHex: b'0bfd80b406f073d559e1f7433ad1c8b9096aabfb3d191270e462d1c3fc81ed61'
Privhex: b'0e6cdc97c961fce212b30b38cffb72488a7e55bc45f805cfb23f80274082d33b'
FullPriv: 8030653663646339376339363166636532313262333062333863666662373234383861376535356263343566383035636662323366383032373430383264333362
FullPub: 043861376535356263343566383035636662323366383032373430383264333362
PrivDec: 30653663646339376339363166636532313262333062333863666662373234383861376535356263343566383035636662323366383032373430383264333362
PublDec: 3861376535356263343566383035636662323366383032373430383264333362
>>> len("30653663646339376339363166636532313262333062333863666662373234383861376535356263343566383035636662323366383032373430383264333362")
128
```
I think it is pretty cool! :partying_face:
Search space size (as a power of 10): 1.11 x 10^128
Time required to search (one hundred trillion guesses per second): 3.53 hundred million trillion trillion trillion trillion trillion trillion trillion trillion centuries
Perhaps you don't know cryptography well so I'll explain an issue in your calculations.
The search space size might be approx what you say but the required time is wrong. Pollard's rho will most likely find the private key within O(sqrt(l)) time where l is the order of the base point. For Ed25519 base point l is around 2^252, i.e. around 2^126 operations are required to break the key, or (in scientific notation) 8.5e37 operations, or around 10^14 centuries, which is much smaller than your expectation.
https://bitcointalk.org/index.php?topic=2859033.msg29494267#msg29494267
> exponentials confuse many people. The difference between 80-bit and 128-bit doesn’t sound like much. Whereas 2^128 work is more than 281 trillion times bigger than 2^80 work. To do 2^80 work is feasible today, albeit costly in the extreme. To do 2^80 work more than 281 trillion times over is humanly impossible and unthinkable.
:rofl:
In any case @imachug, ed25519 keys + blake3 hashing is way more secure and faster than ECDSA and NIST P-256 (NSA's sha2) which is used in Bitcoin.
Ohh and something else, the ed25519 python lib is very slow, that is why you should at least support ed25519 in sslcrypto. I will change the hashing function in ed25519 afterwards because nothing should be implemented which "requires the approval" of the National Security Agency of the United States of America.
Remember when Bernstein sued the U.S. Government? :thinking: https://en.wikipedia.org/wiki/Bernstein_v._United_States
This is still the law of the United States of America: https://www.ecfr.gov/cgi-bin/text-idx?node=pt22.1.121#se22.1.121_11
United States Munitions List
Category XIII
(b) Information security or information assurance systems and equipment, cryptographic devices, software, and components, as follows: (1) Military or intelligence cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components, and software (including their cryptographic interfaces) capable of maintaining secrecy or confidentiality of information or information systems, including equipment or software for tracking, telemetry, and control (TT&C) encryption and decryption.....
I bet if Satoshi Nakamoto had had information about ed25519 and BLAKE3 then he would not have used any algorithm designed by the NSA in Bitcoin. Unfortunately both ed25519 and BLAKE3 were released later. Another possibility is that he was well aware of the dangers of creating something which can be classified as a "munition" :roll_eyes: by the State Department :rage: and he intentionally used that NIST curve and sha2.

@imachug In ZeroNet you could also quickly implement version 3 onion addresses once you finish implementing ed25519 in your sslcrypto.
https://github.com/HelloZeroNet/ZeroNet/tree/py3/src/Crypt needs a new file CryptEd.py :rofl: for example, and https://github.com/HelloZeroNet/ZeroNet/blob/py3/src/Tor/TorManager.py needs some care. Again, I don't think so, and I am not supporting the idea of having backward compatibility in this case either. Tor version 3 is way better, faster and more secure.
In my opinion CryptRSA.py could also be dropped from ZeroNet in favour of ed25519 only. (Yes, also for certificates.)
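Version 3 onion addresses are indeed just an encoding of an Ed25519 public key, which is why they fall out of Ed25519 support almost for free. The block below is an added example, not ZeroNet's or sslcrypto's code: it derives a v3 address from a 32-byte public key following the Tor rend-spec-v3 formula (`base32(PUBKEY | CHECKSUM | VERSION)` with `CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]` and `VERSION = 3`), and parses one back, rejecting a bad checksum, wrong version byte or wrong length. It uses only the standard library; the sample key is the RFC 8032 test-vector-1 public key, chosen so the output is reproducible, not a real service.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"   # v3 onion service version byte (rend-spec-v3)
ONION_SUFFIX = ".onion"

def onion_checksum(pubkey):
    # CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]

def onion_address(pubkey):
    """Encode a 32-byte Ed25519 public key as a lowercase v3 onion address."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion services use a 32-byte Ed25519 public key")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION   # 35 bytes = 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ONION_SUFFIX

def parse_onion_address(addr):
    """Return the embedded Ed25519 public key, or None if the address is not a valid v3 address."""
    if not addr.endswith(ONION_SUFFIX):
        return None
    label = addr[:-len(ONION_SUFFIX)]
    if len(label) != 56:   # v2 addresses were 16 chars; anything else is malformed
        return None
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:     # binascii.Error is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey

# Sample key: RFC 8032 section 7.1 TEST 1 public key (a published test vector, not a live service).
SAMPLE_PUBKEY = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")

if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print(addr)
    print("round trip ok:", parse_onion_address(addr) == SAMPLE_PUBKEY)
```

Because the version byte 0x03 lands in the final base32 character, every valid v3 address ends in `d` before `.onion`; a parser that validates the checksum and version byte, as above, is what a TorManager replacement needs before it trusts an address it reads from a peer or a config file.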
I am kind of interested in getting it supported. Is there some news?
> EdDSA, Ed25519 (Curve25519 + SHA512) signature