New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: crypto/elliptic support x25519 #29128
Comments
CC @FiloSottile @agl |
https://godoc.org/golang.org/x/crypto/curve25519 is intended to handle this. Does that work for you? |
I've tried using that, but I'm not quite sure how I was supposed to use it.
I'm trying to utilize go-ethereum's ecies code, and most of the functions take in an elliptic.Curve as a parameter so that won't work. I've tried converting what you linked to an elliptic.Curve but in the end I was missing Add, Double and IsOnCurve (well, I managed to solve that one with a bit of math) methods and ScalarBaseMult took in the wrong types.
… On 07 Dec 2018, at 01:04, Adam Langley ***@***.***> wrote:
https://godoc.org/golang.org/x/crypto/curve25519 is intended to handle this. Does that work for you?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
I don't think this is a proposal so much as a question then. (An elliptic.Curve for X25519 doesn't really make sense because it's implemented as a Montgomery ladder, so Add and Double don't fit. You can work on Ed25519 in that fashion, but then you would need to to the isogeny mapping.) Basically, ECIES just means Diffie–Hellman with an AEAD. So, to do that with X25519 you:
But really you want to avoid having to worry about the above. https://godoc.org/golang.org/x/crypto/nacl/box handles this for you in a standard format that interoperates with NaCl, libsodium, and several other libraries. |
Okay, I believe the issue can be closed then.
I just want to confirm that I can use NaCl crypto box for hybrid encryption, as I need to encrypt potentially very long messages.
Thanks for taking the time to help me. I really appreciate it.
… On 07 Dec 2018, at 04:06, Adam Langley ***@***.***> wrote:
I don't think this is a proposal so much as a question then. (An elliptic.Curve for X25519 doesn't really make sense because it's implemented as a Montgomery ladder, so Add and Double don't fit. You can work on Ed25519 in that fashion, but then you would need to to the isogeny mapping.)
Basically, ECIES just means Diffie–Hellman with an AEAD. So, to do that with X25519 you:
Generate a random private key.
Generate the public key from the private key with ScalarBaseMult.
To encrypt to another public key, calculate the shared key by hashing the ScalarMult of your private key and their public key, and use that to key an AEAD like AES-GCM. If you always generate a fresh private key then you can set the AEAD nonce to zero. Send your public key and the AEAD ciphertext.
To decrypt a message, calculate the ScalarMult of your private key with their public key and open the AEAD ciphertext.
But really you want to avoid having to worry about the above. https://godoc.org/golang.org/x/crypto/nacl/box handles this for you in a standard format that interoperates with NaCl, libsodium, and several other libraries.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
See the package comment about long messages. Roughly: don't have long messages. Rather, put a random key and a total length in the box. Then chunk the message into ~16KiB chunks and use secretbox on each one with an incrementing nonce. When decrypting, check that you got as many bytes as expected to prevent truncation at a chunk boundary. |
@agl To be clear, I want to do something like this: I cannot currently do this, as the app doesn't know the private key in step 1, and nacl/box wants it for encryption. UPDATE: Okay, I seem to have found a solution, but please tell me if this is insecure/your general opinion on this solution.
Thanks in advance. |
X25519 is still a good way to do what you want, but it's a Diffie–Hellman scheme, not a public-key encryption scheme or a KEM. (Some people find this paint analogy to be useful.) A DH scheme provides a function the generates a shared key between a private key and a public key. Therefore to make a public-key encryption scheme one generally generates a random, ephemeral private key for each encryption operation, encrypts the data with the resulting shared key, and stores the ephemeral public key along with the data. The documentation for libsodium's “sealed boxes” says that is what it's doing under the covers. (libsodium's version of x/crypto's box API is here). In your update you suggest using a zero private-key for all operations. But zero isn't very random so it would be trivial for anyone to decrypt that. I would suggest mirroring what libsodium does here. |
Ah! I missed that. Thank you so much! Click to expand )
|
@MetalBreaker thanks for the code snippet above, I was trying to find the equivalent of blake2b in go and was surprised it was actually part or the crypto library. It's good to know since libsodium's crypto_box_seal() takes no nonce as argument but its internal implementation uses black2b() to create the nonce. Your above example shows how the nonce is created. |
@Baha-sk Haha, this was a long time ago. I remember spending quite some time deciphering the documentation and original C (or C++? Can't remember, doesn't matter) libsodium code and writing a Go equivalent, so I figured it'd be nice to share that code snippet. |
@MetalBreaker much appreciated!!! You definitely saved me the time of researching this nonce creation :) yeah, libsodium is C code Thanks so much! |
You're welcome. 😄
…On Thu, 22 Aug 2019, 17:31 Baha-sk, ***@***.***> wrote:
@MetalBreaker <https://github.com/MetalBreaker> much appreciated!!!
You definitely saved me the time of researching this nonce creation :)
yeah, libsodium is C code
Thanks so much!
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#29128?email_source=notifications&email_token=ABUWEHYSJAAPBNEQVX226P3QF2WOPA5CNFSM4GI5WAL2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD45OZWA#issuecomment-523955416>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABUWEH4UBUOMBHZ646MVUW3QF2WOPANCNFSM4GI5WALQ>
.
|
Currently, there's no way to use the x25519 curve in Golang outside of TLS.
I believe implementing it in crypto/elliptic would help a lot of people using the curve for non-TLS purposes (i.e. with an ECIES library), including me.
Thanks in advance.
The text was updated successfully, but these errors were encountered: