proposal: crypto: support bn, nums, sm2 curves #52778
Comments
|
Could you refer which issue that obsolete all these curve parameters? Thanks. |
seankhliao
added
the
Proposal-Crypto
seankhliao
changed the title
|
Those 2 repos were created in the last week. If there are no real world applications using these, I don't see why they should be included in standard library, especially if they are obsolete. |
|
First, I may not have expressed myself well, none of them are obsolete. They are just out of use. I created the library a week ago but I've been looking for them for years. Regarding FiloSottile's comment, he must have been referring to bn158, bn190, bn222, bn254, bn286, bn318, bn350 etc. But I don't know precisely in which proposal this was denied. The ones I asked to include Fp256BN and Fp512BN are not obsolete, see: https://tools.ietf.org/id/draft-kasamatsu-bncurves-01.html Obviously there won't be applications that use them, because in practice they don't exist yet. They are in disuse. To be more specific: Fp256BN (2014) ISO/IEC 15946-5:2022 I need TLS 1.2 support for these, without needing to fork some version of Go, so I need to patch each update to use unconventional algorithms that are more secure than Secp256r1/Secp256k1 (1985-2001). One way would be providing the OID in the *elliptic.CurveParams.. |
|
CC @golang/security |
Why do you need TLS 1.2 support for these? |
|
This proposal has been added to the active column of the proposals project |
|
Greetings! I need it because they are newer. I mean, the French government released the curve FRP256v1 for this purpose: to be free and utilised. They are free and already exist in my repository. It is difficult to understand why the algorithms around the world are discarded. The question must be: I am just proposing that the new generation of curves be included and not replace the existing ones. But just in TLS and x509 libraries; In fact they all have an elliptic.Curve/*ecdsa.PrivateKey interface. We would only need to add the OIDs to avoid the "unknown curve" error, the other components of the library remain intact. Sm2 already exists on OpenSSL as GOST2012_512 Like I said, it's very recent, there's no applications, You will be pioneer Cheers and sorry bad English |
|
The algorithms Go chooses to support is part of a balance that attempts to provide the highest level of security we can for the lowest cost of complexity and operational burden. Generally our stance is that an algorithm or signature scheme should not be included simply because it exists, but because there is an exigent need for it, or because it truly offers a significantly higher level of security than what is currently available and that there is a industry wide move towards supporting it. Since it is much harder to remove support for an algorithm than it is to add one, and without significant users of these algorithms, I think we would be extremely reluctant to support them. |
|
@rolandshoemaker ECDSA and RSA isn't highest level of security and lowest cost of complexity. RSA is broken depending on the key size and at a high cost compared to elliptic curves, and ECDSA is authored by the NSA, which says a lot about its security. With only one algorithm left that would survive the Post-Quantum era, it's a tough choice. |
I don't know whether we should do this or not, I just want to note that being a pioneer is not a goal of the Go standard library. |
|
This sounds quite strange even because it's an innovative language in which I'm able to write and compile programs from my windows 7 to run on linux machines, Android phones and Raspberry Pi (and vice-versa). There is no other language that does this without the need to install toolchains, which is why I chose it. (I humbly ask those who don't want to help not to get in the way, it's been hard enough to get here.) |
|
It sounds like we are not ready to commit to having these in our tree (making them very hard to remove). It should be possible to maintain them out of tree as needed. |
|
Based on the discussion above, this proposal seems like a likely decline. |
|
No coments. |
|
This proposal has been declined as retracted. |
|
Greetings, I want to rectify my last comment and reopen the proposal with only the Koblitz SecP256k1, SM2, Brainpool and FRP256v1 algorithms (which is already in use in OpenSSL and LibreSSL). Thanks |
|
Based on the comments above (#52778 (comment)) I think the decision stands. |
|
An unwise decision, sounds like censorship yes, not rule of minimum effort. I could perfectly close the proposal after the negative, I appreciate at least this effort. |
Greetings!
fp256BN/fp512BN (Barreto-Naehrig), frp256v1, Nothing Up My Sleeve (NUMS) curves, ECGOST2012 (GOST R 34.10-2012), and sm9p256v1 (GM/T 0044-2016), at least SM2, TLS 1.2 support, please!
There is a proposal* where @FiloSottile claims the BN curves are obsolete.. well here is two examples of a public key algorithm, are identity-based encryption (IBE):
https://github.com/pedroalbanese/bn (ISO/IEC 15946-5:2022)
https://github.com/pedroalbanese/sm9 (GM/T 0044-2016)
Thanks in advance!
The text was updated successfully, but these errors were encountered: