signature 2.0 tracking issue #237
Comments
|
Is there are plan to extend traits to support Schnorr signatures where it's necessary to specify a Fiat-Shamir transformation function over message, public key and nonce? Same thing potentially applies to EdDSA. Separately, hazmat functions take scalar-like secret value https://docs.rs/ecdsa/0.8.1/ecdsa/hazmat/trait.SignPrimitive.html Would it be reasonable to separate/duplicate Scalar into PublicScalar ( |
In cases like this, https://docs.rs/ed25519-dalek/1.0.1/ed25519_dalek/struct.Keypair.html#impl-Signer%3CSignature%3E
The closest thing to that right now is the https://docs.rs/elliptic-curve/0.6.2/elliptic_curve/secret_key/struct.SecretKey.html |
|
I prefer if symmetric cryptography overall transitioned to more flexible STROBE-like constructions, ala merlin, etc., and abstractions that permit judicious usage of asymmetric primitives, ala zk circuit friendly primitives, MuSig-DN, etc. I presume this lies beyond the RustCrypto "mandate", which seems more about providing monomorphised but flexible access to the historical constructions. I therefore do not view this as particularly relevant here, but really "signatures" should be doing this aggressively. I want VRFs to become "user friendly" too. I think teaching "VRFs are signatures" is a part of that story, but actually placing VRFs and signatures behind a common abstraction sounds far more harmful than useful: Almost all sane VRFs sign two+ things while signatures sign only one. VRFs require different batching interfaces. etc. Again nothing relevant for signature 2.0 I think, but I'll keep experimenting with different VRF interfaces elsewhere. |
RustCrypto generally has a focus on "mainstream" cryptography, for lack of a better word.
I'm a big fan of VRFs and perhaps RustCrypto should provide some VRF traits. I definitely also think of them as a (randomly) commit and verify scheme consisting of a random-looking value and a proof, where in many use cases you want to publish the former and sequester the latter. |
|
I took a direct approach to a VRF interface in https://github.com/w3f/schnorrkel/blob/master/src/vrf.rs but the results proved disappointing. I'm experimenting with a new de-builder methods approach in https://github.com/w3f/ring-vrf/blob/master/src/schnorr.rs but maybe overly complex. It's tricky because you have n+1 messages, and n outputs for which you should often but not always hide access until after verification, you need pre-outputs to be serializable only inside the signature, not hashable, etc., your batch verifiable form differs, and this pre-ring VRF has another component that interfaces with the SNARK. Aside form ring/group VRFs, there are no good options besides Schnorr DLEQ proofs, like VEd25519, schnorrkel, etc. right now: Any unique signature like BLS, RSA-FDH, etc. suck because you always want a VRF signature to sign extra data not fed into one of the VRF inputs in practice. Rabin-Williams might prove interesting, purely for speed. And PQ sounds wide open. |
|
Hey Jeff! :) I would love to see good generic MuSig-DN with may be other hash function to generate nonce, e.g. Rescue is as good PRF for this purpose and should have less constraints. |
|
A note on this:
We still need to support variable-width signatures for ASN.1 DER-encodings. So it seems we may need separate traits to support fixed-width versus variable-width encodings. |
This commit contains the first breaking changes to the `signature` crate made since its initial 1.0 stabilization. Planning for these changes occurred in #237. The following changes have been made: - The `Signature` trait has been renamed to `SignatureEncoding`. The `Signature` bound on `*Signer` and `*Verifier` traits has been removed, meaning there are no longer any mandatory trait bounds on the signature paramters at all. - The `AsRef<[u8]>` bound formerly found on the `Signature` crate has been replaced with an associated `Repr` type, inspired by the `group::GroupEncoding` trait. This means signature types no longer need to retain a serialized form, and can parse the bag-of-bytes representation to something more convenient, which is useful for e.g. batch verification. - The `std` feature is no longer enabled by default, which matches the other RustCrypto/traits crates. - The `derive-preview` and `hazmat-preview` features have been stabilized. - The former `Keypair` trait has been renamed to `KeypairRef`, and the signature generic parameter removed. A new `Keypair` trait has been added which returns an owned instance of the associated `VerifyingKey`, and a blanket impl of `Keypair` for `KeypairRef` has been added. This addresses the issues described in #1124.
|
I've opened a PR which prospectively implements some of the changes planned in this issue: #1141 |
This commit contains the first breaking changes to the `signature` crate made since its initial 1.0 stabilization. Planning for these changes occurred in #237. The following changes have been made: - The `Signature` trait has been renamed to `SignatureEncoding`. The `Signature` bound on `*Signer` and `*Verifier` traits has been removed, meaning there are no longer any mandatory trait bounds on the signature paramters at all. - The `AsRef<[u8]>` bound formerly found on the `Signature` crate has been replaced with an associated `Repr` type, inspired by the `group::GroupEncoding` trait. This means signature types no longer need to retain a serialized form, and can parse the bag-of-bytes representation to something more convenient, which is useful for e.g. batch verification. - The `std` feature is no longer enabled by default, which matches the other RustCrypto/traits crates. - The `derive-preview` and `hazmat-preview` features have been stabilized. - The former `Keypair` trait has been renamed to `KeypairRef`, and the signature generic parameter removed. A new `Keypair` trait has been added which returns an owned instance of the associated `VerifyingKey`, and a blanket impl of `Keypair` for `KeypairRef` has been added. This addresses the issues described in #1124.
This commit contains the first breaking changes to the `signature` crate made since its initial 1.0 stabilization. Planning for these changes occurred in #237. The following changes have been made: - The `Signature` trait has been renamed to `SignatureEncoding`. The `Signature` bound on `*Signer` and `*Verifier` traits has been removed, meaning there are no longer any mandatory trait bounds on the signature paramters at all. - The `AsRef<[u8]>` bound formerly found on the `Signature` crate has been replaced with an associated `Repr` type, inspired by the `group::GroupEncoding` trait. This means signature types no longer need to retain a serialized form, and can parse the bag-of-bytes representation to something more convenient, which is useful for e.g. batch verification. - The `std` feature is no longer enabled by default, which matches the other RustCrypto/traits crates. - The `derive-preview` and `hazmat-preview` features have been stabilized. - The former `Keypair` trait has been renamed to `KeypairRef`, and the signature generic parameter removed. A new `Keypair` trait has been added which returns an owned instance of the associated `VerifyingKey`, and a blanket impl of `Keypair` for `KeypairRef` has been added. This addresses the issues described in #1124.
This commit contains the first breaking changes to the `signature` crate made since its initial 1.0 stabilization. Planning for these changes occurred in #237. The following changes have been made: - The `Signature` trait has been renamed to `SignatureEncoding`. The `Signature` bound on `*Signer` and `*Verifier` traits has been removed, meaning there are no longer any mandatory trait bounds on the signature paramters at all. - The `AsRef<[u8]>` bound formerly found on the `Signature` crate has been replaced with an associated `Repr` type, inspired by the `group::GroupEncoding` trait. This means signature types no longer need to retain a serialized form, and can parse the bag-of-bytes representation to something more convenient, which is useful for e.g. batch verification. - The `std` feature is no longer enabled by default, which matches the other RustCrypto/traits crates. - The `derive-preview` and `hazmat-preview` features have been stabilized. - The former `Keypair` trait has been renamed to `KeypairRef`, and the signature generic parameter removed. A new `Keypair` trait has been added which returns an owned instance of the associated `VerifyingKey`, and a blanket impl of `Keypair` for `KeypairRef` has been added. This addresses the issues described in #1124.
This commit contains the first breaking changes to the `signature` crate made since its initial 1.0 stabilization. Planning for these changes occurred in #237. The following changes have been made: - The `Signature` trait has been renamed to `SignatureEncoding`. The `Signature` bound on `*Signer` and `*Verifier` traits has been removed, meaning there are no longer any mandatory trait bounds on the signature parameters at all. - The `AsRef<[u8]>` bound formerly found on the `Signature` crate has been replaced with an associated `Repr` type, inspired by the `group::GroupEncoding` trait. This means signature types no longer need to retain a serialized form, and can parse the bag-of-bytes representation to something more convenient, which is useful for e.g. batch verification. - The `std` feature is no longer enabled by default, which matches the other RustCrypto/traits crates. - The `derive-preview` and `hazmat-preview` features have been stabilized. - The former `Keypair` trait has been renamed to `KeypairRef`, and the signature generic parameter removed. A new `Keypair` trait has been added which returns an owned instance of the associated `VerifyingKey`, and a blanket impl of `Keypair` for `KeypairRef` has been added. This addresses the issues described in #1124.
|
#1141 has been merged |
Uh oh!
There was an error while loading. Please reload this page.
This is a tracking ticket for potential breaking changes to the
signaturecrate which target a 2.0 release. There's no planned release date for this besides "some time after a minimum viable implementation of const generics in stable Rust", so this issue is mostly for brainstorming and tracking current defects/issues which require SemVer breaking changes to address.As a bit of background, the impetus for stabilizing an initial 1.0 release was to also allow for a 1.0 release of the
ed25519crate. Thesignatureanded25519crates together allow for writing code which is generic over how Ed25519 signing and/or verification is implemented. These traits and signature types are now used byed25519-dalekas well as thesignatorycrates.This stabilization, while providing a useful 1.0 for Ed25519, made a number of compromises (see #78). Most notably, while there are many ways it could benefit from either
generic-arrayor const generics, the public API avoided them both, mainly to avoid having everygeneric-arraybump be a SemVer breaking change and get to a reasonably useful 1.0 quickly.All of that said, it seems the minimum viable implementation of const generics may be coming sooner than we think, potentially in 2020. This issue is intended to track potential proposals that could use them, as well as existing API defects it'd be nice to fix in a SemVer breaking release.
Replace
AsRef<[u8]>bound onSignaturetrait with associatedconst SIZEandInto<[u8; Self::SIZE]>boundThe
AsRefbound provides a common API for converting a signature into a byte slice, but has the following limitations:Intoconversion to a byte array, allowing an intermediate serialization step from these well-structured types to a "bag-of-bytes" wire representation.Disable
stdCargo feature by defaultThis is a notable inconsistency with the other
RustCrypto/traitscrates, and since all of these crates have ano_stdfocus, it's nice to have this off-by-default.The
stdfeature is used entirely for the purposes of error handling to gate astd::error::Errorimpl which, whenstdis available, can provide aBox-ed source.Error improvements
Presently in any
no_stdcontext, including ones withalloc, the error source is lost. It seems like some middle ground is possible in thealloccase, like retaining thesource, but exposing it through an inherent method rather thanstd::error::Error. This could even be defined in a way that's purely additive by having thestd::error::Errorimpl invoke the inherentError::sourcemethod.Stabilization of
*-previewfeatures.Since many features of the
signaturecrate are also blocked on const generics for a 1.0 release, they were shipped as*-previewfeatures, with a SemVer guarantee that breaking changes to*-previewfeatures would come with a minor version bump (more or less the same way it works with 0.x versions).There are open tracking issues for each of these features:
digest-preview: providesDigestSigner,DigestVerifier, andDigestSignature(signature: tracking issue fordigeststabilization (DigestSigner, DigestVerifier, and DigestSignature) #92)rand-preview: providesRandomizedSigner; blocked onrand_core1.0 (signature: tracking issue forrand_core(RandomizedSigner) stabilization #94)It would probably make sense to stabilize the
digestfeature first via a const generics-baseddigest1.0 crate, then havesignature2.0 depend ondigest1.0 (See #238).The text was updated successfully, but these errors were encountered: