-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rabin-Williams signatures #118
Comments
|
I suppose the dynamic scheme would keep the runtime key size, but separate it from a type level bound on key size? Is there any reason to preserve a dynamic allocation support? I guess some people use this for crazy key sizes in GPG, but not sure if that really ever matters. Afaik Rabin-Williams never requires dynamic allocation because if you're using it then you're likely after raw performance, so you'll even explore things like 1536 bit keys probably. |
I wrote this originally for https://github.com/rpgp/rpgp/ which requires the support of dynamic key sizes. |
Probably, haven't really looked into it yet. |
How dynamic? Is there a fixed list of supported key sizes, or are you trying to support any possibility? |
I can probably get away with supporting everything up to |
Yikes, really? I’m reminded of this issue: RustCrypto/crypto-bigint#28 (comment) It would be simple enough to have an enum with e.g. However, if you need to support every key size under the sun up to 15360 bits, it sounds like you’re probably better off with the current backend. Perhaps through judicious use of traits it would be possible to support both, with cc @elichai |
also cc @mikelodder7 who wrote |
How often do you encounter "weird" (e.g. 4224 bits) key sizes in practice? On a first glance it looks like it will be better to create a list of 8-16 popular key sizes and use the smallest fitting one for "weird" ones. API wise I think that such approach will be simpler than trying to fit stack and heap allocating backends into the same interface. And while binary bloat is unfortunate, I think performance-wise it will be a win in most cases. |
I'd think a If you want gpg using crypto-bigint then one could expose type information bounding the key size, so that only gpg monomorphizes for 15360bits. I doubt people care much about performance when using gpg though. |
If I understand @tarcieri you envision types and routines here gain a Any actual enum would live inside https://github.com/rpgp/rpgp/, yes?
You care about legacy RSA working without an allocator, I guess? If not another option would be doing an entirely separate Rabin-Williams crate, loosely based off AGL's C code and this crate, but using crypto-bigint and removing legacy cruft. It's plausible dynamic allocation is always fast enough for RSA, so any new protocol which cares about performance should use Rabin-Williams anyways. |
Yes, it's designed to support heapless operation and hopefully eventually the However, I suggested |
Rabin-Williams signatures are RSA-like signatures with extreme verifier speed optimizations, but enough overlap with RSA exists that maybe Rabin-Williams should be done inside this repository? Thoughts?
Afaik, we've no off the shelf Rabin-Williams implementations, but.. Dan Bernstein explains the optimization options in https://cr.yp.to/sigs/rwsota-20080131.pdf especially sections 7-10. See also https://cr.yp.to/sigs/rwtight-20080201.pdf Also in 1008, Adam Langely implemented Rabin-Williams in C with 1024 bit public keys and compressed 64-byte signatures. It's based upon GMP but verifiers still run like 22 times faster than Ed25519.
It's possible Rabin-Williams' deployment might choose fixed size keys, thereby avoiding dynamic allocation in verifiers, although maybe that's kinda too extreme. I gather @tarcieri's crypto-bigint crate exists to make this possible, even for RSA though, so..
I'm think that, after this crate or some fork adopts @tarcieri's crypto-bigint crate, then we could reimplement Adam Langely's C code, attempting to reuse as much of the RSA crate as convenient. Thoughts?
cc @mmagician @drahnr
The text was updated successfully, but these errors were encountered: