MerosCrypto / Meros

An instant and feeless cryptocurrency for the future, secured by the Merit Caching Consensus Mechanism.
https://meroscrypto.io

Meros should use Ristretto instead of Ed25519. #266

Closed by kayabaNerve 3 years ago

kayabaNerve commented 3 years ago

The below explains the problems with Ed25519. Ristretto ships without these problems, thanks to incredibly clever design, despite being based on the same curve. It also doesn't have a noticeable performance difference and enables several algorithms such as stock BIP 32 (as we use a version modified for Ed25519 with worse security policies; notably the requirement of a derivation depth to stop key leakage), Schnorr (which shouldn't matter for us), and more efficient Bulletproofs (which may matter to us in the future).

Compatibility is still a concern. There are much fewer Ristretto libraries out there. That said, it's easily possible to build Ristretto on top of existing Ed25519 libraries thanks to them sharing a curve. It's been picked up by C's libsodium (which we used to use for Ed25519), Rust's dalek, multiple JS libraries, a Java library, and even Zig's stdlib. I'm really not concerned about this.

Original title: Ed25519 usage isn't stable.

Original post:

Stable doesn't refer to consistency when running here. I am NOT worried or discussing some arbitrary invalid Ed25519 signatures being considered valid one moment and not the next. Rather, I am referring to implementation differences in Ed25519 libraries which can cause splits between implementations.

https://hdevalence.ca/blog/2020-10-04-its-25519am is a great blog post detailing this in depth.

As someone who believes in protocol > implementation, and wants to also host a Rust node, this is a critical consideration to have now before it bites us later.

While we add additional consensus rules, we may also consider banning the torsion points.

Some relation to #199.

kayabaNerve commented 3 years ago

It should be noted we do currently ban all zero public keys from being signed for, for the purposes of creating a definitive burn address.
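The two consensus-level rules this thread discusses, banning torsion points (first comment) and banning the all-zero public key (comment above), as an added example that is not Meros code and is not taken from any of the libraries the thread names. It is pure Python over the edwards25519 parameters from RFC 8032, so it runs offline. It shows why a decoder alone is not enough: a strict decoder rejects non-canonical encodings (which lenient libraries silently reduce mod p, one of the divergences the linked blog post describes), but a key with a torsion component decodes cleanly and only a cofactor/subgroup check catches it. The RFC 8032 section 7.1 test-vector public key is used as the known-good input; the other inputs (the y = p + 1 encoding and the key-plus-order-2-point) are constructed here for the demonstration.

```python
# Added example (not Meros code): strict Ed25519 public-key acceptance checks
# in pure Python, using the edwards25519 parameters of RFC 8032 section 5.1.

p = 2**255 - 19                                      # field prime
d = (-121665 * pow(121666, p - 2, p)) % p            # curve constant
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
SQRT_M1 = pow(2, (p - 1) // 4, p)                    # sqrt(-1) mod p (p = 5 mod 8)
IDENTITY = (0, 1)

# RFC 8032 section 7.1, test 1 public key: a valid, torsion-free key.
RFC8032_PUBKEY_HEX = "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"


def point_add(P, Q):
    """Complete affine addition on -x^2 + y^2 = 1 + d*x^2*y^2 (no exceptional cases)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % p, p - 2, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % p, p - 2, p) % p
    return (x3, y3)


def point_mul(k, P):
    """Double-and-add scalar multiplication; not constant time, public data only."""
    R = IDENTITY
    while k > 0:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def decode_point(enc):
    """Strict RFC 8032 decoding: fails on y >= p and on x == 0 with the sign bit set.
    Lenient libraries reduce y mod p instead, so the same bytes can be a valid
    key in one implementation and an error in another."""
    if len(enc) != 32:
        raise ValueError("wrong length")
    y = int.from_bytes(enc, "little")
    sign = y >> 255
    y &= (1 << 255) - 1
    if y >= p:
        raise ValueError("non-canonical y")
    u = (y * y - 1) % p
    v = (d * y * y + 1) % p
    x2 = u * pow(v, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)          # candidate square root
    if (x * x - x2) % p != 0:
        x = x * SQRT_M1 % p               # other candidate
    if (x * x - x2) % p != 0:
        raise ValueError("not on curve")
    if x == 0 and sign == 1:
        raise ValueError("non-canonical x")
    if (x & 1) != sign:
        x = p - x
    return (x, y)


def encode_point(P):
    """Standard compressed encoding: y with the parity of x in the top bit."""
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def classify_public_key(enc):
    """Consensus-level rule for a 32-byte public key: reject anything that is
    not a canonical encoding of a point in the prime-order subgroup."""
    try:
        P = decode_point(enc)
    except ValueError as e:
        return "reject: " + str(e)
    if point_mul(8, P) == IDENTITY:       # cofactor check: the 8 small-order points
        return "reject: small-order point"
    if point_mul(L, P) != IDENTITY:       # subgroup check: valid point + torsion
        return "reject: torsion component"
    return "accept"


def with_torsion(enc):
    """Constructed input: a valid key plus the order-2 point (0, -1). It decodes
    cleanly, but cofactored and cofactorless verifiers disagree about it."""
    P = decode_point(enc)
    return encode_point(point_add(P, (0, p - 1)))


if __name__ == "__main__":
    samples = {
        "RFC 8032 key": bytes.fromhex(RFC8032_PUBKEY_HEX),
        # The all-zero key decodes to (sqrt(-1), 0), an order-4 point, so the
        # cofactor check rejects it even without a special-case rule.
        "all-zero key": bytes(32),
        "identity point": bytes([1]) + bytes(31),
        "y = p + 1": bytes.fromhex("ee" + "ff" * 30 + "7f"),
        "key + torsion": with_torsion(bytes.fromhex(RFC8032_PUBKEY_HEX)),
    }
    for name, enc in samples.items():
        print(f"{name:15s} {classify_public_key(enc)}")
```

The order of the checks matters: the cofactor check (8P = identity) only catches the eight small-order points, while the subgroup check (L*P = identity) catches a legitimate key that has had a small-order point added to it. A node that enforces both, and rejects non-canonical encodings up front, no longer depends on which Ed25519 library its peers happen to link.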

kayabaNerve commented 3 years ago

Moving to Ristretto255 is being considered, especially as we use BIP 32 (the version proposed by Cardano).

It fixes these problems and has support, yet still isn't widely supported. It has a Java impl, and should work without issue on a Ledger hardware wallet, yet the only Python for it is bindings to C implementations (such as libsodium, which demonstrates how it's being adopted).

kayabaNerve commented 3 years ago

https://github.com/MerosCrypto/Meros/commit/0cbecfb65d19fcc3bc0b4546fdc8eac48ed232e0 is relevant.

kayabaNerve commented 3 years ago

Closed in https://github.com/MerosCrypto/Meros/commit/74642d2766c2a9f59f286907d28f43c862647364.