Consider moving to BouncyCastle signature generation and verification

Question

Consider moving to BouncyCastle signature generation and verification

AnnaShaleva opened this issue 3 months ago · comments

Summary or problem description
This is a discussion issue raised in #3209 (comment). The suggestion from @vang1ong7ang is to use BouncyCastle for both Secp256k1/r1 and SHA256/Keccak256 signature generation and verification instead of a mix of built-in and BouncyCastle usages.

Read the conversation for context, please, and add your opinions. An alternative - to leave this code as it is now.

Where in the software does this update applies to?

Crypto

Shargon · Answer 1 · Thu May 09 2024 14:57:15 GMT+0800 (China Standard Time)

Do you have benchmarks?

Anna Shaleva · Answer 2 · Thu May 09 2024 14:59:14 GMT+0800 (China Standard Time)

Do you have benchmarks?

Well, I think it's a question to @vang1ong7ang, since I'm stick to the second option, to keep it as it is now.

Shargon · Answer 3 · Thu May 09 2024 15:03:00 GMT+0800 (China Standard Time)

Do you have benchmarks?

Well, I think it's a question to @vang1ong7ang, since I'm stick to the second option, to keep it as it is now.

Me too, unless it's incredible faster

Christopher Schuchardt · Answer 4 · Thu May 09 2024 19:52:37 GMT+0800 (China Standard Time)

I think benchmarks is least of our worries. I think the main focus is security. We are giving up our trust to a 3rd party. If a bug is introduced; it could cost us time, money and reputation. This goes for any 3rd party whether or not it has a good reputation. Including Microsoft; but at least with Microsoft we know they do excessive testing.

I think we should implement our own code like we did already for ECPoint and everything else.

Vitor Nazário Coelho · Answer 5 · Fri May 10 2024 07:05:41 GMT+0800 (China Standard Time)

Specially considering this comment here #3209 (comment), I think that @vang1ong7ang was straight to the point.
I believe that in Neo2 we were BouncyCastle only as well, or a kind of fork from it.
As he said (to make it easier to follow here):

for blockchain, consistency is very important, and behavioral differences caused by architecture and platform cannot be tolerated.
the implementation of dotnet's Crypto library is to directly call the operating system API instead of implementing it by themselves. even their own developers are not clear enough about these behaviors.

Jimmy · Answer 6 · Fri May 10 2024 08:24:33 GMT+0800 (China Standard Time)

We had benchmark before, built-in is much faster than BouncyCastle. And i dont think we should focus on things like this. Mnay other issues should have higher priority, such as adding unit tests, benchmarks, existing issues and pr etc.

Vitor Nazário Coelho · Answer 7 · Fri May 10 2024 08:27:25 GMT+0800 (China Standard Time)

We had benchmark before, built-in is much faster than BouncyCastle. And i dont think we should focus on things like this. Mnay other issues should have higher priority, such as adding unit tests, benchmarks, existing issues and pr etc.

In my opinion, deciding upon a benchmark is not the case for this issue. Just if the benchmark is something that limits use case or would limit in 2-5 years, something like that.
Obviously, I want to see the benchmark. But even without seeing the number I believe it is feasible because we use to use it.

Try to run a node with MAC would be good test as well, re-sync the chain and verify everything.

Jimmy · Answer 8 · Fri May 10 2024 08:28:39 GMT+0800 (China Standard Time)

But why bother now? Do we really have any issue here? any problem was found? Any bug addressed?

Jimmy · Answer 9 · Fri May 10 2024 08:30:51 GMT+0800 (China Standard Time)

ecdsa is definately one of the core of the core performance bottleneck, i dont see any reason of updating it if there is no obvious problem.

ixje · Answer 10 · Fri May 10 2024 15:14:43 GMT+0800 (China Standard Time)

We had benchmark before, built-in is much faster than BouncyCastle.

Let's not forget that this is the reason for using BouncyCastle for OSX #2499

Vitor Nazário Coelho · Answer 11 · Sat May 11 2024 02:39:58 GMT+0800 (China Standard Time)

We had benchmark before, built-in is much faster than BouncyCastle.

Let's not forget that this is the reason for using BouncyCastle for OSX #2499

Good recall, @ixje .

In the past, before commit #2340, we use to have our "fork" implementation for Bouncy Castle and was working for all OS.

In order to fix the lack of support for koblitz curves in the C# native implementation, we moved to bouncy castle for OSX only #2511.
@shargon may recall that because he was the author of the PR.

@shargon, are you not in favor now for setting up an standard for all Operation Systems?
The way would be move all to BouncyCastle as suggested by @vang1ong7ang, which is similar to what we had in the past before PR 2340.

vang1ong7ang · Answer 12 · Wed May 15 2024 01:33:23 GMT+0800 (China Standard Time)

Including Microsoft; but at least with Microsoft we know they do excessive testing.

@cschuchardt88 this is not true unfortunately

BouncyCastle performs better than native dotnet in consistency. just as me said

the implementation of dotnet's Crypto library is to directly call the operating system API instead of implementing it by themselves. even their own developers are not clear enough about these behaviors.

vang1ong7ang · Answer 13 · Wed May 15 2024 01:34:40 GMT+0800 (China Standard Time)

We had benchmark before, built-in is much faster than BouncyCastle. And i dont think we should focus on things like this. Mnay other issues should have higher priority, such as adding unit tests, benchmarks, existing issues and pr etc.

@Jim8y I agree that this is not an urgent problem, but I doubt the conclusion of this benchmark

vang1ong7ang · Answer 14 · Wed May 15 2024 01:37:44 GMT+0800 (China Standard Time)

and, FYI, dotnet/runtime#36107