Review if ECDH is still experimental #665
Comments
|
This is a good suggestion and I agree that it would be really useful if the ECDH module would graduate from being experimental. It's already used by a few projects (elements, clightning, ...) but if they depend on an experimental module, they can be viewed themselves as experimental. But at some point the software used in the Bitcoin space must mature beyond that. One thing that marking the module as experimental is expected to do a moderately good job at is scaring developers not familiar with applied cryptography away from using low-level primitives like ECDH. However, "experimental" and "unsafe-if-used-incorrectly" are different qualities. See also the discussion in #352. API-wise the module seems relatively stable. There's #262, #352 and Most importantly though, I don't know how much the code was reviewed. While the ECDH module is very small, it uses |
|
I think it's time to make the ECDH non-experimental. For me the biggest hurdle was the question whether the API would remain stable over time, but since #354 I think we're good. |
|
Has anyone attempted yet verify that its timing doesn't depend on the secret (I mean in operation, rather than by just reading the code)? If not, I can do this. |
|
See #709. |
|
I checked that the |
We should think about closing these PRs if we're currently not interested in them. I don't think people care about ECDH performance enough to switch to a different variant. |
ECDH is needed for Lightning, and it would be convenient to use the implementation here.
ECDH was marked as experimental back in 2015, and the API was last changed more than a year ago.
I am wondering how I can help make the ECDH implementation considered stable.
The text was updated successfully, but these errors were encountered: