[WIP] Remove dynamic constants from cryptography products

[vepkenez]

Type of PR:

• prevents bugs from the future from ever existing
• Feature
• Documentation
• Other

Required reviews:

• 1
• 2
• 3

What this does:
Constant Sorrow constants are not really constant in the sense that bytestrings produced by our code may outlive some of the mechanisms by which Constant Sorrow produces the literals for them whether due to encoding, hashlib changes etc. This PR makes them truly static and constant.

It also makes parallel implementation of them in other languages easier in that it is now a copy and paste of some characters instead of a re-implementation of Constant Sorrow magic, or maybe even opens the possibility for pulling from definitions for these bytestrings from a single repo that is accessible to all language implementations.

Issues fixed/closed:

• Fixes Don't serialize Constant Sorrow constants #1484

[cygnusv]

Thanks for doing this. I guess these constants should have never live the runtime environment and be serialized anywhere. IMHO, if there's a need to serialize a constant, then this is a hint that you should not use Constant Sorrow for it.

[vepkenez]

IMHO, if there's a need to serialize a constant, then this is a hint that you should not use Constant Sorrow for it.

I was actually thinking we could subclass constant sorrow so it raises an exception if you call __bytes__

[vepkenez]

@KPrasch @cygnusv @derekpierre @fjarri @jMyles
These could be anything.
Currently I made them exactly what Constant Sorrow was outputting so they don't break compatibility with existing bytestrings, but now is the time to break that in favor of a better future.

So what should we make them?

They could be like:
DO_NOT_SIGN = b'DO_NOT_SIGN'

any reason not to do that?

[fjarri]

Why not just make them sequential bytes? \x00, \x01 and so on?

[vepkenez]

That would definitely make cross platform implementing easiest

[vepkenez]

One more consideration before I finish this.

Our encryption looks like this: pre.encrypt(recipient_pubkey_enc, sig_header + plaintext)

We are adding this "signature header" to the actual plaintext.
The signature header was 8 bytes, now we are going to go with single bytes.

But why are we adding this stuff to the plaintext at all? Isn't it kind of a hack?
Would it be better for payload signature to be handled at the app layer?
Would you even trust NuCypher's code to sign your data if your data was so important?

I as an implementer might prefer my own signing mechanics on the the payload anyway and hand the data over to Enrico already signed.

Any support for removing signatures entirely?

[fjarri]

For what it's worth, I agree with removing the signatures. I always thought of Nucypher as KMS, while ciphertexts are distributed via side channels, so, as you said, it's up to the application to decide whether to sign them or not. But I may be missing some attack vectors here - @tuxxy , @cygnusv ?

[KPrasch]

I'd love to see this PR finished, it's a nice prerequisite to our future plans with entity serialization.

[KPrasch]

Closing this PR for due to staleness. Leaving #1484 open.