Using Scrypt for user/password derived key

[shocknet-justin]

Allowing users to log in with a more traditional username/password combination, or a human readable long string, would offer better UX to users in many cases. The former at minimum being less glitchy with browser-based password managers.

I was thinking back to how GUN did this with PBKDF2, and upon a little research found Argon2 is the alleged successor. EDIT seems that scrypt may be even better.

There are considerations over my head with using it to create seeds for nostr compatible keypairs, but from what I do understand it sounds doable.

I wanted to throw the idea out there short of a proposal as I'm not qualified to write it.

I'll kick in on a bounty if others think this conceptually has merit.

[mikedilger]

I have spoken to two cryptographers who claim that argon2 only looked better than scrypt during the window of time of that competition (was it 2014? I forget), and subsequently they believe scrypt is better. PBKDF2 is not state of the art.

[mikedilger]

So that this is not so much a rumor, here is from Philip Rogaway:

There was a competition for password-based KDFs that was won by Argon2. But that competition took place before things had adequately settled down in the area, so that I'm not sure that the winning contender was nearly good as what would have won had the competition taken place a few years later. I'm not even sure that the winner was better than the originally proposed scrypt. I would trust that someone like Joel Alwen would know the best choice -- but I do not.

Joel Alwen wrote a paper proving scrypt to be maximally hard: https://eprint.iacr.org/2016/989

[shocknet-justin]

Thanks for the input, I will update the idea to reflect that scrypt is probably a better choice.

[shocknet-justin]

I've taken a stab at this and clients seem to work well, I'll leave this here for comment for awhile.

Insufficiently long passphrases are an inherent weakness as with anything else, but I think there's room to design an improved UX that provides acceptable hardness.

const crypto = require("crypto");
const scrypt = require("scryptsy");
const EC = require("elliptic").ec;

const ec = new EC("secp256k1");

function createKeypair(username, password) {
  // Generate a salt.
  const salt = crypto.randomBytes(128);

  // Hash the password with the salt using scrypt.
  const N = 1024;
  const r = 8;
  const p = 1;
  const dkLen = 64;
  
  const key = scrypt(password, salt, N, r, p, dkLen);

  // Split the hashed password into two parts.
  const publickey = key.slice(0, 32);
  const privateKey = key.slice(32);

  // Create an EC key pair using the private key.
  const keyPair = ec.keyFromPrivate(privateKey);

  // Get the public key in compressed format.
  const publicKey = keyPair.getPublic("array", "compressed");

  // Encode the public key in hexadecimal format.
  const publicKeyHex = Buffer.from(publicKey).toString("hex");

  // Console log the private and public keys.
  console.log("Private key:", privateKey.toString("hex"));
  console.log("Public key:", publicKeyHex);

  return {
    username,
    salt,
    publickey: publicKeyHex,
    privateKey: privateKey.toString("hex"),
  };
}

async function main() {
  const args = process.argv.slice(2);

  if (args.length !== 2) {
    console.error("Please provide the username and password as arguments.");
    process.exit(1);
  }

  const username = args[0];
  const password = args[1];

  try {
    await createKeypair(username, password);
  } catch (error) {
    console.error("Error:", error);
    process.exit(1);
  }
}

main();

[alexgleason]

Interesting idea. Obviously you can't click "I forgot my password", and you're ultimately still giving the app your private key. But this idea is appealing to me since I'm building Nostr into a legacy system.

[shocknet-justin]

Yea the forgot password issue is only helped by this by working more intuitively with common password managers. I think many users would opt-in to a trust based solution where keys are held by the service and authenticated by email, they could co-exist with key holders and the middle ground where someone just wants a username and password they can remember.

[alexgleason]

I think most likely users will have a Nostr "wallet" app on their phones, which stores keys and remote signs for websites using NIP-46.

Websites could send push notifications to the user's phone to sign events. Or they could pre-configure in the app a set of rules for events they will automatically sign from each provider.

To connect to a site, you'd scan a QR code on your phone, or it would trigger an "Open with " menu.

Someone needs to create that app.