Scrypt: migrate from pylibscrypt to hashlib.scrypt from the standard Python 3.6 lib

DuniterPy currently uses pylibscrypt:

• It is not packaged into Debian

Other Python libraries implementing Scrypt:

• pyscrypt: pure Python, but not in Debian
• py-srcypt. In Debian, Python wrapper around C, was used in Silkaj 0.6.0 before DuniterPy migration

---

• #68 (closed): Will allow Debian packaging

changed milestone to %0.60.0

mentioned in issue #68 (closed)

mentioned in issue #83

Libsodium is required most importantly for libnacl, so even if we can get rid of it for this lib, we need it anyway for crypto functions. Like Duniter and Cesium...

This lib can use pure python if libsodium is not installed, but only with python 3.6 hashlib.scrypt module or if py-scrypt is installed! So we can upgrade to Python 3.6 to get pure python scrypt or add a second scrypt lib dependency (I prefer Python 3.6 solution).

How did you sign documents in Silkaj in pure python without libsodium ?

This lib can use pure python if libsodium is not installed, but only with python 3.6 hashlib.scrypt module or if py-scrypt is installed! So we can upgrade to Python 3.6 to get pure python scrypt or add a second scrypt lib dependency (I prefer Python 3.6 solution).

I wasn’t aware that Scrypt was included as a default library since Python 3.6.

Yes, that solution would be preferable. But on the other hand, we would need to create a Debian package of the pylibscrypt library wrapper.

How did you sign documents in Silkaj in pure python without libsodium ?

Silkaj 0.6.x was using following lib which is a Python wrapper around a C implementation of Scrypt: py-scrypt/scrypt.

Silkaj 0.6.x was using following lib which is a Python wrapper around a C implementation of Scrypt: py-scrypt/scrypt.

It doesn't respond to my question, you only use scrypt to create the seed, not to sign a document.

I do not have any objection to replace the scrypt lib use in Duniterpy to allow easier packaging for Debian. Avoiding the necessity to use Python 3.6 minimum dependency.

I would say, let's try it, let's profit of your Silkaj experience in Duniterpy !

But the libsodium dependency will still be necessary for libnacl to sign/verify and encrypt/decrypt documents.

Ah, yeah, excuse my ignorance. I just realize how Silkaj signature process was working: encryption of the hash of the document.

This this PyNaCl which takes care of the encryption/decryption part.

It seems were are mixing-up two topics in this ticket:

• (this ticket) a Scrypt lib: to hash documents: we want to have one for Debian packaging
• #83: libsodium: an encoding/decoding lib: talking about its way of being embended for distribution:
  • PyNaCl lib comes with a copy of libsodium
  • libnacl currently needs libsodium from the system

We should split those two topics into two tickets. We may continue libsodium discussion on #83 and keep this ticket to talk about scrypt.

---

We could use hashlib.scrypt from Python 3.6 (would be the preferable way).

changed the description

As far as I understood, we would be able to get rid of pylibscrypt.scrypt dependency replacing it by hashlib.scrypt from Python 3.6.

And, we would need no extra package to package for Duniter except DuniterPy itself.

added Crypto label and removed ~327 label

changed title from Migrate Scrypt Python dependency to Scrypt: migrate from pylibscrypt to hashlib.scrypt from the standard Python 3.6 lib

changed the description

added Debian label

added Dep label

assigned to @moul

mentioned in commit 4f085da1

mentioned in commit 9270652f

mentioned in merge request !106 (merged)

seems there is also the option of using python3-pycryptodome

mentioned in commit b919ccfe

mentioned in commit 17e7870a

closed with merge request !106 (merged)