Dear Nim forum, You could criticize my terrible nim code, or we could attempt to discuss cryptography in nim and why I think nim is one of the best languages for prototyping cryptographic protocols. We could also discuss improving nim's cryptography libraries. There ought to be one good one that has all the things.
I am one of the core developers of the Katzenpost mixnet and I'm also very new to the nim language and have been using it to prototype the modular KEM based double ratchet from the 2018 paper: The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol <https://eprint.iacr.org/2018/1037.pdf>

Behold, I've probably made many offensive nim mistakes, but the point is that nim was most excellent for prototyping this cryptographic protocol. And nim is 1000 times better than python for prototyping cryptography because static typing, omg a real type system. <https://github.com/katzenpost/formal_specifications/blob/main/kem_ratchet/prototype/kem_double_ratchet/src/kem_double_ratchet.nim>

One startling result from the paper is that their double ratchet achieves post compromise security in just two rounds! This is better than the Signal/WhatsApp double ratchet, and also because it is KEM based, you can swap in any of the bleeding edge post quantum cryptographic KEMs.

My nim prototype assisted my overall understanding of the protocol, which allowed me to fix my golang implementation, which admittedly was written a little sloppily (by me, my fault, I'm pretty good but not perfect and I make mistakes sometimes, sue me): <https://github.com/katzenpost/cryptonomicon>

To be clear, I don't have post quantum KEMs (key encapsulation mechanisms) for nim... and I didn't want to spend time porting or binding a C code KEM over to nim. So I did it the classical way and constructed a "hashed ElGamal construction" using the secp256k1 NIKE (non-interactive key exchange). Anyway, this Frankenstein NIKE variation ElGamal construction... is really just a KEM because it behaves in exactly the same way and has IND-CCA security. If nim had a more complete cryptography library then that would be the only dependency that I would need to prototype other cryptographic protocols.
In my experience, cryptography libraries come about as a result of a project deciding to give back to the community after they've been collecting cryptographic primitive functions for a while. Probably one or two of the larger nim projects could help with this. I could be your cheerleader.

I had to get off my high horse the other week; I was trying to use ProVerif to model this modular KEM double ratchet... and found that it's actually too complicated for the ProVerif modeling language to handle. ProVerif is based on the Pi Calculus... which means that in order to model a sequential process I'd have to create a replicating function that uses channels to send data to its other copies... instead of a simple loop construct that most imperative languages have: <https://github.com/katzenpost/formal_specifications/blob/main/kem_ratchet/cka.pv>

In my humble opinion, the core cryptographic library for nim should have at least one cryptographic primitive in each category:

- PRP
- PRNG
- AEAD
- Stream Cipher
- PRF
- KDF/HKDF
- HMAC
- NIKE
- KEM
- Signature scheme

This is the minimum that I need to get work done quickly. If I had all that it would be so easy to use nim to prototype all kinds of complicated modern bleeding edge post quantum hybrid cryptographic protocols.

Sincerely,
David
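The "hashed ElGamal over a NIKE" construction the post describes, written out as an added example; this is not code from the post, from the linked prototype, or from the Katzenpost repositories. It is Python rather than Nim so that it runs with only the standard library, and it stands in a Diffie-Hellman NIKE over a freshly generated 64-bit safe-prime group for the secp256k1 NIKE (an assumption made for self-containment; the group size is a toy). The parts that carry over to any NIKE are the shape of encaps/decaps, the subgroup check on incoming public values, and the derivation of the KEM key from a hash that binds the ciphertext and recipient key together with the shared secret.

```python
"""Hashed-ElGamal KEM built on a Diffie-Hellman NIKE (added example).

Not code from the post or Katzenpost. The NIKE here is a multiplicative group
modulo a generated safe prime (an assumption standing in for secp256k1) so the
block needs only the standard library. KEM shape:
    encaps(pk): r <- random, c = g^r, K = H(c || pk || pk^r)
    decaps(sk, c): K = H(c || g^sk || c^sk)
"""
import hashlib
import secrets
from dataclasses import dataclass

# Miller-Rabin with these bases is deterministic for every n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class DHGroup:
    """NIKE parameters: safe prime p = 2q + 1 and g generating the order-q subgroup."""
    p: int
    q: int
    g: int

    def keygen(self) -> tuple[int, int]:
        sk = secrets.randbelow(self.q - 1) + 1  # sk in [1, q-1], so pk != 1
        return sk, pow(self.g, sk, self.p)

    def shared(self, sk: int, pk: int) -> int:
        # Small-subgroup check: only accept elements of the order-q subgroup.
        if not 1 < pk < self.p - 1 or pow(pk, self.q, self.p) != 1:
            raise ValueError("public value is not in the prime-order subgroup")
        return pow(pk, sk, self.p)


def gen_safe_prime_group(bits: int = 64) -> DHGroup:
    """Random safe prime p = 2q + 1; g = 4 is a quadratic residue, so its order is q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return DHGroup(p=p, q=q, g=4)


def _kdf(group: DHGroup, c: int, pk: int, ss: int) -> bytes:
    """Bind ciphertext and recipient key into the derived key (the 'hashed' part)."""
    n = (group.p.bit_length() + 7) // 8
    h = hashlib.sha256(b"hashed-elgamal-kem/example")
    for v in (c, pk, ss):
        h.update(v.to_bytes(n, "big"))
    return h.digest()


def kem_keygen(group: DHGroup) -> tuple[int, int]:
    return group.keygen()


def kem_encaps(group: DHGroup, pk: int) -> tuple[int, bytes]:
    r, c = group.keygen()  # ephemeral NIKE key; c = g^r is the KEM ciphertext
    return c, _kdf(group, c, pk, group.shared(r, pk))


def kem_decaps(group: DHGroup, sk: int, c: int) -> bytes:
    pk = pow(group.g, sk, group.p)
    return _kdf(group, c, pk, group.shared(sk, c))  # raises on a malformed c


if __name__ == "__main__":
    grp = gen_safe_prime_group(64)
    sk, pk = kem_keygen(grp)
    c, k_sender = kem_encaps(grp, pk)
    assert kem_decaps(grp, sk, c) == k_sender
    print("p =", grp.p, "key =", k_sender.hex())
```

Swapping the group for a real NIKE means replacing `DHGroup.keygen` and `DHGroup.shared` (plus the element validity check) and keeping everything from `_kdf` down unchanged; that separation is what makes the construction behave like any other KEM in a protocol such as the KEM double ratchet.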