Slow: should encrypt private keys with password

[cadorn]

Hi @leonardocustodio,

Wow you have done a lot of work! Amazing to see everything implemented!

I am running my tests and this is slow. Just want to make sure that is intentional?

✓ XID Document Lifecycle > 7. Private Key Options > should encrypt private keys with password [1675.06ms]

        it('should encrypt private keys with password', async function () {
            const password = new TextEncoder().encode('test_password')

            const envelope = await xid.toEnvelope({
                document: aliceDoc,
                privateKeyOptions: { type: XIDPrivateKeyOptions.Encrypt, password },
            })

            // Without password - no private key
            const docNoPassword = await xid.fromEnvelope({ envelope })
            const keyNoPassword = await xid.getInceptionKey({ document: docNoPassword })
            expect(keyNoPassword.hasPrivateKeys()).toBe(false)

            // With password - private key restored
            const docWithPassword = await xid.fromEnvelope({ envelope, password })
            const keyWithPassword = await xid.getInceptionKey({ document: docWithPassword })
            expect(keyWithPassword.hasPrivateKeys()).toBe(true)
        }, { timeout: 60_000 })

[leonardocustodio]

Unfortunately it is expected, the default algorithm for the test above is argon2 which unfortunately is slow on javascript. You should face a similar behavior on any test or code that is using argon2.

I've chosen the following library for the hashes used in this library: https://github.com/paulmillr/noble-hashes/blob/3e541593cf5bb65b3a765c2d020b5aba9462cccf/README.md?plain=1#L322-L335

Because it is a well-maintained and audited library currently used by multiple project. I would be more than happy to switch to another if you have any suggestions for an audited library that works fast with argon2.

The only condition that I've tried to follow is to not use any libs that calculate hashes or encrypt things using wasm or ffi from other languages as that would increase the bundle size a lot and depending on the implementation make this whole repository not compatible with all JS environment (browser/node/etc).

[leonardocustodio]

You can use another kind for the above one instead of the default argon2 though. Maybe would be a good idea for us to change the default algo. used since this one will be slow. I will think about this weekend and see what I can do, in case I go for changing the default I will make sure to document that the default used in this library is not the same as the rust libraries.

[cadorn]

Hmm. I have to think about how critical speed is. Not sure how often I need to use the slow code paths yet.

Good call on keeping the lib small & portable.

I do think a faster option would be ideal for rapid testing and simulation. Documenting the algorithm tradeoffs would be useful so when I choose I know what I am choosing.

argon2 default may make the lib feel slow for no reason ...