drop the dependency of System.Security.Cryptography

[vang1ong7ang]

in the discussion of #3220 it is tried to explore the possibility of moving to BouncyCastle

for performance reasons, many prefer keeping System.Security.Cryptography instead of moving to BouncyCastle

however, I don't think this is a rational decision

the only reason is that:

System.Security.Cryptography behaves inconsistently across platforms and it may lead to FORK

[vang1ong7ang]

according to the official document of dotnet at https://learn.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography, it is said that:

Cryptographic operations in .NET are done by operating system (OS) libraries.

The dependency on OS libraries also means that .NET apps can only use cryptographic features that the OS supports. While all platforms support certain core features, some features that .NET supports can't be used on some platforms. This article identifies the features that are supported on each platform.

and for ECDSA

Elliptic Curve	Windows 10	Windows 7 - 8.1	Linux	macOS	iOS, tvOS, MacCatalyst	Android
NIST P-256 (secp256r1)	✔️	✔️	✔️	✔️	✔️	✔️
NIST P-384 (secp384r1)	✔️	✔️	✔️	✔️	✔️	✔️
NIST P-521 (secp521r1)	✔️	✔️	✔️	✔️	✔️	✔️
Brainpool curves (as named curves)	✔️	❌	⚠️1	❌	❌	⚠️4
Other named curves	⚠️2	❌	⚠️1	❌	❌	⚠️4
Explicit curves	✔️	❌	✔️	❌	❌	✔️
Export or import as explicit	✔️	❌3	✔️	❌3	❌3	✔️

1. Linux distributions don't all have support for the same named curves.

2. Support for named curves was added to Windows CNG in Windows 10. For more information, see CNG Named Elliptic Curves. Named curves are not available in earlier versions of Windows, except for three curves in Windows 7.

3. Exporting with explicit curve parameters requires OS library support, which is not available on Apple platforms or earlier versions of Windows.

4. Android support for some curves depends on the Android version. Android distributors may choose to add or remove curves from their Android build as well.

since different platforms use different cryptography implementations, their behavior is not consistent.

[cschuchardt88]

See dotnet/runtime#20342 and dotnet/runtime#84132 for support SHA3 they added alot. Its just the Operating system doesn't support it yet. Only Windows 11 Preview Insider.

You can use ecdsa with OpenSsl for this. https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.ecdsaopenssl?view=net-8.0

[vang1ong7ang]

@cschuchardt88 I don’t think as a blockchain platform, it is tolerated to behave differently on different platforms. it just no one knows how System.Security.Cryptography behaves.

if you search something like behavior is not consistent across platforms on dotnet runtime github repo there's multiple issues related

[Jim8y]

@vang1ong7ang I understand your concern, but how do we know if the new lib we use does not have that problem?

[cschuchardt88]

I say we implement it our self.

[vang1ong7ang]

@vang1ong7ang I understand your concern, but how do we know if the new lib we use does not have that problem?

that's a problem to be honest. the consistency is not promised by BouncyCastle. but seems BouncyCastle does better

[shargon]

Already moved to Bouncy Castle