Migrate from our current cryptography libraries to noble/*

[hilvmason]

No description provided.

[paulmillr]

Basically a continuation of #9741. Some useful context:

• https://github.com/ethereum/js-ethereum-cryptography which was audited uses noble-hashes, noble-secp256k1; scure-base, scure-bip32, scure-bip39; all of which were audited
• You can use the js-e-c repo, or individual projects directly. The repo has dependency versions set to a fixed value, which means it's more secure in regard to bad updates
• Snaps use metamask/key-tree, which use projects directly: https://github.com/MetaMask/key-tree/blob/48893ea4236f4e7e4f56d460dc2c18d30ce1b712/package.json#L27

[adonesky1]

@paulmillr because secp256k1 and keccak are nested subdependencies of a number of packages we use, our plan here is to create a wrapper to match the interface of each them but use noble implementations under the hood and then force resolve our wrapper throughout our dependency tree. I just found your compatibility layer gist for elliptic.js so I'm using this now to help me build this wrapper. Let me know if you have any thoughts on this approach!

[paulmillr]

@adonesky1 we have the compatibility layer here: https://github.com/ethereum/js-ethereum-cryptography/blob/master/src/secp256k1-compat.ts

Check it out. The gist was just initial thoughts for creating it.

[adonesky1]

Oh wow. I'm glad I mentioned it! Will check this out. Thanks!

[paulmillr]

Analysis of metamask's yarn.lockfile that was mentioned above:

• tiny-secp256k1, secp256k1 — can be freely replaced with new crypto
• libp2p-crypto-secp256k1: was deprecated, a replacement package @libp2p/crypto is already using noble
• hdkey, bip32 — can be replaced with @scure audited packages (basically noble); or asked to use noble
• gridplus-sdk, ganache, eth-lattice-keyring, bitcoinjs-lib, @trezor/utxo-lib — need to ping the folks to get their stuff updated. Although i'm not sure which of those are just devDependencies.