Re: Updating SafeCurves for 2022... from Christopher Allen on 2022-05-25 (public-credentials@w3.org from May 2022)

From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Date: Tue, 24 May 2022 19:29:17 -0700
To: Orie Steele <orie@transmute.industries>
Cc: Manu Sporny <msporny@digitalbazaar.com>, W3C Credentials CG <public-credentials@w3.org>
Message-ID: <CACrqygAd8c5L6Xmyp9OKfP049usf3WvEpGTu8jQOR9R+e9hBWQ@mail.gmail.com>

On Tue, May 24, 2022 at 6:19 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> I found this blog post useful for the upcoming VC2WG cryptosuite work:
>
> Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022
>
>
> https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/
>
> It suggests updates to the SafeCurves website:
>
> https://safecurves.cr.yp.to/
>
> ... and does a fairly good job of boiling down the choices and
> misinterpretations in the space.
>

I don't agree with many parts of these recommendations, in particular in
support for 25519 which has a lot of broken edge cases. The post also was
rather dismissive about the importance of ristretto255 to address those
problems. The author also doesn't talk about the secp255k1 already offers
similar important properties to that ristretto255, but with a stronger
codebase.

On Tue, May 24, 2022 at 7:42 AM Orie Steele <orie@transmute.industries>
wrote:

> And then later, when you realize that hardware support Ed25519 and
> Secp256k1 sucks... and that P-256 is everywhere because its listed as
> recommended here:
>
> https://www.iana.org/assignments/jose/jose.xhtml#web-key-elliptic-curve
>

Deeper in the infrastructure stack than this group usually deals with, but
I thought some of you might be interested in being involved in our virtual
"Silicon Salon" that we are hosting on June 1st at 9 am PDT.

We ask "What if semiconductor manufacturers made chips especially optimized
for cryptocurrency, digital identity & asset wallets?" and we have four
silicon design companies and a number of cryptocurrency & identity wallet
companies as sponsors.

https://www.blockchaincommons.com/salons/silicon-salon/

I know there are some cryptographic engineers in this community that may
have a particular cryptographic wishlist item that they could get secured
by hardened silicon architecture. Maybe a particular construction requires
a non-NIST curve, or you need a Schnorr adapter signature, a VRF, etc. I'm
really hoping we can collect these requests, prioritize them, and advise
these companies on how best they can serve our needs.

We are relatively full at this point, but if you are knowledgeable about
the requirements for securing secrets with secure silicon, we'd love to
have you participate.

-- Christopher Allen

Received on Wednesday, 25 May 2022 02:30:06 UTC