Re: Updating SafeCurves for 2022...

As someone who must work within and around all manner of compliance
requirements, the blog post definitely resonates with our internal security
standards. There's no real distrust of k1, or ristretto255 for that matter.
It comes down to making commitments to customers now that create the best
fit for their needs in the future. Ed25519 infra provider support needs to
happen before we can build enterprise-grade platform support around it.
On Tue, May 24, 2022 at 7:32 PM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:

> On Tue, May 24, 2022 at 6:19 AM Manu Sporny <msporny@digitalbazaar.com> wrote:
>
>> I found this blog post useful for the upcoming VC2WG cryptosuite work:
>>
>> Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022
>>
>>
>> https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/
>>
>> It suggests updates to the SafeCurves website:
>>
>> https://safecurves.cr.yp.to/
>>
>> ... and does a fairly good job of boiling down the choices and
>> misinterpretations in the space.
>>
>
> I don't agree with many parts of these recommendations, in particular in
> support for 25519, which has a lot of broken edge cases. The post also was
> rather dismissive about the importance of ristretto255 to address those
> problems. The author also doesn't talk about how secp256k1 already offers
> similar important properties to those of ristretto255, but with a stronger
> codebase.
>
> On Tue, May 24, 2022 at 7:42 AM Orie Steele <orie@transmute.industries> wrote:
>
>> And then later, when you realize that hardware support for Ed25519 and
>> Secp256k1 sucks... and that P-256 is everywhere because it's listed as
>> recommended here:
>>
>> https://www.iana.org/assignments/jose/jose.xhtml#web-key-elliptic-curve
>>
>
> Deeper in the infrastructure stack than this group usually deals with, but
> I thought some of you might be interested in being involved in our virtual
> "Silicon Salon" that we are hosting on June 1st at 9 am PDT.
>
> We ask "What if semiconductor manufacturers made chips especially
> optimized for cryptocurrency, digital identity & asset wallets?" and we
> have four silicon design companies and a number of cryptocurrency &
> identity wallet companies as sponsors.
>
> https://www.blockchaincommons.com/salons/silicon-salon/
>
> I know there are some cryptographic engineers in this community that may
> have a particular cryptographic wishlist item that they could get secured
> by hardened silicon architecture. Maybe a particular construction requires
> a non-NIST curve, or you need a Schnorr adapter signature, a VRF, etc. I'm
> really hoping we can collect these requests, prioritize them, and advise
> these companies on how best they can serve our needs.
>
> We are relatively full at this point, but if you are knowledgeable about
> the requirements for securing secrets with secure silicon, we'd love to
> have you participate.
>
> -- Christopher Allen
>
>

Received on Wednesday, 25 May 2022 18:47:22 UTC