- From: Brent Shambaugh <brent.shambaugh@gmail.com>
- Date: Wed, 25 May 2022 17:00:24 -0500
- To: Shawn Butterfield <sbutterfield@salesforce.com>
- Cc: Christopher Allen <ChristopherA@lifewithalacrity.com>, Orie Steele <orie@transmute.industries>, Manu Sporny <msporny@digitalbazaar.com>, W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CACvcBVq5MGKxNhPau=tZCg1bdJiZRd6XQ8HL9X=ZSkWTLH0Obg@mail.gmail.com>
>> We ask "What if semiconductor manufacturers made chips especially optimized for cryptocurrency, digital identity & asset wallets?" and we have four silicon design companies and a number of cryptocurrency & identity wallet companies as sponsors.
>> https://www.blockchaincommons.com/salons/silicon-salon/

I would be interested in this. I wonder what https://wiki.iota.org/identity.rs/introduction and https://www.ockam.io/ in the corpus of IoT and verifiable credentials have to say about this. I learned about the nxp se050 which supports ed25519 amongst its many curves from the latter: https://www.nxp.com/docs/en/data-sheet/SE050-DATASHEET.pdf

As a side note I have no idea how curves used for bbs-signatures from ZKP would work with a secure element. https://github.com/decentralized-identity/bbs-signature. Maybe this feature described in the se050 datasheet "Secured user flash memory up to 50 kB for secure data or key storage" would help.

-Brent Shambaugh

GitHub: https://github.com/bshambaugh
Website: http://bshambaugh.org/
LinkedIn: https://www.linkedin.com/in/brent-shambaugh-9b91259
Skype: brent.shambaugh
Twitter: https://twitter.com/Brent_Shambaugh
WebID: http://bshambaugh.org/foaf.rdf#me

On Wed, May 25, 2022 at 1:49 PM Shawn Butterfield <sbutterfield@salesforce.com> wrote:

> As someone who must work within and around all manner of compliance requirements, the blog post definitely resonates with our internal security standards. There's no real distrust of k1, or ristretto255 for that matter. It comes down to making commitments to customers now that create the best fit for their needs in the future. Ed25519 infra provider support needs to happen before we can build enterprise-grade platform support around it.
>
> On Tue, May 24, 2022 at 7:32 PM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:
>
>> On Tue, May 24, 2022 at 6:19 AM Manu Sporny <msporny@digitalbazaar.com> wrote:
>>
>>> I found this blog post useful for the upcoming VC2WG cryptosuite work:
>>>
>>> Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022
>>>
>>> https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/
>>>
>>> It suggests updates to the SafeCurves website:
>>>
>>> https://safecurves.cr.yp.to/
>>>
>>> ... and does a fairly good job of boiling down the choices and misinterpretations in the space.
>>
>> I don't agree with many parts of these recommendations, in particular in support for 25519 which has a lot of broken edge cases. The post also was rather dismissive about the importance of ristretto255 to address those problems. The author also doesn't talk about how secp255k1 already offers similar important properties to ristretto255, but with a stronger codebase.
>>
>> On Tue, May 24, 2022 at 7:42 AM Orie Steele <orie@transmute.industries> wrote:
>>
>>> And then later, when you realize that hardware support for Ed25519 and Secp256k1 sucks... and that P-256 is everywhere because it's listed as recommended here:
>>>
>>> https://www.iana.org/assignments/jose/jose.xhtml#web-key-elliptic-curve
>>
>> Deeper in the infrastructure stack than this group usually deals with, but I thought some of you might be interested in being involved in our virtual "Silicon Salon" that we are hosting on June 1st at 9 am PDT.
>>
>> We ask "What if semiconductor manufacturers made chips especially optimized for cryptocurrency, digital identity & asset wallets?" and we have four silicon design companies and a number of cryptocurrency & identity wallet companies as sponsors.
>>
>> https://www.blockchaincommons.com/salons/silicon-salon/
>>
>> I know there are some cryptographic engineers in this community that may have a particular cryptographic wishlist item that they could get secured by hardened silicon architecture. Maybe a particular construction requires a non-NIST curve, or you need a Schnorr adapter signature, a VRF, etc. I'm really hoping we can collect these requests, prioritize them, and advise these companies on how best they can serve our needs.
>>
>> We are relatively full at this point, but if you are knowledgeable about the requirements for securing secrets with secure silicon, we'd love to have you participate.
>>
>> -- Christopher Allen

Received on Wednesday, 25 May 2022 22:00:49 UTC