
Re: Updating SafeCurves for 2022...

From: Tobias Looker <tobias.looker@mattr.global>
Date: Thu, 26 May 2022 05:08:57 +0000
To: Brent Shambaugh <brent.shambaugh@gmail.com>, Shawn Butterfield <sbutterfield@salesforce.com>
CC: Christopher Allen <ChristopherA@lifewithalacrity.com>, Orie Steele <orie@transmute.industries>, Manu Sporny <msporny@digitalbazaar.com>, W3C Credentials CG <public-credentials@w3.org>
Message-ID: <SY4P282MB1274F826BDF30DAA185850B29DD99@SY4P282MB1274.AUSP282.PROD.OUTLOOK.COM>
> Christopher, having engaged with a fair number of corporate customers, as you
> have... what Shawn says resonates. At some level, NIST's cryptography review
> process is broken and can't seem to keep up with modern cryptography (or has
> no easy process for doing so)... on the other hand, perhaps they're going at
> just the right speed (but I doubt it).

+1. IMO, it appears from the outside looking in (w.r.t. NIST) that the looming threat of post-quantum has really been a massive factor impacting efforts associated with standardizing any more *pre-quantum* schemes. Don't get me wrong, post-quantum work is crucial, but overall it doesn't feel like the balance is right.

> As a side note I have no idea how curves used for bbs-signatures from ZKP would work with a secure element

There are challenges here; however, as one of the WG members working on this, one of the factors I believe is significantly helping BBS signatures is that it's not the first or only notable scheme to be using these types of pairing operations. The BLS signature scheme (https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04) using the BLS12-381 curve has been heavily adopted by several notable blockchain projects, ones that have a significant economic incentive (e.g. the entire market cap of Ethereum and Filecoin :p) to invest in mature implementations. That has resulted in libraries like https://github.com/supranational/blst which can be run in a variety of different environments (including potentially some secure areas). In terms of getting NIST's attention for these styles of schemes, socializing and calling for adoption of the work at forums like the CFRG is, I think, the best strategy, and is what we are pursuing with the BBS draft.


Tobias Looker

+64 (0) 27 378 0461

Mattr website: https://mattr.global/
Mattr on LinkedIn: https://www.linkedin.com/company/mattrglobal
Mattr on Twitter: https://twitter.com/mattrglobal
Mattr on Github: https://github.com/mattrglobal


From: Brent Shambaugh <brent.shambaugh@gmail.com>
Sent: 26 May 2022 10:00
To: Shawn Butterfield <sbutterfield@salesforce.com>
Cc: Christopher Allen <ChristopherA@lifewithalacrity.com>; Orie Steele <orie@transmute.industries>; Manu Sporny <msporny@digitalbazaar.com>; W3C Credentials CG <public-credentials@w3.org>
Subject: Re: Updating SafeCurves for 2022...


>> We ask "What if semiconductor manufacturers made chips especially optimized for cryptocurrency, digital identity & asset wallets?" and we have four silicon design companies and a number of cryptocurrency & identity wallet companies as sponsors.

>>   https://www.blockchaincommons.com/salons/silicon-salon/

I would be interested in this. I wonder what https://wiki.iota.org/identity.rs/introduction and https://www.ockam.io/ in the corpus of IoT and verifiable credentials have to say about this. I learned about the NXP SE050, which supports ed25519 amongst its many curves, from the latter:

As a side note, I have no idea how curves used for bbs-signatures from ZKP would work with a secure element. https://github.com/decentralized-identity/bbs-signature . Maybe this feature described in the SE050 datasheet, "Secured user flash memory up to 50 kB for secure data or key storage", would help.

-Brent Shambaugh

GitHub: https://github.com/bshambaugh
Website: http://bshambaugh.org/
LinkedIN: https://www.linkedin.com/in/brent-shambaugh-9b91259
Skype: brent.shambaugh
Twitter: https://twitter.com/Brent_Shambaugh
WebID: http://bshambaugh.org/foaf.rdf#me

On Wed, May 25, 2022 at 1:49 PM Shawn Butterfield <sbutterfield@salesforce.com> wrote:
As someone who must work within and around all manner of compliance requirements, the blog post definitely resonates with our internal security standards. There's no real distrust of k1, or ristretto255 for that matter. It comes down to making commitments to customers now that create the best fit for their needs in the future. Ed25519 infra provider support needs to happen before we can build enterprise-grade platform support around it.

On Tue, May 24, 2022 at 7:32 PM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:
On Tue, May 24, 2022 at 6:19 AM Manu Sporny <msporny@digitalbazaar.com> wrote:
I found this blog post useful for the upcoming VC2WG cryptosuite work:

Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022


It suggests updates to the SafeCurves website:


... and does a fairly good job of boiling down the choices and
misinterpretations in the space.

I don't agree with many parts of these recommendations, in particular the support for 25519, which has a lot of broken edge cases. The post also was rather dismissive about the importance of ristretto255 to address those problems. The author also doesn't talk about how secp256k1 already offers similar important properties to ristretto255, but with a stronger codebase.

On Tue, May 24, 2022 at 7:42 AM Orie Steele <orie@transmute.industries> wrote:
And then later, when you realize that hardware support for Ed25519 and Secp256k1 sucks... and that P-256 is everywhere because it's listed as recommended here:


Deeper in the infrastructure stack than this group usually deals with, but I thought some of you might be interested in being involved in our virtual "Silicon Salon" that we are hosting on June 1st at 9 am PDT.

We ask "What if semiconductor manufacturers made chips especially optimized for cryptocurrency, digital identity & asset wallets?" and we have four silicon design companies and a number of cryptocurrency & identity wallet companies as sponsors.


I know there are some cryptographic engineers in this community that may have a particular cryptographic wishlist item that they could get secured by hardened silicon architecture. Maybe a particular construction requires a non-NIST curve, or you need a Schnorr adapter signature, a VRF, etc. I'm really hoping we can collect these requests, prioritize them, and advise these companies on how best they can serve our needs.

We are relatively full at this point, but if you are knowledgeable about the requirements for securing secrets with secure silicon, we'd love to have you participate.

-- Christopher Allen
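Added example, not code from any message in this thread or from any of the projects it names: a reference-style pure-Python Ed25519 (RFC 8032 arithmetic, affine coordinates, slow and not constant-time, for illustration only) that makes one of the "edge cases" above concrete. RFC 8032 writes the verification equation as [8][S]B = [8]R + [8][k]A but allows implementations to check [S]B = R + [k]A instead; because Curve25519 has cofactor 8, a signer who adds a small-order point to R produces a signature that cofactored verifiers accept and cofactorless verifiers reject, so two conforming implementations disagree on the same bytes. That is the class of problem a prime-order encoding such as ristretto255 removes by construction. The secret key and message in `disagreement_demo` are constructed for the example; `public_key` and `sign` reproduce RFC 8032 test vector 1 for a sanity check.

```python
import hashlib

# Ed25519 parameters (RFC 8032 section 5.1)
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime subgroup
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)                     # a square root of -1 mod P
IDENTITY = (0, 1)


def _xrecover(y):
    """Recover the even x for a given y, or raise if y is not on the curve."""
    xx = ((y * y - 1) * pow(D * y * y + 1, P - 2, P)) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = (x * SQRT_M1) % P
    if (x * x - xx) % P:
        raise ValueError("y is not on the curve")
    return P - x if x & 1 else x


def _add(p1, p2):
    """Affine twisted-Edwards addition; the unified formula is complete on Ed25519."""
    x1, y1 = p1
    x2, y2 = p2
    t = (D * x1 * x2 * y1 * y2) % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P)
    return (x3 % P, y3 % P)


def _mul(pt, k):
    acc = IDENTITY
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _encode(pt):
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def _decode(b):
    v = int.from_bytes(b, "little")
    y, sign = v & ((1 << 255) - 1), v >> 255
    x = _xrecover(y)
    return (P - x if (x & 1) != sign else x, y)


_BY = (4 * pow(5, P - 2, P)) % P
B = (_xrecover(_BY), _BY)          # standard base point, x is even

# Small-order points in the cofactor part of the curve, outside the prime-order
# subgroup the signer uses: T2 has order 2, T4 has order 4 (2*T4 == T2).
T2 = (0, P - 1)
T4 = (SQRT_M1, 0)


def _h(*parts):
    return hashlib.sha512(b"".join(parts)).digest()


def _clamp(b):
    return (int.from_bytes(b, "little") & ((1 << 254) - 8)) | (1 << 254)


def public_key(sk):
    return _encode(_mul(B, _clamp(_h(sk)[:32])))


def sign(sk, msg, small_order=None):
    """RFC 8032 signing. small_order (hypothetical knob for the demo) is a
    small-order point a misbehaving signer adds to R before hashing it."""
    h = _h(sk)
    a = _clamp(h[:32])
    pk = _encode(_mul(B, a))
    r = int.from_bytes(_h(h[32:], msg), "little") % L
    R = _mul(B, r)
    if small_order is not None:
        R = _add(R, small_order)   # R now has a component the cofactor check kills
    r_enc = _encode(R)
    k = int.from_bytes(_h(r_enc, pk, msg), "little") % L
    return r_enc + ((r + k * a) % L).to_bytes(32, "little")


def verify(pk, msg, sig, cofactored):
    """cofactored=False: S*B == R + k*A (the common shortcut).
    cofactored=True: 8*S*B == 8*R + 8*k*A (the equation RFC 8032 writes)."""
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        A, R = _decode(pk), _decode(sig[:32])
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= L:                              # reject non-canonical S (malleability)
        return False
    k = int.from_bytes(_h(sig[:32], pk, msg), "little") % L
    lhs, rhs = _mul(B, S), _add(R, _mul(A, k))
    if cofactored:
        lhs, rhs = _mul(lhs, 8), _mul(rhs, 8)
    return lhs == rhs


def disagreement_demo(sk=bytes(range(32)), msg=b"constructed test message"):
    """(cofactorless, cofactored) verdicts for an honest and a cofactor-abusing signature."""
    pk = public_key(sk)
    honest, abusive = sign(sk, msg), sign(sk, msg, small_order=T4)
    return {
        "honest": (verify(pk, msg, honest, False), verify(pk, msg, honest, True)),
        "cofactor": (verify(pk, msg, abusive, False), verify(pk, msg, abusive, True)),
    }


if __name__ == "__main__":
    print(disagreement_demo())  # {'honest': (True, True), 'cofactor': (False, True)}
```

The two verifiers are both "correct" by the letter of RFC 8032, which is why the edge case matters in a verifiable-credential setting: a credential that validates on one library and fails on another is indistinguishable, to the relying party, from a forgery attempt. Rejecting small-order or non-canonical inputs up front, or moving to a prime-order group, closes the gap; which of the two a deployment can do depends on exactly the hardware and library support the thread is complaining about.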
Received on Thursday, 26 May 2022 05:09:16 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 26 May 2022 05:09:18 UTC