[MINUTES] CCG Data Integrity 2025-10-23

Here's a summary of the CCG Data Integrity meeting:

*Meeting Summary*

The meeting focused on discussing the SQIsign signature scheme within the
context of the W3C Credentials Community Group (CCG). Andrea Basso from the
SQIsign team presented an overview of the scheme, its properties, and its
current status. The CCG aims to integrate SQIsign for digital signatures,
particularly due to its small signature sizes suitable for use cases like
QR codes. The discussion covered the technical aspects of SQIsign, its
potential for integration with W3C standards, and the future steps for
collaboration.

*Topics Covered*

   - Introduction to SQIsign: Its design, post-quantum security, and key
   properties.
   - SQIsign's current status and future development plans.
   - Integration of SQIsign with W3C's data integrity specifications.
   - Collaboration and standardization processes (IETF, NIST).
   - Potential for privacy-preserving features (e.g., blind signatures).
   - Implementation details and performance.
   - Next steps and action items.

*Key Points*

   - *SQIsign Overview*: The SQIsign scheme is based on isogenies and
   quaternions, aiming for small signature sizes and post-quantum security.
   - *W3C Interest*: The CCG is primarily interested in SQIsign's public
   key and signature sizes for digital credentials and QR codes.
   - *Standardization*: SQIsign is in the NIST on-ramp process. The CCG
   will depend on its output and/or the outcome of the CFRG at the IETF.
   - *Privacy Features*: The current version of SQIsign does not have
   native support for blind signatures or strong unlinkability, but potential
   work is being done in these areas.
   - *Implementation*: A C implementation is available, with efforts to
   develop implementations in other languages. Test vectors will be generated.
   - *Next Steps*: Greg will integrate SQIsign into the test vector setup
   for the W3C post-quantum signature specification, and the group will
   continue to communicate.

Text:
https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-data-integrity-2025-10-23.md

Video:
https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-data-integrity-2025-10-23.mp4

*CCG Data Integrity - 2025/10/23 09:38 EDT - Transcript*

*Attendees*

Amine Allani, Andrea Basso, Basil Hess, Benj Weso, Benjamin Young, Boris
Fouotsa, Dave Longley, devi prasad, Diego F. Aranha, Duparc Max, Elaine
Wooton, Geun-Hyung Kim, Giacomo Pope, Gora Adj, Greg Bernstein, Isaac
Andres Canales Martinez, Konstantin Tsabolov, Luca De Feo, Luciano Maino,
Manu Sporny, Pancho Rh, Parth Bhatt, Pierrick Dartois, Sikhar Patranabis

*Transcript*

Andrea Basso: Hi. Yeah,…

Manu Sporny: Hi Andrea,…

Manu Sporny: good to see you.

Andrea Basso: it's good to be here. How are you doing?

Manu Sporny: Doing well, thanks. We are probably going to wait until about
four minutes past the hour before we start. Just to give you some
background, this is a fairly technology-heavy community. They understand a
lot around digital signatures, things like that.

Manu Sporny: I'll do a little bit of an introduction, to the community. I
know we have a lot of other people joining,…

Manu Sporny: that are not a part of the community today. We'll go over some
of that and then hand it entirely over to you and then some presentation
from you, 40 minutes, and then I'd like at least some amount of time at the
end to figure out how we might coordinate any kind of future activity. Does
that sound okay to you, Andrea? Totally.

Andrea Basso: Yeah, that sounds good.

Andrea Basso: I wasn't sure how long the presentation was supposed to be.
So I think it's going to be a little bit shorter than that. But maybe that
gives us just bit more time to chat after that.

Manu Sporny: Yeah. Yeah. Yeah. Yeah. There's plenty to talk about, so don't
worry about that. Just take it at whatever pace you want. With that said,
we'll hold for about three more minutes and then we'll get started. At that
point

Manu Sporny: Okay, let's go ahead and get started. We've got quite a number
of people here, so let's make the most efficient use of everyone. Welcome
to the World Wide Web Consortium Credentials Community Group. This call is
specifically focused on digital signatures and data integrity. Basically
protecting data payloads when we're moving things over the web. Just a
little bit of background on this group for those of you that are new to the
call. For the past, let's say since 2014, so the past decade, the World Wide
Web Consortium has been working on technology to enable people to
effectively own their own data including things like digital credentials.

Manu Sporny: So, think of things like driver's licenses or birth
certificates or education credentials. We want to be able to publish this
information on the web in a way that is privacy protecting that gives the
individual the right to share what they want when they want to share it.
Some of this work you might be familiar with through the European digital
wallet initiative. So the UD work is working on digital credentials. We
have the same kind of thing going on in the Asia-Pacific region so this is
very much a global kind of standards thing and as all of what we need for
these digital payloads is the ability to do a digital signature over them.

Manu Sporny: This technology is already a global standard, verifiable
credentials data integrity. We already have things like ECDSA and EdDSA
signatures over these payloads. We already have selective disclosure, the
ability to do selective disclosure, and more recently we have been working
on the BBS signature scheme which allows unlinkable disclosure. We've been
working on things like blind signatures and pseudonyms against Sybil
attacks when you have unlinkable disclosure. And most recently we have been
trying to figure out what we're going to do around postquantum signatures.
We do have a specification that's in incubation.
00:05:00

Manu Sporny: So the typical way this works is we incubate the work here for
one to two years and once we feel that the technology is fairly stable we
move it on to the global standards track at the World Wide Web Consortium at
which point it becomes a global standard. We are very interested in
SQIsign. It has a number of properties that are the most useful being the
small signature sizes. So with verifiable credentials there's digital
credentials and digital wallets and using them online in that way but we
also have physical representations of these, so a QR code that contains the
data and the signature. As you can imagine having a 1 kilobyte signature in
a QR code is not very good which is why we're very interested in SQIsign
because it would solve those sets of use cases, the physical signature in a
QR code use cases

Manu Sporny: So that's why we're so interested in SQIsign and we really
thank you to everyone from the SQIsign community for participating. The
other kind of boilerplate here is these calls are recorded and transcribed. So
we'll have a full recording available to the public. I only say that and
that be careful what you say on it because it's recorded and the world will
see it. So okay. With that, we have much of the SQIsign community with us
today. Again, thank you very much to that community for showing up. Andrea,
I think you've prepared a presentation that you're going to take us
through. And then we'll have a discussion on how we could potentially
collaborate to integrate this technology and eventually get it to global
standard. So, Andrea, over to you, please.

Andrea Basso: Great. Thanks.

Manu Sporny: Yes.

Andrea Basso: Let me just share. Can you all see my screen? Perfect. Okay.
Hi everyone. Thank you so much for being interested in SQIsign and for
having us here. My name is Andrea Basso. I'm part of the SQIsign team, but
as you may have seen most or many of the people in the SQIsign team are
also present in this call.

Andrea Basso: So the goal of this presentation is to sort of quick to go
through SQIsign how it looks like and then sort of see where we are and
how we expect it to change and to evolve over time. So let me get started
and let's start from the name itself, SQIsign. What does it stand for?
It stands for Short Quaternion and Isogeny Signature. So starting from the
bottom, SQIsign is a signature protocol which means that it's a protocol
designed to guarantee the authenticity of a message or a document. It is
currently part of the NIST on-ramp process for standardization for
postquantum signatures because SQIsign is postquantum secure.

Andrea Basso: And then the other defining characteristic is that SQIsign
is based on the mathematical structures of isogenies and quaternions. And this
is the main construction that we have from isogenies. And for instance, if
you look at the standardization process, it is the only construction that we
have from isogenies. And then the key defining property is that it's extremely
compact. We'll see some numbers later on but it is possibly the smallest
signature of all postquantum signatures and it is comparable to classical
signatures which makes it very useful for all those sorts of applications
where communication bandwidth are limited.

Andrea Basso: So let me give you a little bit of historical overview.
SQIsign was originally proposed in 2020, so roughly 5 years ago. And then I
also have some references down here if you're interested in checking them
out. So the original proposal was from 2020 and then two years later a
subset of the same authors proposed a version of SQIsign that followed the
main structure but already started to improve it significantly. 2022 is
also a particularly important year for isogeny-based cryptography because
this is when SIDH, which was at the time the main isogeny-based protocol, was
broken in a series of spectacular papers and I mention it here for two
reasons.
00:10:00

Andrea Basso: One because I want to mention the fact that while SIDH was
broken this has absolutely no impact on the security of isogeny-based
protocols and SQIsign in particular. While they're both based on isogenies
the kind of assumptions and information revealed are significantly
different so there is no sort of risk of the attack carrying over. But the
other reason why I mention it maybe even more significantly is that these
attacks relied on some new techniques that were introduced specifically for

Andrea Basso: attack that have kind of revolutionized the entire field of
isogeny-based cryptography and that have also made their way into SQIsign
constructively in the sense that the same techniques were used in the
development in the design of SQIsign to obtain a significantly improved version
of the protocol and this is exactly what we saw in 2023 where SQIsignHD
was proposed and the HD is because these new techniques

Andrea Basso: rely on higher dimensional isogenies and that's why we
sort of called them SQIsignHD which was a version of SQIsign that
drastically improved of many aspects. At the same time in 2023 SQIsign, the
original and improved version, were submitted to NIST as part of the first
round of the on-ramp standardization process. After 2023 SQIsign got improved
even more

Andrea Basso: In 2024, we had a series of papers called SQIsign2D which
improved even more and still relied on this higher dimensional techniques
but managed to find the right sort of compromise between the old version
and the new version in such a way that improves on the original and
improves SQIsign basically in all metrics and

Andrea Basso: Then based on this SQIsign2D from last year there is a round
two submission in the NIST standardization process. But the story and as part
of that submission there is also very first work that introduces a rigorous
security proof of SQIsign and later on we have seen a number of works
proposing different improvements to SQIsign that contribute to make it
more efficient and more secure.

Andrea Basso: And I just want to mention here that this is the result of a
large international collaborators. There are currently 30 members inside
the SQIsign team. This span very wide collaboration. It includes I believe
four continents and many more institutions including both universities
industry and governmental research institutes. So it's really the result of
a large collaboration spanning all sort of research and researchers. That
being said, let me now get a bit more into details of how SQIsign looks
and works. And I've tried to keep this fairly high level. But I also have
plenty of supplementary material.

Andrea Basso: So if you have any question please feel free to interrupt, ask
away and me or one of the other people in the SQIsign team will be more
than happy to answer. So at the core of SQIsign we have elliptic curves
and isogenies and in some sense they can be thought of a postquantum
generalization to group exponentiation that we have in def where we replace
the group elements with elliptic curves and we replace the exponents with
isogenies. And in the same way whenever we have an elliptic curve we can
compute an isogeny which then maps this curve onto a new elliptic curve.

Andrea Basso: And this operation is efficient the same way that
exponentiation is efficient. But the fundamental problem in isogeny-based
cryptography is what we call the isogeny problem which precisely states
that given two curves it's hard to find an So exactly in the classical
setting we have that computing an isogeny is easy but given two curves it's
hard to find a connecting isogeny. And this is the most fundamental problem
that we have in isogeny-based cryptography. We are also interested in one
particular type of isogenies which is what we call an endomorphism. And
these are those specific isogenies that start from a curve and somehow end
up back at the same curve. And these endomorphisms form a particular
structure.
00:15:00

Andrea Basso: If you look at all the endomorphisms of a specific curve,
this form what we call the endomorphism ring and this bring us to the
second most fundamental problem in isogeny-based cryptography which is the end
ring problem or the endomorphism ring problem which asks given a curve to
find the endomorphism ring of that specific curve. Luckily for us these are
not two distinct problems but after several work we know now that these two
problems are fully equivalent and let me elaborate a little bit more on
what I mean with equivalent. I mean that we have two algorithms which are
particularly important because these two algorithms will be the basis of
how SQIsign works.

Andrea Basso: The first one says that if we are given a curve and its
endomorphism ring then whenever we have an isogeny departing from this
curve then we can also efficiently compute the endomorphism ring of the
target curve. So in some sense we have that isogenies carry the knowledge of
the endomorphism ring from the starting curve to the end curve. Conversely, we
have that if we are given two curves and their endomorphism rings, then we
can always find a connecting isogeny between the two. So in some sense,
endomorphism rings act as a trapdoor that make the isogeny problem
finding an isogeny between two given curves which is generally a hard
problem into an easy one. And with these two algorithms then we can now see
how SQIsign looks like at a high level.

Andrea Basso: So SQIsign is a signature based on a Sigma protocol which
means that we'll follow the usual structure of having first a commitment,
receiving a challenge and then producing a response. The starting point of
SQIsign public parameter is a curve with its endomorphism ring publicly
known. To generate a public and private key pair, the signer will then
sample a random isogeny which will then constitute the secret key and the end
curve of this isogeny is the corresponding public key. Then to sign a message
the signer first computes a commitment which will be another isogeny the
starting curve and the commitment isogeny will remain secret whereas the
commitment will be the end curve of this isogeny.

Andrea Basso: Then the signer computes a challenge by hashing the
commitment curve together with the public key and the message that they
want to sign and obtain an isogeny from the public key. Then to generate a
response what the signer does is we'll first use the first algorithm that we
see which lets them translate the knowledge of the endomorphism ring. In
particular they know the endomorphism ring of the starting curve. They know
the secret key isogeny which means they can compute the endomorphism ring
of the public key. They also know the challenge isogeny which means they
can compute the endomorphism ring down here.

Andrea Basso: At the same time they can also do the same thing on this side
because they know the commitment isogeny. So they can know the endomorphism
ring of the commitment curve. Once they have this information they can then
use the second diagram that we seen before where we said given two curves
and their endomorphism rings it's always possible to find a connecting
isogeny and this connecting isogeny will be precisely the response. So the
signature will then consist of the response isogeny and together with the
challenge isogeny. And to verify that this is correct then it will be simp it
would be enough to check that this response isogeny goes from the challenge
curve onto the commitment curve and this is sort of how SQIsign looks like
at a high level.

Andrea Basso: All the different improvements that have taken over that have
happened over the years have changed how the specific algorithms to do
these two operations look like and work and that's where all the
improvements have come from. This sort of high level view has remained
consistent throughout all versions of SQIsign and crucially the big change
from SQIsign, the original SQIsign, to the HD variant comes in the way that
the response isogeny is represented. So now let me give you some concrete
numbers to show how SQIsign actually performs in practice.
00:20:00

Andrea Basso: As I mentioned at the very beginning, SQIsign is incredibly
compact and obtains the smallest signatures of all postquantum protocols.
And for instance, if we look at the NIST level one security what we obtain
is that the public key is only 65 bytes and the signature is only 148
bytes. On the performance side, what we have is that through several
improvements, SQIsign is what we consider to be practical. It's not the
most efficient signature, but it's still practical for most applications.
And where we have that on a fast but also regular average computer, signing
takes roughly 30 milliseconds and verification is down to 1.5 milliseconds.

Andrea Basso: again for NIST level one. Since we talked about the
implementation, let me delve into it a little bit more. And one if not the
major downside of SQIsign is that its implementation is rather complex,
especially compared to other families of postquantum signatures. And the
reason for that is that the implementation needs to have three distinct
building blocks. On one end we have that we need to implement finite
fields, elliptic curves, pairings, isogenies. Most of this is comparable to
what we have in classical ECC cryptography but with addition of isogenies
which already add a little bit of complexity even if not much.

Andrea Basso: Then as I mentioned the introduction of these HD
representations have required a complete new different representation for
the response which in turns requires working with hyperelliptic curves and
isogenies in dimension two which adds additional complexity. And then the
third fundamental building block are quaternions are how we represent
endomorphism rings and how we actually implement all the algorithms that
for instance given two curves with their endomorphism ring allows us to
obtain a connecting isogeny. The main downside to this is that because we need
to work with quaternions which are generalization to dimension of complex
numbers. You can think of it as a complex number where rather than having
two components you have four of them.

Andrea Basso: It does require to work with integer arithmetic rather than
finite field one which means that integers don't necessarily have a specific
bound. And that's actually one of the reason why right now SQIsign does
not have a constant time implementation. But having said this let me sort
of given you a brief overview of how we see the current situation for
SQIsign and how would we see it evolve over time specifically for the sort of
three main components which are algorithm specification, the security aspect
and implementational aspect. On the algorithm side what we have is that SQIsign
has changed a lot over the last 5 years.

Andrea Basso: has improved drastically, but it's finally stabilizing and
it's finally sort of converging to a final design. And with that being
said, we don't expect the signature encoding to change much, but we still
expect to see some improvements at the algorithmic level. For instance,
just a few months ago, there's been some improvements proposed that
significantly speed up the signing procedure by a significant margin up to
two times as fast. So, we expect to incorporate those kind of algorithmic
improvements which will give us a speed up but also mean that the algorithm
will have to change somewhat.

Andrea Basso: On the security side, we have that finally SQIsign has a
rigorous mathematical security proof which shows that the security of
SQIsign reduces to a small variant of the endomorphism ring problem which was
one of the most fundamental security problems, security assumptions in
isogeny-based cryptography. So we don't expect the security paradigm to
change at all going forward. On the implementation side, as I mentioned,
it's not constant time yet. It has evolved a lot and it's now slowly
getting mature, but further work is needed to obtain a constant time
implementation and this may require both engineering work to for instance
bound the size of the integers so that we can have a constant time
implementation of the integer arithmetic.
00:25:00

Andrea Basso: but it is also likely that some algorithmic changes are
necessary to make sure that this constant time implementation does not
suffer a significant slowdown and at the same time we do expect the
implementation to improve further because for instance we don't have any
kind of AVX implementation yet which may give us significant speed up in
the verification side and overall including some of the algorithmic changes
that are recently being proposed. We do expect the performance profile of
SQIsign to improve over time even somewhat significantly. So let me just
quickly wrap up what we seen and then we can open the conversation for
discussion.

Andrea Basso: What we have is that SQIsign is extremely small. Again less
than 70 bytes for public keys and less than 150 bytes for signatures which
is actually smaller than RSA. It's also practically efficient for a large
number of applications and we expect it to become better over time. It also
relies on a fairly conservative design. Several variants of SQIsign have
been proposed to sort of trade off some efficiency for a less secure
version but the current version of SQIsign takes a very conservative
approach and at any point always chose the most sort of conservative secure
design choices.

Andrea Basso: So overall we are confident in security of SQIsign and we
believe it relies on a fairly conservative assumption and we expect as I
mentioned before SQIsign to still be improved further especially from an
efficiency point of view. Of course all of this comes at a cost. SQIsign while
being somewhat practically efficient is still much slower than other
postquantum signatures such as those based on lattices and requires a fairly
complex implementation which also means that we don't have a constant time
implementation yet but there is several ongoing works that are aiming to
fix this problem. So we can hope to have a constant time implementation in
the future. Thank you very much for your attention.

Manu Sporny: Thank you Andrea. That was wonderful. Really appreciate the
presentation. If you have any questions, please go ahead and raise your
hand. I do have a couple to start. So everything in the presentation sounds
great. I mean, it's very much aligned with our expectations around
SQIsign. I'll note a couple of things that we focus on here. So we don't have
an opinion on the underlying fundamental approach that you're taking. I
mean I think that work is fantastic and it's happening elsewhere and we are
just going to depend on whatever output you have, right. What we are
standardizing is a higher level kind of cryptographic packaging format.

Manu Sporny: So we will use cryptography that you have, whatever
improvements that you make, which means that if the byte format of the
signature changes it doesn't really affect us too greatly. If the run times
get 10 times slower we still find it very valuable, right, for the use cases
that we're looking at. I mean again the key thing with SQIsign that is most
exciting at least to us are the public key sizes and the signature sizes.
We hear you on all of the current challenges that need to be improved.
Constant time implementation, no AVX, stuff that we're not concerned about.
We know that your community is going to continue to work on that.

Manu Sporny: And barring any kind of fatal flaw in the solution I would
imagine we would just use it, continue to use it. Okay so all that to say
that our community is most interested in starting to experiment with what
the final global standard would look like. And we can do that in a way that
allows you huge latitude. You can change a lot of what you're working on
and it won't affect us. We just need to say that we're going to be using
SQIsign. These are the general properties. We can warn, we can say it's
experimental.

Manu Sporny: We can warn about that the byte format might change, that the
approach might change, that constant time implementation might create some
kind of performance degradation but I think any of those changes would be
well within the bounds of what we would be happy with. So, all that to say
that it sounds great. So far we've got some questions. Let me kind of
highlight how this typically works. So, typically a group of mathematicians
and applied cryptographers work on the fundamental technology. That's your
group and what you're already doing, right? We stay out of that.
00:30:00

Manu Sporny: Whatever you come up with we end up using. At some point what
you have written ends up having to go to something like the Internet
Engineering Task Force for the fundamental cryptography. So that's one
thing that we depend on is that what you are creating goes through the
Internet Engineering or Internet Research Task Force, their Crypto Forum
Research Group, which I know a number of you are already on. So that is a
requirement. We will depend on the output of that work. Greg Bernstein here
who you see on camera is someone that has participated in standardizing the
BBS signature scheme at IETF and we're happy to work with anyone to put that
work together. But that is a requirement. We need to get started on putting
those documents together, get it adopted.

Manu Sporny: it takes years unfortunately but we want the solution to work
in the end right that's why it takes so long it sounds like you have a very
good review of the work I mean that's one of the hardest things is ensuring
that you have a good community around it and it's got a good cryptographic
review that will be important at the internet engineering task force all of
this work can happen in parallel so the work that you're doing

Manu Sporny: the work at the Internet Engineering Task Force and the work
at the World Wide Web Consortium can all happen in parallel and we are gated
on the global standard by the work being completed at the IETF, right. So it
doesn't need to be a NIST adopted thing but it does need to go through CFRG
at the IETF and that will take a while. The work that we do here is a
packaging format. It's the easiest part of the work, right? It's just like,
okay, this is what the data blob looks like. This is where the signature
goes, that sort of thing. So let me stop there. Was that kind of how you
were expecting things to go? Like that's typically the way the work
is structured. Do you see any issue in the way the work's structured?

Andrea Basso: I don't see any issue…

Andrea Basso: if I mean I also don't want to hog the call. So if anyone
else from the SQIsign team has any different opinion, please speak up. But
I don't see there is any issue with that.

Manu Sporny: Any other comments?

Manu Sporny: Any other concerns around that? Go ahead, Greg.

Greg Bernstein: Thank you for the presentation. I've been looking at the
papers and I was going, how does this all fit together? when I listen to
things, I heard a couple things that made me think about almost the next
step is for privacy preserving. And that's where I heard you're basing
things off Sigma protocols and there was a mention of trap doors and things
like that. And when I start hearing a couple of those things, I think that
we maybe have mechanisms or there could be mechanisms for blind signing and
pseudonym type features and unlinkability. I don't know…

Greg Bernstein: if anybody's worried or thought about that. Have you guys
thought about those issues?

Andrea Basso: So I think there has been people…

Andrea Basso: who have thought about at least some of these. For instance
blind signatures, that's something that we currently don't know how to do. I
think there are some challenges in getting a blind signature that right now
we don't know how to solve. There are some variants of SQIsign that have
been used to construct things like ring signatures which may also be
helpful for privacy-preserving applications…

Andrea Basso: but I think things like ring, sorry, blind signatures, it's not
something we currently support. There's also been work that has been
happening on developing zero knowledge proofs for things strongly related
to SQIsign…

Greg Bernstein: Okay.

Andrea Basso: which may be used for things like unlinkability but right now
this is still ongoing work. so yeah, I mean I cannot make any sort of
promises or…
00:35:00

Greg Bernstein: Not ruled out,…

Andrea Basso: guarantees on how it's going to end up

Greg Bernstein: but nothing we have specifics on yet. Okay.

Manu Sporny: Any other questions for Andrea or the general SQIsign
community? I do have a followup on that question. So the other thing that
we really want a postquantum solution for are unlinkable signatures with an
everlasting unlinkability property. That's just vital for the types of
credentials that people are using. As folks know, for those that are not
familiar, the reason unlinkable signatures and blind signatures and
pseudonyms are so important is that they enable you to prove things in zero
knowledge like using your driver's license or national ID card. I am over
the age of 18. I live in the European Union.

Manu Sporny: I am a citizen of X I make a certain amount of money for loans
and things like that. I am unemployed all of those things are sorts of
disclosures that we would like to make with these digital credentials using
a base credential. ideally these are things that we can do BBS signatures
we can do these with the other nice thing that we have right now with the
data integrity approach at W3C is that we can put a number of signatures in
parallel on a data object.

Manu Sporny: So, we can have something like a driver's license and we can
sign with ECDSA with selective disclosure, a BBS, SQIsign, ML-DSA. All of
those are independent signatures on the same data blob and you can as a
holder of this data object decide which one you want to use as a
negotiation between So the verifier might say I take SQIsign. Use any of
those. And then you have the cryptographic tooling to do a disclosure that
way. So just because SQIsign might not have those features doesn't mean
that it's not useful still.

Manu Sporny: It's... but the most amazing thing would be ski sign addresses
the postquantum signature problem and has some unlinkable ZKP mechanisms that
would allow us to use it for that as well. I mean again Sigma protocols,
there's pairing going on. It feels like there's something in there that we
could potentially reuse, but we hear you loud and clear that it's not a
current area. Have any of you looked at, you mentioned the ZKP approaches,
Andrea? Are you mentioning things like Longfellow ZK or circuit-based
cryptography?

Manu Sporny: Or are you alluding to something else when you say ZKP
approaches have been looked at for ski sign?

Andrea Basso: The current method that I was mentioning uses generic
hash-based zero knowledge proofs and tries to apply specifically to the kind
of language and isogenies used within ski sign.

Manu Sporny: And forgive me my background is not in cryptography so you
will almost certainly need to simplify for me.

Manu Sporny: Are you saying that by hash-based, I know the circuit-based
cryptography depends heavily on hash-based, is it in that kind of like Muth's
work in that area or is it separate from the Longfellow ZK cryptographic
circuits-based approach? Okay,…

Andrea Basso: I'm not super familiar with the things you were mentioning,
so I don't want to speculate too much.

Manu Sporny: That's fine. Is there anyone else on the call that has been
looking at some of the cryptographic circuit approaches? This is something
that the European Union is considering for application to ISO mDL, mdoc
and the SD-JWT VC stuff, right?
00:40:00

Manu Sporny: The challenge with the approach, if there are folks that are
familiar with that work, is that you have to agree to a cryptographic
circuit for every single type of disclosure you want to make. Scalability
is a bit of a concern there, whereas with BBS you don't need to commit to
the particular circuit that's being run. The benefit of the Longfellow ZK
approach, especially in the EU perspective, is that it can work on any kind
of legacy and future-facing cryptography format.

Manu Sporny: So the presumption is that Longfellow ZK would work for ECDSA.
It would work for EdDSA, it would work for ML-DSA, it would work for
potentially the ski sign stuff as well. The downside being that the
cryptographic circuit, I would imagine with ski sign, because it has a number
of kind of more complex components that you put together, the cryptographic
circuit might be very very large or the proof might need to be very very
large. Has anyone in the ski sign community, anyone else on the call,
taken a look at Longfellow ZK or cryptographic circuits as they're applied
to ski sign?

Luca De Feo: So I'm just discovering about Longfellow, just looking at the
page. It seems that you're talking about the same thing, like what Andrea
called generic ZKs is what you mean by circuits. I'm not sure exactly
what cryptography is behind Longfellow. I've not been able to find any
source for this. But yeah, I will explore.

Greg Bernstein: Ligero, some of those techniques.

Luca De Feo: It's based on Ligero.

Greg Bernstein: Yes, Ligero.

Luca De Feo: Then yeah, we're talking really absolutely about the same
things.

Manu Sporny: Okay, great.

Manu Sporny: Great. …

Luca De Feo: But yeah, sizes will be big because we know

Manu Sporny: Yes. Yep. All right, so there's nothing that's immediately
apparent where maybe Ligero wouldn't be applicable. It's an area that needs
further research, but maybe that same approach would be applicable here as
well, which would then give us at least some unlinkable mechanisms. Okay, that
sounds good. Okay, so maybe, are there any other questions? Again I want to.
Go ahead, Greg.

Andrea Basso: It's

Greg Bernstein: This is because I didn't get through the entire submission. I
was reading through the submission. I was curious about the implementation,
the size of the code, and is it, some of this is required by NIST. You had to
have just a plain C implementation or…

Andrea Basso: Excuse me.

Greg Bernstein: do you have multiples and are they available? I'm also the
person that runs the test vectors. So it's like if we were going to put
together start putting together the draft and I can get the code I can run
the algorithms and produce the signatures and things like that.

Greg Bernstein: What's the state of do you have open source code for this?

Greg Bernstein: I assume so. But in what languages

Andrea Basso: So I believe the only complete, mature implementation that we
have is the one that is part of the NIST submission, written in C.

Andrea Basso: But there are a few people here on the call that work
specifically on the implementation. So if they have anything else to add,
please go ahead.

Giacomo Pope: There's a few other implementations of verification but the
current implementation of signing is just written in C and…

Greg Bernstein: Okay. Yep.

Giacomo Pope: key generation but key generation and signing are kind of a
step more complicated than verification.

Giacomo Pope: So verification has been easier to port to other languages.

Manu Sporny: And I mean that gives us a base that we can implement from,…

Manu Sporny: right, Greg? I mean we can just for now just pull in the C
version, put a couple of wrappers around it and use that as the thing that
generates the initial test vectors. I want to also talk a bit about
collaboration on this. Do you have anyone in your community that's
currently working with the CFRG or Internet Engineering Task Force to
create drafts for Ski Sign? No. Do you have anyone with that expertise? And
we're happy to work with you, but if you already have someone doing it,
that would be ideal because the more we can parallelize the work, the
better. Do you know of anyone that is planning to submit anything to CFRG?
00:45:00

Luca De Feo: Not really in the team, but in IBM we have some experience. So
team adjacent, we can talk to people here who have been part of these things

Manu Sporny: Do you feel like now is the right time to start knowing that
it can take years, right? do you want to and things can change. You don't
have to have everything locked down before you start. do you feel like now
would be a good time to start on that work or do you feel like you would
much rather to get to a more stable place before defining that how the
algorithms typically if you can write down 60% of the algorithm and feel
pretty good about it it's a good time to start. I don't know if that's for
key generation for signing for verification that sort of thing.

Manu Sporny: Go ahead Greg please.

Greg Bernstein: I was just curious about the relationship and…

Greg Bernstein: the timeline, this with NIST, because yes, you can go directly
to CFRG, but if it's still alive with NIST and NIST has a shorter time
frame, CFRG and IETF do just take things like some of the algorithms
that have been blessed by NIST. And so it's kind of a combination because
we just saw KangarooTwelve and some of TurboSHAKE come out of CFRG. They
weren't going to come out from any place else. If you guys are on a fairly
quick track with NIST, that's good, too.

Greg Bernstein: we can work with that and we don't have to have separate
blessing from the CFRG.

Greg Bernstein: So I wasn't quite sure we don't know what's happening with
the government. It's shut down right now and such. So…

Andrea Basso: Yeah, I believe it was announced that NIST is considering going
for a third round after this one, possibly towards the end of 2026.

Greg Bernstein: where are we?

Andrea Basso: So I guess it would be if they are going I mean I don't want
to speculate too much but I imagine that if they were going for a
standardization decision after round three this would come at the earliest
probably towards the end of 2027…

Greg Bernstein: Might be better to start now than at this or…

Andrea Basso: if not 2028.

Greg Bernstein: start sooner with the CFRG.

Manu Sporny: Yeah, I mean more coverage.

Manu Sporny: The only downside with dual tracking at NIST and CFRG is it's
more effort. Someone would have to do the work. it's not a tremendous
amount of effort, but it does require at least one or two people to be
dedicated maybe quarter of their time to moving that stuff forward. okay,
but I'm hearing that you don't currently have anyone that's applied to do
that. Go ahead, Luca, please.

Luca De Feo: Yeah, just as the person who tries to manage the sleep cycles
of the team and not to overload them. In my opinion, of course this needs
to be discussed, but in my opinion, dual tracking right now in NIST would
put lots of loads on the team and would probably lead to diverging
standards because I'm pretty sure that there will be changes when call for
the next round and of course if ski sign advances to the third round we
would then want to apply them.

Luca De Feo: So I think that maybe the best time, assuming that NIST doesn't
go for yet another round after the third one, which I suppose didn't happen,
I would expect them to finalize with this third round, maybe the best time
to start thinking about going to CFRG is after we finish the submission to
the third round, when we have a clear picture of what we want the final
version of sign to be, and then one should still expect that NIST will make
changes if they ever standardize ski sign. But then at least internally
within the team, we have a good feeling of what we want ski

Manu Sporny: Okay.

Greg Bernstein: But we can run stuff at W3C separate of whether it goes
through NIST or CFRG. We just need to have algorithms and…

Greg Bernstein: things like that because once again we're a level up.
00:50:00

Manu Sporny: Yeah. Yeah.

Manu Sporny: Yeah. I mean I think what I'd suggest so as far as W3C is
concerned,…

Manu Sporny: we don't care where it's standardized, we don't care if it's
at NIST, if it's at ETSI, if it's at …

Greg Bernstein: Hey, so we don't care.

Manu Sporny: CFRG, it doesn't matter. We just need a stable thing that
has been vetted to point. So I hear you, Luca. So maybe yes, it's up to you to
figure out what the best thing for the team is. I think separate of that
decision, I think we would like to start integrating it with the W3C data
integrity stuff immediately because what we need is to understand how
applications integrate with the technology. We need to generate signatures
and put them in QR codes and see how they work for things like vital
records, birth certificates and driver's license. There you go.

Manu Sporny: So we need to put these things on paper. We need to integrate
them in with the protocols to understand what's the back and forth look
like over verifiable credential API or OID4 or the digital credential API.
So I think we would, and we already have ski sign as a section in the
postquantum signature suite. I think, Greg, the next thing that we need to
do is generate test vectors. Not that they're final or anything. We just
say, "Hey, we'd like other implementers." Do we know of anyone else that's
doing implementations right now that in anything, ABX, C, Python, whatever.

Manu Sporny: How many other, do we have other implementers in other
languages yet? Yeah,…

Luca De Feo: There are some people who are outside the team who are working
on ADX, pretty early stages. Then we have a half working Sage
implementation. But yeah, that's a big dependency.

Manu Sporny: The reason I ask is because to get anything done at W3C, the
global standards track, you have to have test vectors and at least two
completely independent implementations, right?

Manu Sporny: So one thing we couldn't do is just use the C implementation
for all the implementations and take't that won't work. so the other thing
that we'd need to get through the standardization process is at least two
independent implementations. I'm sure it will come in time right but the
sooner we can show that the better. okay so let's talk about then what are
the concrete next steps? I mean the first thing is we need connectivity
with your community because we're not cryptographers, we need to depend on
your work. I think what we're also saying is we're just going to wait to
see what the next round of NIST looks like, changes, is there going to be
another round, whatever, and make a decision on IETF at that point. So that
decision point is next year probably at some point.

Manu Sporny: But more immediately I think we're going to try to use your C
implementation get some test vectors into the postquantum signature
specification and then try to see what it looks like a full end to end with
verifiable credentials what that looks like.

Manu Sporny: Does that sound like a reasonable kind of set of next steps?

Greg Bernstein: Yeah, because I don't mind taking a look at the C
implementation to see…

Greg Bernstein: if I can get basic inputs, outputs, sign some data and things
like that, even as I try to learn to get up to speed on isogenies. I saw
that folks have a good chunk.

Andrea Basso: Squitch.

Greg Bernstein: So you do have some stuff going on in Rust, which is great.
So, that would be very cool.

Manu Sporny: Yeah.

Greg Bernstein: Are there any other things we should know about using ski
sign as a drop in replacement for ECDSA, a postquantum?

Greg Bernstein: I mean, are there any key rotation issues or things like
that? The only thing so far you've mentioned is you don't have a constant
time thing. Some of us are doing stuff in languages that aren't constant
time. I mean, I have an independent BBS thing that's written in JavaScript
just so we have one more implementation. So, I'm not super concerned about
that. But is there any other finicky thing about ski sign for those of us
not up to speed on the details yet?
00:55:00

Andrea Basso: Yes.

Luca De Feo: Malleability maybe. Yeah.

Greg Bernstein: Okay. Da from my perspective of somebody running it
algorithms on it.

Greg Bernstein: It's not. So, I mean, which is the main thing we're shooting
for. I've seen certain folks talking about combiners and such like that
over at CFRG recently, trying to get SUFF in like a hybrid and stuff like
that. But that sounds pretty good, because those signatures are nice and
short.

Greg Bernstein: And so I mean for me doing some postquantum stuff, one of
my very boring but aspects of it is when I create test vectors, how do I
deal with such a huge public key and a huge signature? I don't have that
problem with CI. So I appreciate it.

Manu Sporny: I think we're almost out of time. Again, very much really
appreciate the presentation today. Thank you again very much to the Ski
Sign team. Thank you, and the rest of the community. This work is really
really important and exciting to us. I think the next step is I'll send
out an email talking about how we can communicate better through mailing
list and things like that. I think next concrete step is Greg will just
start on trying to do a ski sign implementation test vector stuff at the
high level to just get that integrated and…

Greg Bernstein: We had a question.

Manu Sporny: then we'll be in touch I think over the next couple of weeks
to months.

Andrea Basso: I cannot hear you.

Manu Sporny: Yes,…

Greg Bernstein: Did Boris have a question? Oops.

Manu Sporny: please, Boris. you might be muted.

Boris Fouotsa: Hi. Okay.

Manu Sporny: There we go. Yes. Yeah,…

Boris Fouotsa: I wanted to know if you have at least one of solution for
all the things you were asking if we could long life only in life only in
you. Do you have at least one solution or…

Manu Sporny: I mean there are three in the spec right now. Standard FIPS stuff,…

Manu Sporny: ML-DSA, we're looking at Falcon, if it's…

Boris Fouotsa: I…

Manu Sporny: if it's coming out from NIST, we are supporting and then the
specification. but I mean, all of the solutions so far don't have the
qualities that Ski Sign has.

Manu Sporny: We would prefer to just use ski sign, understanding that it
still needs to go through NIST standardization. Did that answer your question?
Boris, I don't think I'm understanding the question.

Boris Fouotsa: I don't know if it was the right what I was using but I
didn't mean signature part but the advanced signature properties that you
were asking for, the unlinkable ring signature and all. You also have them
from ML-DSA or…

Manu Sporny: You're saying do we have kind of ring style solutions from
ML-DSA?

Boris Fouotsa: You were asking about you mention lifelong unlinkability the
linkiness of Yes.

Greg Bernstein: Unlinkability.

Greg Bernstein: We only have BBS for that.

Manu Sporny: Yeah. We don't have unlinkability with any of the other
postquantum signatures.

Boris Fouotsa: So okay yeah Okay.

Manu Sporny: Yeah. The only solution to having unlinkability with the other
postquantum solutions right now is the Ligero Longfellow ZK stuff.

Boris Fouotsa: Okay.

Manu Sporny: And even that's the only hope. No one's actually demonstrated
that that's possible, right?

Greg Bernstein: Olivier Sanders' group does have some stuff that looks
interesting with some trapdoors with lattices but I haven't heard back
from him in a while. I had some emails at the beginning of the year and he
said we're not quite ready.
01:00:00

Greg Bernstein: …

Greg Bernstein: that's where we're at as far as inherent postquantum,…

Boris Fouotsa: Thank you very much. Yeah.

Greg Bernstein: unlinkable, blind and such. The pairing is for getting the
isogenies right.

Manu Sporny: Yeah, exactly.

Manu Sporny: Okay. And what Dave Longley is saying in the chat right now,
the other reason we were excited about Ski Sign is you're doing
pairing-like things.

Manu Sporny: And those seem to be very conducive to doing unlinkable
things. No,…

Giacomo Pope: Yeah. Yeah.

Manu Sporny: Luca is saying Okay. My heart is broken, Luca. And I was
hoping that.

Andrea Basso: Ouch. Peace.

Luca De Feo: Yeah. Yeah.

Luca De Feo: There's just a clash of meaning, we use pairings for going fast,…

Manu Sporny: That makes me so sad.

Luca De Feo: not for getting security. It's not going to happen that way.

Manu Sporny: Got it. Okay. That makes me sad. But thank you. That's why,…

Manu Sporny: it's important to understand that. Okay. We are out of time.
Thank you again very much.

Manu Sporny: really appreciate all the work. We will be in touch over email.

Manu Sporny: Thanks Have a good one. Take care. Bye.

Andrea Basso: Thank you. Bye.

Luca De Feo: Bye-bye. Thanks.

Boris Fouotsa: Bye. Thank you.
Meeting ended after 01:01:27 👋

*This editable transcript was computer generated and might contain errors.
People can also change the text after it was created.*

Received on Thursday, 23 October 2025 22:15:23 UTC