STATUS: RAW DRAFT
Goal is an opinionated version of something like Cryptographic Right Answers but focused on the needs of the decentralized identity and cryptocurrency ecosystes, and the needs of the Patrons of Blockchain Commons.
See also my replies to:
- https://lists.w3.org/Archives/Public/public-credentials/2022May/0048.html
- https://lists.w3.org/Archives/Public/public-credentials/2022Apr/0109.html
In the [Cryptography Review of W3C Verifiable Credentials Data Model (VCDM) and Decentralized Identifiers (DIDs) Standards and Cryptography Implementation Recommendations] funded by US Department of Homeland Security: http://www.csl.sri.com/papers/vcdm-did-crypto-recs/
RECOMMENDATION: Transition all block ciphers to AES.
I don't agree with most of this document, in particular that the recommendations here are largely bad long-term — many are clearly better than current practices for incremental improvements for the short term. My concern is that they continue an old-style of thinking and lock you into architectural choices that are too limiting for the longer term.
AES certainly is a minimum viable block cipher, and older ones were long overdue to be deprecated. However, AES has been broken with demonstrated key-recovery attacks from side-channels in many practical settings, and there is a large group of cryptographers who don't consider it safe. I'll crib from last week's #RealWorldCrypto conference slides https://iacr.org/submit/files/slides/2022/rwc/rwc2022/105/slides.pdf — "there is more that we want from our block ciphers today":
- Format preserving encryption
- searchable encryption
- order-preserving encryption
- white-box cryptography
- full-disk encryption
- ciphers suitable for protocols like multi-party computation, zero-knowledge proofs, etc.
- Nonce-misuse resistance
- related-key security
- combined functionality
- inherent side channel resistance
- key commitment
- suitable for constrained environments etc.
Though there are a number of candidates in these areas, many practical implementations today are variants of, or leverage the ChaCha stream cipher, and the Poly1305 message authentication code (MAC), in particular ChaCha20-Poly1035 which is recommended for use by TLS 1.3. (we shortly will be supporting this directly as a CBOR object in Blockchain Commons specs). These two primitives also support a wide variety of other solutions, including in particular full-disk media encryption on all Android devices which doesn't require the overhead storage of nonces for their use case, and punctuated perfect forward secrecy in Signal. There is no mention of ChaCha or Poly1305 in the entire NIST document!
In my opinion, AES should be considered Legacy -> Deprecated. It should only be used if you are locked into using legacy because of NIST-certified low-performance chips that only have hardware support for AES and SHA256. And if you do, you need to deeply understand the differences and limitations of AEAD-AES-GCM-SHA & AES-CTR with HMAC. As we are beginning to see chip support for other block and stream ciphers in hardware, and many of those that don't have new primitives often can do ChaCha20-Poly1305 a reasonable amount of time using JavaCard code or other C libraries. If you can do ChaCha20-Poly1035, use it.
I do feel ChaCha20-Poly1305 isn't perfect. For one thing, it is overkill. I think a ChaCha8 would probably have been sufficient for the next decade(Google's Adiatum https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html does ChaCha12). But it is now an IETF standard (RFC7539) and there is quality reviewed code available out there to implement it. Thus it rates Best-Practice in my book.
A long-time challege for internet security are low-entropy passwords used to authenticate a user with a server, in particular when the server may be compromized or honeypot to collect passwords from many users. The oldest techniques are to use a KDF (Key Derivation Function) to hash the password, and typically leveraged a MD5 or PKDF2. These are vulnerable to approaches like Rainbow Tables, and the oldest KDFs are now trivially breakable (see Hive Report 2022. Even more advanced techniques that do salting & 1000s of iterations like bcrypt & scrypt are beginning to show weaken against brute-force attacks.
With PAKE(Password-Authenticated Key Exchange), the two entities, who only share a password and may be communicating over an insecure channel, can authenticate each other and agree on a large session key for protecting their subsequent communication. These techniques typically leverage public key cryptography such as DH(Diffie-Helman Key Exchange).
The most interesting new approach to PAKE is OPAQUE, which improves significantly on many other PAKE schemes. It offers the ability to hide the password from the server, even during password registration, does not need to leverage PKI (Public Key Infrastructure), offers security against pre-computation attacks upon server compromise, provides forward secrecy, supports user-side hash iterations, and allows a user-transparent server-side threshold implementation. All powerful features. OPAQUE is reasonably well-reviewed, and is in the process of becoming and IETF Draft, however, many security architects worry that it is too new (2018). IMHO it should be the current best practice, and I also feel the general approach may have broader applicability to be used in future protocols.
-
OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation AttacksPDFcited by
-
IETF draft-irtf-cfrg-opaque - This is the current IETF standards proposal, currently a draft version 8, being evaluated by the Internet Research Task Force (IRTF). Note that section 10.1 describes a number of design differences between it and the original OPAQUE paper.
-
IETF draft-sullivan-cfrg-hash-to-curve - OPAQUE requires a hash to curve function, and this document describes them. This is the current IETF standards proposal, currently a draft version 14, being evaluated by the Internet Research Task Force (IRTF). Interestingly, it does specify a suite for secp256k1 (in 8.7) one of the few IEFT standards that mention secp256k1.
Saved at 2022-05-24 20:20
slide on key & signature sizes
kxg committments https://twitter.com/bkiepuszewski/status/1518163771788824576?s=12&t=o4n8bUgfotR0DiWdLNiJ4A
- Frozen Heart - FoRging Of ZEro kNowledge
- Understanding PLONK
- Fast recursive arguments based on Plonk and Halo | Mir | Scaling Ethereum
- Plonky: Recursive proofs based on Plonk and Halo - Implementation - PLONK Café
- Zcash’s Halo Breakthrough Is a Big Deal – Not Just For Cryptocurrencies - CoinDesk
- https://eprint.iacr.org/2020/1573.pdf
- https://anoma.net/blog/an-introduction-to-zk-snark-plonkup/
- Halo Principle Explained. In series 2, we reviewed the… | by Sin7Y | Medium
- What is Jubjub? - Zcash
-
HARDWARE-BASED SECURITY PRIMITIVES AND THEIR APPLICATIONS TO SUPPLY CHAIN INTEGRITY
-
Watson, Moore, et al - Capability Hardware Enhanced RISC Instructions (CHERI)
-
Comments of the American Civil Liberties Union, Center for Democracy & Technology, Electronic Privacy Information Center, and Electronic Frontier Foundation to the Transportation Security Administration Dept. of Homeland Security on Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Waiver for Mobile Driver's Licenses (2023-10-16). [PDF document]. Retrieved 2024-01-02 from Electronic Frontier Foundation: https://www.eff.org/document/10-16-2023-aclu-eff-epic-comments-re-tsa-nprm-mdls.
TAGS: #DigitalIdentity #PrivacyRights #MobileDriversLicenses #FederalRegulations #CivilLiberties #RealIDAct #TSA #PrivacyPreservation #GovernmentStandards #IdentificationSecurity #PublicPolicy
SHORT ABSTRACT: "This document presents a collective response from the ACLU, CDT, EPIC, and EFF to the TSA's proposed standards for mobile driver's licenses. It critically assesses the privacy implications and the sufficiency of proposed security measures, urging caution against premature implementation without adequate privacy safeguards and interoperability standards. The comments emphasize the need for a comprehensive, privacy-preserving digital identity system and caution against vendor lock-in, underscoring the broader impacts on civil liberties and effective identity management."
KEY QUOTES:
- "The use of mobile driver's licenses (mDLs) in federal identification and screening processes, such as at TSA checkpoints, raises substantial privacy and civil liberties concerns that are not adequately addressed in the NPRM."
- "It is crucial that privacy and security considerations, particularly the minimization of data collection and sharing, be central to the development of mDL standards."
- "We are concerned that the proposed standards do not prevent unnecessary collection or retention of personal information by entities verifying an mDL."
- "The implementation of mDLs must include robust security measures to prevent unauthorized access to sensitive personal information."
- "The deployment of mDLs should not lead to mandatory use or become a de facto requirement for citizens, thereby infringing on individual choice and privacy."
- rwot7-toronto/offline-use-cases.md at master · WebOfTrustInfo/rwot7-toronto
- https://eprint.iacr.org/2017/339.pdf
- exa/ls47: Variant of hand-computable ElsieFour cipher with 7x7 3D-printable board - ls47 - Gitea on blesmrt.net
- Sami Lehtinen - LC4 & LS47 cipher printable tiles sheet (PDF & PNG)
- roconnor-blockstream/SSS32: A paper computer for Shamir's Secret Sharing over the Bech32 alphabet.
- Cryptology ePrint Archive: Report 2019/1004 - Forkcipher: a New Primitive for Authenticated Encryption of Very Short Messages
- Rudefox
- Uncrackable DIY Pencil-and-Paper Encryption - ITS Tactical
- How to Share a Secret in Production | by Web3Auth | Web3Auth | Medium
- https://eprint.iacr.org/2018/163.pdf
- Merlin Goes OPAQUE for Key Exchange | by Russel Van Tuyl | Posts By SpecterOps Team Members
- Oblivious transfer
- opaque-ke - crates.io: Rust Package Registry
- Let’s talk about PAKE – A Few Thoughts on Cryptographic Engineering
- novifinancial/opaque-ke: An implementation of the OPAQUE password-authenticated key exchange protocol
- GeorgeLyon/Opaque: An implementation of the OPAQUE protocol
- stef/libopaque: c implementation of the OPAQUE protocol with bindings for python, php, ruby, lua, zig, java, erlang, golang, js and SASL.
- draft-irtf-cfrg-opaque-08
- draft-irtf-cfrg-voprf-09
- Authenticated Key Exchanges - Dhole Moments
- cpace package - filippo.io/cpace - pkg.go.dev
- OPAQUE protocol versus PAKE protocol · Issue #2 · schollz/pake
- FiloSottile/go-cpace-ristretto255: An EXPERIMENTAL Go implementation of the CPace PAKE, instantiated with the ristretto255 group.
- draft-haase-aucpace-05
- BjoernMHaase/AuCPace
- pake - What's going on with the complicated implementations for map_to_curve in draft-irtf-cfrg-hash-to-curve? - Cryptography Stack Exchange
- pake-cpace — Rust crypto library // Lib.rs
- codahale/vrf: Ristretto255/STROBE-based VRF
- codahale/commit: Pedersen commitments with Ristretto255 and STROBE.
- Peer DID Method Specification
- decentralized-identity/peer-did-method-spec: A rich DID method that has no blockchain dependencies. The verifiable data registry is a synchronization protocol between peers.
- did-git-spec/did-git-spec.md at master · dhuseby/did-git-spec
- decentralized-identity/github-did: Decentralized Identity with Github
- KERI Resources - Keri.one
- Papers/KERI_for_Muggles.pdf at master · SmithSamuelM/Papers
- Papers/IdentifierTheory_web.pdf at master · SmithSamuelM/Papers
- keri/KERI-made-easy.md at master · decentralized-identity/keri
- Simplify Delegated Events using Hetero Attachments · Issue #146 · decentralized-identity/keri
- decentralized-identity/keri: Key Event Receipt Infrastructure - the spec and implementation of the KERI protocol
- Papers/KERI2_Overview.web.pdf at master · SmithSamuelM/Papers
- keri/Q-and-A.md at master · decentralized-identity/keri
- Update to the correct location of the did:keri specification. by pfeairheller · Pull Request #395 · w3c/did-spec-registries
- https://arxiv.org/pdf/1907.02143.pdf
- Yehuda Lindell on Twitter: "I have published a simple 3-round protocol for Schnorr on ePrint that relies on standard assumptions and is fully simulatable. This is a paper with a very conservative design, doing the obvious. It may make sense for deployment. See https://t.co/eFCc7mnyAP" / Twitter
- https://eprint.iacr.org/2022/374.pdf
- FROST [WIP] by jesseposner · Pull Request #138 · ElementsProject/secp256k1-zkp
- Replace MuSig(1) module with MuSig2 by jonasnick · Pull Request #131 · ElementsProject/secp256k1-zkp
- musig-cli/README.md at master · BlockchainCommons/musig-cli
- Completely switch to 32-byte public keys in bip-schnorr/taproot/tapscript by jonasnick · Pull Request #55 · sipa/bips
- decentralized-identity/SchnorrSecp256k1Signature2019: SchnorrSecp256k1Signature2019
- Implement BIP 340-342 validation (Schnorr/taproot/tapscript) by sipa · Pull Request #19953 · bitcoin/bitcoin
- Add schnorrsig module which implements BIP-340 compliant signatures by jonasnick · Pull Request #558 · bitcoin-core/secp256k1
- w3f/schnorrkel: Schnorr VRFs and signatures on the Ristretto group
- What The Heck Is Schnorr. On Digital Signatures and magic of… | by Rajarshi Maitra | BitHyve | Medium
- What The Heck is Script. Deep dive into Bitcoin Smart Contracts | by Rajarshi Maitra | BitHyve | Medium
- What The Heck is UTXO. Peeking into the Bitcoin Transaction… | by Rajarshi Maitra | BitHyve | Medium
- Submarine Swaps and the era of Trustware. | by Rajarshi Maitra | BitHyve | Medium
- script - Can Schnorr aggregate signatures be nested inside other Schnorr aggregate signatures? - Bitcoin Stack Exchange
- Schnorr multi-signatures
- musign - HackMD
- BlockchainCommons/bc-tor: Tor project fork for use with Blockchain Commons projects, particularly Tor.framework and Mac Catalyst builds
- BlockchainCommons/torgap-demo: Onion Service signing & timestamping demo
- musign-cli/MANUAL.md at master · BlockchainCommons/musign-cli
- BlockchainCommons/torgap-sig-cli-rust: Signing files and verifying signatures in pure Rust for the command line
- Summer 2022 Internship Projects
- BCSwiftFoundation/1-OVERVIEW.md at master · BlockchainCommons/BCSwiftFoundation
- schnorrsig: Adapt example to new API · bitcoin-core/secp256k1@f813bb0
- schnorr signature 32 byte - Google Search
- Introduction to Schnorr Signatures - Suredbits
- Schnorr basics | Popeller
- MuSig2: Multisig with Schnorr | Popeller
- FROST — Flexible Round-Optimized Schnorr Threshold Signatures | Cryptography, Security, and Privacy (CrySP) | University of Waterloo
- ROAST: Practical Asynchronous Distributed Key Generation
- https://eprint.iacr.org/2022/550.pdf
- decentralized-identity/SchnorrSecp256k1Signature2019: SchnorrSecp256k1Signature2019
- Implement BIP 340-342 validation (Schnorr/taproot/tapscript) by sipa · Pull Request #19953 · bitcoin/bitcoin
- w3f/schnorrkel: Schnorr VRFs and signatures on the Ristretto group
- Cryptology ePrint Archive: Report 2018/417 - On the Security of Two-Round Multi-Signatures
- Boneh Publications: A Survey of Two Signature Aggregation Techniques
- Top 5 Reasons Why Threshold Signature Wallets Are Better Than MultiSig — Sepior | by Frank Wiener | Medium
- The Soundness of MuSig | Reyify
- Schnorrless Scriptless Scripts | Reyify
- Multiparty S6 | Reyify
- Flipping the scriptless script on Schnorr | Reyify
- P(o)ODLE | Reyify
- credlib - Credential Library
- [bitcoin-dev] Multi party Schnorr Rust implementation
- [bitcoin-dev] Multi party Schnorr Rust implementation
- Cryptology ePrint Archive: Report 2017/682 - Conditional Blind Signatures
- ZenGo-X/multi-party-schnorr: Rust implementation of multi-party Schnorr signatures over elliptic curves.
- Introduction to Schnorr Signatures
- Introduction to Scriptless Scripts
- The MuSig Schnorr Signature Scheme
- threshold-schnorr-signatures
- The Quest for Practical Threshold Schnorr Signatures - Tim Ruffing - CES Summit '19 - YouTube
- Insecure Shortcuts in MuSig. How (not) to reduce the communication… | by Blockstream | Blockstream Engineering Blog | Medium
- 2020-06-17-tim-ruffing-schnorr-multisig
- MuSig-DN: Schnorr Multisignatures with Verifiably Deterministic Nonces | by Blockstream | Blockstream Engineering Blog | Medium
- MuSig-DN: Schnorr Multisignatures with Verifiably Deterministic Nonces | by Blockstream | Blockstream Engineering Blog | Medium
- MuSig2: Simple Two-Round Schnorr Multisignatures | by Blockstream | Blockstream Engineering Blog | Medium
- signature - Why is it important that nonces when signing not be related? - Bitcoin Stack Exchange
- Efficient reusable Taproot addresses
- CIW19 Keynote by Pieter Wuille on Prezi Next
- Introduction to Schnorr Signatures for Bitcoin & Lightning Network. Schnorr Signature Tutorial Part1 - YouTube
- Use Cases of Schnorr, MuSig, Adaptor and Blind Signatures ~ bitcoin-dev Mailinglist - YouTube
- Cryptoshorts e02: Schnorr signature - YouTube
- Tim Ruffing | MuSig 2: Simple Two-Round Schnorr Multi-Signatures | Real World Crypto 2021 - YouTube
- Building on Bitcoin - Blind Signatures in Scriptless Scripts - YouTube
- FROST: #Zcon2Lite - YouTube
- 06 - FROST: Flexible Round-Optimized Schnorr Threshold Signatures - YouTube
- Fully Homomorphic Encryption | The Future of Cryptography - YouTube
- https://eprint.iacr.org/2017/956.pdf
- Cryptology ePrint Archive: Report 2020/1057 - MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces
- [bitcoin-dev] Overview of anti-covert-channel signing techniques
- [bitcoin-dev] Overview of anti-covert-channel signing techniques
- https://par.nsf.gov/servlets/purl/10094253
- Add OpSignToContract with tag
0x09
by apoelstra · Pull Request #14 · opentimestamps/python-opentimestamps - https://par.nsf.gov/servlets/purl/10094253
- Cryptology ePrint Archive: Report 2020/1057 - MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces
- Anti-Exfil: Stopping Key Exfiltration | by Blockstream | Blockstream Engineering Blog | Medium
- Introduction to Schnorr Signatures
- Introduction to Schnorr Signatures - Suredbits
- Schnorr Applications: Blind Signatures - Suredbits
- Blockchain Consensus Types: Proof of Elapsed Time, Proof of Authority, Proof of Bandwidth — Official MinerGate Blog
- https://sia.tech/sia.pdf
- Green Paper - Chia Network
- BGP Blockchain
- https://eprint.iacr.org/2018/678.pdf
- What sets it apart: Filecoin’s proof system
- https://eprint.iacr.org/2021/086.pdf
- https://dl.ifip.org/db/conf/networking/networking2021/1570702775.pdf
- LighTx: A Lightweight Proof-of-Bandwidth Transactions Transfer System | Networked Systems
- proof-of-coverage | Helium Documentation