Routing question from email:
Are there currently any plans to offer ed25519 and PKCS#11 support on the HSM2 via firmware updates or are there plans for a new HSM product that would support it?
cc: @sc-hsm
The SmartCard-HSM relies on the CC-certified crypto library of the SmartMX2 security controller and that does not support ed25519. Unfortunately NXP has no plans to add support in that library, so we are unable to support that in our code either.
There is also little demand from the markets for which this chip is produced (large scale card deployments like banking, government, health), so I’m not optimistic that the situation will change.
Additionally, there is no real benefit of those curves over NIST and Brainpool curves when used in a secure element. The use case for ed25519 is private key operations in software, where a buggy implementation (i.e. weak randomness) can break ECDSA. In a security controller that is not really an issue (theoretically yes, practically no).
So many requests to support ed25519 and still no demand, it is laughable.
It looks like NXP is just not allowed to include ed25519 into the chip.
See the comments at the bottom of:
Are there any hardware keys with algos:
Curve25519, E-382, M-383, Curve383187, Curve41417, Ed448-Goldilocks, M-511, E-521
Maybe it is easier just to code them in software on STM or even some ARM board like Cortex A7?
A few devices mentioned:
Hardware
- SC4 HSM — a fully-open USB2 HSM (hardware-secure module)
- crypto-in-a-box — Turns an Arduino into a cryptography token
- YubiHSM 2 — a cost-effective Hardware Security Module (HSM) for servers and IoT gateways
- Nitrokey Start — encrypts your emails, files, and server access
- Howto: signify(1) signatures with a YubiHSM
- Voting machines in Brazil — administered by Justiça Eleitoral brasileira; printable Ed25519-signed QR code paper trails
- SafeNet Luna Network HSMs — High Assurance Hardware Security Modules
- CEC1702 — ARM Cortex M4-based microcontroller with a complete hardware cryptography-enabled solution in a single package
According to:
@DavidsaysReinstateMonica It not only predated Ed25519, but ECDSA was made this way to work around patents. The more efficient and obvious Schnorr signatures (upon which EdDSA was based) were patented, so ECDSA had to be intentionally obtuse to avoid patent infringement. See Thomas Pornin’s answer over at: crypto.stackexchange.com/a/64852/75224; because of that patent, there was no other real choice at the time.
There may be patent issues with EdDSA which IMHO may prevent EdDSA from appearing in the desired NXP chips?
On the other hand Ed25519 algo is present in the following chip:
https://www.microchip.com/wwwproducts/en/CEC1702
Are there any USB sticks based on that chip?
CEC1702
anywhere.