Nitrokey HSM2 - support for ed25519

Routing question from email:

Are there currently any plans to offer ed25519 and PKCS#11 support on the HSM2 via firmware updates or are there plans for a new HSM product that would support it?

cc: @sc-hsm

The SmartCard-HSM relies on the CC-certified crypto library of the SmartMX2 security controller and that does not support ed25519. Unfortunately NXP has no plans to add support in that library, so we are unable to support that in our code either.

There is also little demand from the markets for which this chip is produced (large scale card deployments like banking, government, health), so I’m not optimistic that the situation will change.

Additionally, there is no real benefit of those curves over NIST and Brainpool curves when used in a secure element. The use case for ed25519 are private key operations in software, where a buggy implementation (i.e. weak randomness) can break ECDSA. In a security controller that is not really an issue (theoretically yes, practically no).

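The point in the reply above is that the practical advantage of Ed25519 in software is that the signature nonce is derived deterministically rather than drawn from an RNG that may be weak. ECDSA in software can get the same property through RFC 6979 (HMAC-based deterministic nonces). The following Python implementation of the RFC 6979 nonce derivation for P-256 with SHA-256 is an added example, not code from this thread or from the SmartCard-HSM/Nitrokey projects; the private key and message are the RFC's own test vector, and the function name `deterministic_k` is this example's choice.

```python
import hashlib
import hmac

# P-256 group order (n in FIPS 186-4, q in RFC 6979).
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
QLEN = Q.bit_length()        # 256 bits
ROLEN = (QLEN + 7) // 8      # 32 octets

def bits2int(b: bytes) -> int:
    """RFC 6979 2.3.2: leftmost QLEN bits of the string as an integer."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - QLEN) if blen > QLEN else v

def int2octets(x: int) -> bytes:
    """RFC 6979 2.3.3: fixed-width big-endian encoding of x."""
    return x.to_bytes(ROLEN, "big")

def bits2octets(b: bytes) -> bytes:
    """RFC 6979 2.3.4: bits2int, reduce mod q, then int2octets."""
    z1 = bits2int(b)
    z2 = z1 - Q
    return int2octets(z1 if z2 < 0 else z2)

def deterministic_k(priv: int, msg: bytes, hashfn=hashlib.sha256) -> int:
    """Derive the ECDSA nonce k from (private key, message) per RFC 6979 3.2.

    The same inputs always yield the same k, so a weak or repeated RNG output
    cannot cause the nonce reuse that leaks an ECDSA private key.
    """
    h1 = hashfn(msg).digest()
    hlen = hashfn().digest_size
    V = b"\x01" * hlen                       # step b
    K = b"\x00" * hlen                       # step c
    seed = int2octets(priv) + bits2octets(h1)
    K = hmac.new(K, V + b"\x00" + seed, hashfn).digest()   # step d
    V = hmac.new(K, V, hashfn).digest()                     # step e
    K = hmac.new(K, V + b"\x01" + seed, hashfn).digest()   # step f
    V = hmac.new(K, V, hashfn).digest()                     # step g
    while True:                                             # step h
        T = b""
        while len(T) < ROLEN:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = bits2int(T)
        if 1 <= k < Q:
            return k
        # Candidate out of range: rekey and try again (rare for P-256).
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()
```

For the RFC 6979 A.2.5 vector (P-256, SHA-256, message "sample") the derived k is `A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60`; a secure element that keeps its RNG and key inside the controller does not need this construction, which is the reply's point.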

So many requests to support ed25519 and still no demand, it is laughable.
It looks like NXP is just not allowed to include ed25519 into the chip.

See the comments at the bottom of:

https://web.archive.org/web/20200710183650/https://www.nitrokey.com/news/2019/new-nitrokey-hsm-2-rsa-4096-ecc-521-aes-256

Are there any hardware keys with algos:
Curve25519, E-382, M-383, Curve383187, Curve41417, Ed448-Goldilocks, M-511, E-521

Maybe it is easier just to code them in software on STM or even some ARM board like Cortex A7?

http://web.archive.org/web/20200512234318/https://ianix.com/pub/ed25519-deployment.html

A few devices mentioned:

Hardware

According to:

@DavidsaysReinstateMonica It not only predated Ed25519, but ECDSA was made this way to work around patents. The more efficient and obvious Schnorr signatures (upon which EdDSA was based) were patented, so ECDSA had to be intentionally obtuse to avoid patent infringement. See Thomas Pornin’s answer over at: crypto.stackexchange.com/a/64852/75224; because of that patent, there was no other real choice at the time.

There may be patent issues with EdDSA which IMHO may prevent EdDSA from appearing in the desired NXP chips?

On the other hand Ed25519 algo is present in the following chip:
https://www.microchip.com/wwwproducts/en/CEC1702

Are there any USB sticks based on that chip?

  1. Only NXP knows why they do not have that implemented. By "no demand" I believe it is not requested by large volumes or by corporations. Implementing cryptographic algorithms securely is not an easy task, and it’s not cheap either.
  2. Regarding the chip, we do not use CEC1702 anywhere.
  3. Nitrokey Start does have a Curve25519 software implementation.
  4. Of the ones mentioned, we have only Curve25519 AFAIK.