The W3C Credentials Community Group

Meeting Transcriptions and Audio Recordings (2014-today)

Go Back

W3C CCG Weekly Teleconference

Transcript for 2024-03-19

Agenda
https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Mar&period_year=2024&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer
Mike Prorock, Kimberly Linson, Harrison Tang
Scribe
Our Robot Overlords and Our Robot Overlords
Present
Harrison Tang, Will, Erica Connell, Jaromil ☮️ Dyne.org, Andrea D'Intino | Forkbomb BV, pauld gs1, Rashmi Siravara, Susan Stroud, Laura Paglione, Gregory Natran, Filippo Trotter, Nis Jespersen , Manu Sporny, Jennie M, Emanuele di Lernia, Leo, Vanessa, Jeff O / HumanOS, Yassir SELLAMI, Benjamin Young, Joe Andrieu, Alex H, Nate Otto, Tim Bloomfield, Kayode Ezike, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Anil John, Simone (W3C)
Audio Log
Our Robot Overlords are scribing.
Andrea_D'Intino_|_Forkbomb_BV: Uh guys I prepared a presentation I like to share here in the chat so because there are a bunch of links.
Andrea_D'Intino_|_Forkbomb_BV: People may want to click on the links so should I just paste it in the chat.
Andrea_D'Intino_|_Forkbomb_BV: Sounds good just just give me a signal.
Harrison_Tang: Yes I think so usually yeah usually it does that thing so give me a second let me stop and restart it give me a second.
Our Robot Overlords are scribing.
Benjamin Young: https://canivc.com/
Benjamin Young: Yeah I just uh wanted to share the announcement we posted on the ccg list about can ic.com um if you haven't had a chance to look at that we'd love to get feedback on it it's an attempt to aggregate the uh various w3c test Suites for verifiable credentials um across both the uh verifiable credentials working group and the credentials community group.
Benjamin Young: And it's very much a work in progress but we'd love to.
Benjamin Young: Have more folks running the test suite and and get implementations added as well as get feedback on this.
Benjamin Young: Attempt to bring more visibility to um verifiable compliance basically with these test Suites.
Benjamin Young: So any.
Benjamin Young: Would be great.
Benjamin Young: Um on the mailing list is fine or you can reach out to me directly.
<harrison_tang> @benjamin cool spider web graph :)
Manu Sporny: Sorry um yeah just a quick um update uh the uh BBS crypto Suite uh that the verifiable credentials working group is working on is uh was was you know the the vote to transition it to the candidate recommendation phase at w3c uh was successful uh it is currently going through transition review and uh if everything goes well which we think it will um will uh transition to a candidate recommendation by the end of March so that basically means it's ready for people to start implementing it uh there will be a test suite for it um uh and so if you have put any of your implementations against any of the test Suites that either the ccg or the verifiable credential working group have been working on um it should be fairly easy to integrate uh with with this uh upcoming test Suite as well um we already have multiple implementations.
Manu Sporny: Which is good news.
Manu Sporny: To have that.
Manu Sporny: We are only required to have 2 independent interoperable implementations to exit Crescent so we're pretty confident we already have that but the more the merrier when it comes to implementers um so if you are interested in implementing unlikable signatures um.
Manu Sporny: And help.
Manu Sporny: Out with that.
Andrea_D'Intino_|_Forkbomb_BV: Hey man sorry if I crashed the party you you might you might have heard that we are involved in the review.
Manu Sporny: Yes which is fantastic.
Manu Sporny: It's very happy to to to um to have you review the BBS stuff I think that's a wonderful.
Andrea_D'Intino_|_Forkbomb_BV: Thank you for happy.
Andrea_D'Intino_|_Forkbomb_BV: It's here we go I'm going to post a link now uh.
Andrea_D'Intino_|_Forkbomb_BV: A few words of introduction uh I've some of you were met before but most of the names are new to me so I guess we're new to you as well I'm Andrea from uh dorg and fourth bomb BV I have my colleague Jill here as well as 2 new very very very new colleague to join I'm going to talk to you about our very very.
Andrea_D'Intino_|_Forkbomb_BV: 3 of PC of deleting debit received VC.
Andrea_D'Intino_|_Forkbomb_BV: Um I had a short meeting with the Harrison last week uh discussing about what I should talk about and he gave me a couple good hints on how to structure the presentation so uh I did summarize the work that is ongoing on Quantum proof cryptography uh I'll talk about our implementation and talk what we have so far and uh in what directions this this could develop both uh in terms of low-hanging fruit or in terms of uh.
Andrea_D'Intino_|_Forkbomb_BV: Longer uh time frame development.
Andrea_D'Intino_|_Forkbomb_BV: And I'm going to paste I already pasted presentation so I think I will just share my screen.
Andrea_D'Intino_|_Forkbomb_BV: Can you see my screen everybody.
Andrea_D'Intino_|_Forkbomb_BV: Uh Point number 1 Quantum proof cryptography why do we want to prove cryptography the answer is that a while ago uh someone calculated that quantum computers will be able to break uh most current cryptography that includes uh elliptic curve signatures uh some algorithms appear to be Quantum proof already like AES uh I believe that RSA will be affected anyway uh within a few years a lot of the cryptography that we do now uh will be broken by quantum computers uh therefore the nests started I believe in 2017 or maybe it was even earlier uh with a competition for Quantum proof algorithm and in 2022 or maybe 23 I can't remember the winners were announced and there were 4 winners uh kyber which is the only 1 in the key exchange mechanism category so this is a.
Andrea_D'Intino_|_Forkbomb_BV: little bit.
Andrea_D'Intino_|_Forkbomb_BV: The quantum improved version of.
Andrea_D'Intino_|_Forkbomb_BV: 1 I believe.
Andrea_D'Intino_|_Forkbomb_BV: Latisse cryptography and uh the the other winners so the the signature algorithms with that won the competition were dilithium Falcon and sphinx here I summarized the size of the signature for each of them were deleted being about 3 kilobytes Falcon being the smallest 666 for 1 version 1,200 for the other version Sphinx which is the algorithm uh that saw the participation of the DJ Burnstein as a massive 41 kilobyte signature size.
Andrea_D'Intino_|_Forkbomb_BV: How have these algorithms implemented so the the core implementation that is the 1 that was submitted to nist is always made in C uh some of them uh and you see here the for each case what happened uh for some of them uh alternative implementations have been done.
Andrea_D'Intino_|_Forkbomb_BV: The lithium they.
Andrea_D'Intino_|_Forkbomb_BV: Rust and 1 in.
Andrea_D'Intino_|_Forkbomb_BV: They also they only done implementation in Python so basically the core.
Andrea_D'Intino_|_Forkbomb_BV: Uh repositories um with uh with with with the source code for the.
Andrea_D'Intino_|_Forkbomb_BV: For the cryptographic flows are written in C.
Andrea_D'Intino_|_Forkbomb_BV: What did we do uh we did implement the dilithium and the kyber.
Andrea_D'Intino_|_Forkbomb_BV: See the legion signature the kyber uh key exchange mechanism along with anti which was included in uh open SSH inside our crypto V and Zen room uh I will talk about it uh on and off during the presentation so the presentation is not about Zeno is about how we implement dilithium signature in zambrow and based on that uh we did a first proof of concept of D3 CVC.
Andrea_D'Intino_|_Forkbomb_BV: Lithium compatible signature.
Andrea_D'Intino_|_Forkbomb_BV: What we did is that since then room is written in C we imported.
Andrea_D'Intino_|_Forkbomb_BV: The the respective libraries in C into our repo uh then we implemented The Interpreter of the English like domain specific language Zen code which we use to program Zen room which is written in Lua we implemented end-to-end Vector tests and uh if you click on the link of the presentation here you can see where we have the the vector test implemented uh before or at the same time no actually slightly after uh we created uh we we could sign stuff using dilithium we have implemented uh w3c did public keys in our did method and I will show that to you later uh super bonus uh 1 of 1 of our colleagues who was involved in the development wrote a post on medium about that.
Andrea_D'Intino_|_Forkbomb_BV: Further uh how why is it good to use 10 room instead of the C code well first of all Zen room Builds on every uh architecture on every platform but most important Zen room Trends compiled to wasm but was is wrapped in an an npm package therefore we can do dilithium signatures in the browser and in OJs.
Andrea_D'Intino_|_Forkbomb_BV: Uh furthermore uh given the nature of the.
Andrea_D'Intino_|_Forkbomb_BV: Um of our.
Andrea_D'Intino_|_Forkbomb_BV: It's uh pretty straightforward do a mishmash of different cryptographic algorithms so you could at the same time for example do a delete him signature and a BBS signature and a BLS 1231 signature in the same script within a few lines.
Andrea_D'Intino_|_Forkbomb_BV: And the the API that produces the the W3 CVC with dilithium signature I will I will show it to you how it's done but it's something that I did literally in less than half an hour I didn't touch it since.
Andrea_D'Intino_|_Forkbomb_BV: So it's pretty easy to do data manipulation and uh cryptography uh using our Tech.
Andrea_D'Intino_|_Forkbomb_BV: This is what you will see in the dilithium signature.
Andrea_D'Intino_|_Forkbomb_BV: So what's the the API that I will show you does something extremely basic it just takes a a Json payload and creates a proof.
Andrea_D'Intino_|_Forkbomb_BV: That contains the signature and adds a little bit of metadata into it so what I added is the time stamp.
Andrea_D'Intino_|_Forkbomb_BV: I added this uh string to Define what crypto suit is uh is is used obviously if you Google this you will not find this because that's something I made up.
Andrea_D'Intino_|_Forkbomb_BV: Then uh as ID of the credential I just hashed the the whole Json file and place it here.
Andrea_D'Intino_|_Forkbomb_BV: Then we have approved a purpose assertion methods pretty standard in w3c we see 1.1 proof value inside here you have the actual relative signature which is massive so it wouldn't fit in this page therefore I just added here Integrity proof and as verification method we have.
Andrea_D'Intino_|_Forkbomb_BV: The deletion public key of the did.
Andrea_D'Intino_|_Forkbomb_BV: Uh that is registered on our did service so here you read did uh column D column sandbox dot generic issue and this is the the idea of the of the did.
Andrea_D'Intino_|_Forkbomb_BV: Okay I can give you a uh I can give you a quick demo so the fastest way to uh distribute a very long long curve uh I found it was with the fast the fastest way I found is paste bin so if you click here.
Andrea_D'Intino_|_Forkbomb_BV: Should be able to.
Andrea_D'Intino_|_Forkbomb_BV: To get this.
Andrea_D'Intino_|_Forkbomb_BV: So I'm just going to copy that that I'm going to fire up.
Andrea_D'Intino_|_Forkbomb_BV: I'm going to paste the curl.
Andrea_D'Intino_|_Forkbomb_BV: I'm going to.
Andrea_D'Intino_|_Forkbomb_BV: Going to do.
Andrea_D'Intino_|_Forkbomb_BV: JQ to get it uh format it properly so as you can see in the curl I am calling this API which is the the API that is going to produce the the VC I'm simply passing it this.
Andrea_D'Intino_|_Forkbomb_BV: And uh what the API is going to do is going to answer the proof into this Json that's all pretty straightforward.
Andrea_D'Intino_|_Forkbomb_BV: Here we go.
Andrea_D'Intino_|_Forkbomb_BV: So inside here you find.
Andrea_D'Intino_|_Forkbomb_BV: Sorry let me.
Andrea_D'Intino_|_Forkbomb_BV: You find proof timestamp all the stuff that I mentioned before this is this massive thing is the dilithium signature.
Andrea_D'Intino_|_Forkbomb_BV: And this is the the did of the issuer.
Andrea_D'Intino_|_Forkbomb_BV: That sign is credential which we can have a look at here.
Andrea_D'Intino_|_Forkbomb_BV: So if you go to explore.org and press enter.
Andrea_D'Intino_|_Forkbomb_BV: And I'm just going to paste the date here.
Andrea_D'Intino_|_Forkbomb_BV: This is the the the document of the uh service that signed this and if you look into the context you will see that for some some of the Json LD definitions uh they are fetch straight from our repo.
Andrea_D'Intino_|_Forkbomb_BV: This is because at the time when uh when we put together the first version of our did we couldn't find uh any specification that worked so this is a BLS 1231 public key this is another BLS 1231 this is a BBS public key this is something that maybe I'll uh I'll talk about with Mano in a different session and this specification here is a specification of.
Andrea_D'Intino_|_Forkbomb_BV: the deleting.
Andrea_D'Intino_|_Forkbomb_BV: You can find here and the horse backs are.
Andrea_D'Intino_|_Forkbomb_BV: Here anyway let's scroll down and.
Andrea_D'Intino_|_Forkbomb_BV: Reflow reflux did you say did you say is for BBS and this is dilithium.
Andrea_D'Intino_|_Forkbomb_BV: Give you some.
Andrea_D'Intino_|_Forkbomb_BV: To give you some um.
Andrea_D'Intino_|_Forkbomb_BV: Uh context I'm going to paste this public key inside here and you see the size.
Andrea_D'Intino_|_Forkbomb_BV: Of the key we're looking at so that's the public key.
Andrea_D'Intino_|_Forkbomb_BV: That's how the quantum proof World unfortunately is like.
Andrea_D'Intino_|_Forkbomb_BV: This you can try at home that's something we saw already the the public key of the instrument did.
Andrea_D'Intino_|_Forkbomb_BV: then you.
Andrea_D'Intino_|_Forkbomb_BV: Try it home fun version if you want to try a simple Del lithium signature using our stack you just go to API room.net examples QP dilithium which I'm going to do for you right now.
Andrea_D'Intino_|_Forkbomb_BV: So this is APR room is the IDE of our cryptographic virtual machine we have a bunch of example here divided by uh by subject or by cryptography if you scroll down to the bottom you can see dilithium generic key generate public key create signature verify signature.
Andrea_D'Intino_|_Forkbomb_BV: Those scripts you can take them and use them as a base to create.
Andrea_D'Intino_|_Forkbomb_BV: I'll show you the the 1 that I use as a base to create the API that I showed you before.
Andrea_D'Intino_|_Forkbomb_BV: So the actual code that creates a signature is this.
Andrea_D'Intino_|_Forkbomb_BV: Given I am Alice given I have my key ring so this.
Andrea_D'Intino_|_Forkbomb_BV: Inside here I keep all my secret keys.
Andrea_D'Intino_|_Forkbomb_BV: Even have a string named message which is this give when I create the delete team signature off so this statement creates a deletion signature then in the end I'm printing out the signature and the message I press run and.
Andrea_D'Intino_|_Forkbomb_BV: So this is how you can uh.
Andrea_D'Intino_|_Forkbomb_BV: Play with dilithium signature at home.
Andrea_D'Intino_|_Forkbomb_BV: Uh yes this API room.net docs uh if you look at the curl we did.
Andrea_D'Intino_|_Forkbomb_BV: The curl is known to htbs API room.et API API slash generic issue.
Andrea_D'Intino_|_Forkbomb_BV: The name of the the endpoint is the is the API.
Andrea_D'Intino_|_Forkbomb_BV: If you copy paste this sorry.
Andrea_D'Intino_|_Forkbomb_BV: I'm just going to.
Andrea_D'Intino_|_Forkbomb_BV: This is the Swagger.
Andrea_D'Intino_|_Forkbomb_BV: That you that's uh shows well first of all you can do get and posts the the the actual API you have to use is this.
Andrea_D'Intino_|_Forkbomb_BV: Uh and uh in here uh I can also show you the actual code behind this API which is a chain of 2 scripts dilithium 01 and the lithium 02 where all the computation happens in the 01 in 02 I'm doing only data manipulation I had to I had to split this in 2 parts um for you know for because I was lazy I could have put everything in a single 1 but uh um yeah.
Andrea_D'Intino_|_Forkbomb_BV: So this is the most of the code that generates the diabetes CVC that you've seen.
Andrea_D'Intino_|_Forkbomb_BV: Which is again it just takes a Json file and signs it and it's far from from being interoperable and compliant but uh the technology is good to make quick and easy uh tests.
Andrea_D'Intino_|_Forkbomb_BV: so that.
Andrea_D'Intino_|_Forkbomb_BV: For the future low hanging fruits.
Andrea_D'Intino_|_Forkbomb_BV: Within minutes and when I say minutes I mean literally minutes I can create a microservices to do sign and verify so basically I can take this API and uh export it together with a with a shell script or into a Docker file that you could launch on a on a server to test the API itself this is something literally something I can do in minutes within uh 1 Hour 2 we can hack together a JavaScript uh Library.
Andrea_D'Intino_|_Forkbomb_BV: That within 1 file has uh we can have 2 API in the library 1 to sign 1 to verify so that you can do your own signatures and verifications in the browser or a note.
Andrea_D'Intino_|_Forkbomb_BV: Spend some time.
Andrea_D'Intino_|_Forkbomb_BV: Under I think.
Andrea_D'Intino_|_Forkbomb_BV: Or uh with also with a relatively slow effort we can uh insert the W3 CVC signing uh API into our identity solution which uh we are we're working on these days we're about to we're probably uh release uh beta in a few weeks uh which at the moment is focusing on aod e e u e u d i a ARF so the EI does 2 signatures meaning that the exchange Protocols are open ID for VCI and the credential format is as the job.
Andrea_D'Intino_|_Forkbomb_BV: What we could do pretty easily is instead of producing a nasty jot we could produce a lithium signature it would come out as a Frankenstein so I don't think it makes much sense.
Andrea_D'Intino_|_Forkbomb_BV: Uh we have to.
Andrea_D'Intino_|_Forkbomb_BV: Uh work with w3c VC apis that will require a little bit more work.
Andrea_D'Intino_|_Forkbomb_BV: That's something we can also discuss doing in in if anybody's interested so we can uh we can plug our uh signature uh.
Andrea_D'Intino_|_Forkbomb_BV: Technology into somebody else's flow or we could Implement our own something else we have been looking at is to implement Falcon uh the reason behind this uh being that Falcon is the smallest uh Quantum proof signature so it's the smallest 1 is 600 bytes versus 3 kilobytes of the lithium.
Andrea_D'Intino_|_Forkbomb_BV: I think that I'm wrong.
Manu Sporny: Yeah this is all uh fantastic stuff um Andreas so um.
Manu Sporny: I'm trying to think of which which thing to ask a question about first so the the the did documents are really interesting uh really neat that uh you were able to use the extensibility features of the did spec to add a whole bunch of different key representations in the did document um in that you know lithium was was 1 of those uh things along with BBs that was really neat to see um and then of course it was really neat to see that you're using uh you know the the data Integrity um uh proof expression mechanism to do the dilithium signature um and that looks I mean it looks very very close to what we would potentially end up standardizing right I mean it's like it's I only maybe a month at most work to go from what you have demonstrated to having a specification that we could probably take um uh standards track so that's uh really neat to see as well um I guess.
Manu Sporny: The the question to you.
Manu Sporny: Is uh you know where what.
Manu Sporny: Where do you.
Manu Sporny: What's the time.
<andrea_d'intino_|_forkbomb_bv> My presentation once again:
Manu Sporny: For example like you know right now the the verifiable credential working group um I think what we're planning to do is recharter the working group to go into maintenance mode and you know take the current specifications we have through to like Global standards so like the BBS suite and and that kind of stuff so dilithium you know we can't put the new dilithium work in uh just yet um but what we can do is maybe incubate that in the credentials community group and start talking to w3c about hey we can now do post-quantum signatures you know with dilithium kyber and Drew you know whatever we end up end up picking what what is your timeline like what would be what do you think is the ideal timeline what should we focus on uh with respect to post-quantum signatures um uh and like you know data integrity at at w3c.
Manu Sporny: Quickly do you think we could maybe get a specification together to to incubate.
Andrea_D'Intino_|_Forkbomb_BV: All right that's a very good question basically we implemented the stuff I believe uh in uh spring 2022 so we implemented it before the next company shows over and we picked the lithium and uh kyber because we thought that we're going to win and they did so it was a very lucky pick uh set that after we implemented it we actually didn't do anything with it uh we did present once the our delete uh did uh at some w3c meeting but maybe it was too early so we didn't actually get any feedback about that uh said that for the future um we haven't set any resources on this because we we we weren't aware of uh if and how people need this so based on the feedback we get that we can uh allocate some resources and then then we can uh we can work something out uh.
Andrea_D'Intino_|_Forkbomb_BV: So getting a Specs together.
Andrea_D'Intino_|_Forkbomb_BV: Terms of uh documentation that is something I know that would take a few weeks uh implementing um so making the verifiable credential itself interoperable I don't think it's going to be as you mentioned I think it's going to be a big deal uh but uh be aware that at the moment we're just taking a Json signing it so we're not doing any test whatsoever on the Json input and uh yeah we would have to work on the the error message and stuff like that if it's just the w3c VC it's feasible within you know a few weeks or couple of months or at most uh but it depends on where it has to be plugged meaning what exchange.
Andrea_D'Intino_|_Forkbomb_BV: Leads to this.
Andrea_D'Intino_|_Forkbomb_BV: And uh and uh what what it has to interpret with.
Andrea_D'Intino_|_Forkbomb_BV: The the the the the API you've seen making its uh making it interoperable and compliant I don't think is.
Andrea_D'Intino_|_Forkbomb_BV: Work and it can be done within the time frame you mentioned.
Andrea_D'Intino_|_Forkbomb_BV: Yeah I'm not sure I can follow I'm sorry.
Manu Sporny: Oh I was go go ahead Harrison I I can um I can follow behind you.
Harrison_Tang: No you you can go first.
Manu Sporny: Okay so so um so yes well the fundamentally you know crypto Suite data Integrity crypto so we just has the algorithm that you follow uh to do to do all the steps I think the good news here is that the only difference with what we all have already taken through the standardization process like so so you know the date Integrity crypto Suites have like um a couple of stages the first 1 is transforming the data uh then you hash the data and then you sign the data right and and Andrea has has demonstrated all of those you know processes and in in what he's shown today um so in the in the transform you either do like I think Andre you were just taking the Json as is in hashing it to sign is that right.
Andrea_D'Intino_|_Forkbomb_BV: I I will pass the question to jarmil uh I know that there are different Visions about U.
Andrea_D'Intino_|_Forkbomb_BV: Has to be.
Andrea_D'Intino_|_Forkbomb_BV: The the the the input has to be transformed I believe that we just take the Json as it is and sign it if if jar can say a word about it.
Andrea_D'Intino_|_Forkbomb_BV: Else else we will reply to you online I can look through the code.
Jaromil_☮️_Dyne.org: This is a 3 key thing that is not so clear in rexes or standard so when there is a structured data.
Jaromil_☮️_Dyne.org: How it is signed I think almost by convention we signed Json without spaces.
Jaromil_☮️_Dyne.org: It would be nice to nail that down.
Jaromil_☮️_Dyne.org: I've seen in other standards um Json Marshal inside other jsons with dots separating like the JWT.
Jaromil_☮️_Dyne.org: Which looks really bad to my eyes and um so I don't know if uh if I understood your question like what what will be signing I think we can stay with the the basic practice signing uh um a rendered string uh Json string uh without spaces.
Jaromil_☮️_Dyne.org: We this will not solve 1 big problem which is the deterministic Sorting of dictionary elements in Json strings.
Jaromil_☮️_Dyne.org: I think.
Jaromil_☮️_Dyne.org: This is a topic that covers pretty much every signature that we want to standardize and the problem is that.
Jaromil_☮️_Dyne.org: So most languages.
Jaromil_☮️_Dyne.org: Uh Grant deterministic sorting of keys into a dictionary.
<harrison_tang> Manu, you go first. My question is on a different topic.
Jaromil_☮️_Dyne.org: And the deterministic Sorting so anything that comes in will not be sorted out unless we apply alphabetic sorting explicitly which may break.
<manu_sporny> ok, thanks Harrison
Jaromil_☮️_Dyne.org: Tree the input data.
Jaromil_☮️_Dyne.org: So um this is just a call for perhaps a a a new subject for a working group that we have uh deterministic way to um.
Jaromil_☮️_Dyne.org: To have to to organize structured data.
Jaromil_☮️_Dyne.org: And uh it can stay in Json but we could say okay uh any sign data should be alphabetically sorted before and Json without spaces I hope I I address the issue at hand.
Manu Sporny: Yes absolutely so so here's the good news uh we have standardized at least 2 different ways to do that already so 1 of the things that um w3c has been working on is uh data set canonicalization which is the Sorting that you're talking about um w3c standardized rdf data set canonicalization which we use for w3c uh VCS that use data Integrity but data Integrity also supports Json canonicalization so uh you know the the the the thing that you were talking about uh about you know sorting dictionaries there is a there's a a specification a ITF RFC that exists already that's the standard uh called JCS Json canonicalization scheme that does that so we we have uh syntax specific mechanisms to do that that are already standards that's JCS and we have syntax agnostic mechanisms to do the.
Manu Sporny: Analyzation which is.
Manu Sporny: Is rdf data set canonicalization.
Manu Sporny: So the the.
Manu Sporny: I'm going to assert that that's a solved problem and they're already standard you know to do that so that's the transformation phase um then once you transform that's you know it's a that's kind of the Hard 1 of the hardest parts after you do that hashing is easy and straightforward there are plenty of standards that exist for that and then finally to generate the signature and the and the proof that's really the only thing that's remaining so going back to the question that will raised um.
Manu Sporny: The w.
Manu Sporny: Let's say post-quantum crypto Suites specification.
Manu Sporny: Would just be referring to other standards that already exist and the only new thing that that the w3c data Integrity post-quantum data Integrity crypto Suites would have to do is specify that we're using dilithium specify exactly which you know um uh signature size uh you know we'd be using we may want to also put in uh swing plus and true kyber as kind of a backup in case you know dilithium broken um but it's not a lot of work to do this like we what I'm saying is like the for the past 2 years the verifiable credential working group has created all the base Primitives that we need and those base Primitives are pretty much done at this point where we just reuse the existing base Primitives in the dilithium um specification so I I agree with Andre I mean.
Manu Sporny: This this is not a.
Manu Sporny: Tremendous amount of work.
Manu Sporny: Put this in specification in into a crypto Suite specifically.
Jaromil_☮️_Dyne.org: Thanks for the pointer to the Json communication I'll ask you the number of the RFC later because the European the current European effort that identity wallet do do not implement it at least in the reference implementation we have undetermined uh Behavior with the with the fields so it will be useful to follow.
Harrison_Tang: Yeah I'm just curious on a different topic like uh like Andrea like why did you pick a delete 3 and um to implement like uh is it just rolling the dice or like I'm I guess I'm curious about the pros and cons and the trade-off between the 4 options the 4 winners of the post Quantum cryptography and you mentioned that Falcon is the smallest size but uh like if that's the case then why would anybody like implements uh Sphynx for example.
Andrea_D'Intino_|_Forkbomb_BV: Um uh we when we implemented this uh I think that she was between the second and the third round at the time we had to pick uh between uh around 8 or 10 different signatures and uh we did Bat on uh kyber and uh the lithium because they both come from the same uh working team the crystals team which is mostly people at the University of luven in Belgium uh which is the mecca of cryptography uh so we we checked the people behind the algorithms and uh we thought that if they participated they they were expecting to win which more or less happened.
Jaromil_☮️_Dyne.org: Andrea you should also say that we spend more time following missed competitions than soccer game.
<harrison_tang> haha
<manu_sporny> haha, awesome
Andrea_D'Intino_|_Forkbomb_BV: Show the truth that that has been our main hobby for for a few months but anyway we did this uh before the end of the competition and we it was 50% we were all the dies and 50% we tried to guess which 1 would win we also implemented auntie auntie Roo which ended up ended up being implemented in open SSH but didn't win on this competition.
Andrea_D'Intino_|_Forkbomb_BV: I mean we implement the 3 and 2 were selected we were okay lucky I guess.
Harrison_Tang: Got it thank you and I I like the joke or maybe not joke about the soccer thing so.
Andrea_D'Intino_|_Forkbomb_BV: Uh we have not implemented parallel signatures in the way that Manu showed it a few weeks ago.
Andrea_D'Intino_|_Forkbomb_BV: But if you give me if you send me Jason I can within minutes hack together an API that creates 3 signatures and then I will need 1 more hour to manipulate the uh the Json and create a proof that is uh uh semi compliant not to create something like that.
Manu Sporny: That's it yeah and and add to that 1 of the 1 of the benefits of parallel signatures is that um you can you can have multiple different organizations put different signatures on the same payload so you know I mean it's not difficult to do a parallel signature implementation it's literally just an array of proofs like you just need to take your proof and then put it in an array and you've got a parallel signature so um it would not be you know as as Andre said it would not be difficult for them to implement parallel signatures it would you know take an hour at at most um but I think the the other thing that's really interesting is that um.
Manu Sporny: We could we could experiment you know as Andrea was showing in in his example you know the crypto Suite started off with experimental Dash so it's an experimental crypto Suite um but the nice thing about you know parallel signatures is that we can put experimental signatures uh alongside you know officials approved you know ecdsa signatures today or beside you know BBS signatures today so um the other thing that we could also do is you know use the VC playground if if Andre and his um uh and and their team um uh the dine team uh could put together like a a credential issuer through Zen room um then we could just add them to the list of issuers and call out to their system to do the dial lithium signatures um in the playground which basically means like you know if we if you wanted to dial lithium signature on any of the verifiable credentials in the playground.
Manu Sporny: The playground would just.
Manu Sporny: Reach out to.
Manu Sporny: Mentation to Zen.
Manu Sporny: Room to add the.
Manu Sporny: Um so we already have you know a number of really useful Primitives to pull in the good work that um Andre our Mill and their team uh is doing.
Andrea_D'Intino_|_Forkbomb_BV: Uh I can tell you that we have been looking at it uh we also had a very productive meeting with Benjamin about w3c VC API uh.
Andrea_D'Intino_|_Forkbomb_BV: Uh test I think I think it's called and uh we saw we saw today yesterday the announcement of uh can IBC.
Andrea_D'Intino_|_Forkbomb_BV: So that's something we're looking at and we are pushing out the release in the next few weeks but we hope we'll have the chance to look at into that as soon as we don't with uh with our deadlines.
Manu Sporny: Well I I don't want to hog the questions but it's it's rare to have somebody on a call that knows both BBS and and post Quantum stuff like Andre and are so um the the general question is um what are your thoughts on unlink Quantum signatures or is there any particular team that you're looking at right now um that's working on um post-quantum on linkable digital signatures.
Andrea_D'Intino_|_Forkbomb_BV: Uh the lithium is linkable because you have to distribute the public key.
<will> That was my one too :)
Andrea_D'Intino_|_Forkbomb_BV: Unlink the lithium or I need to think about this so in you think of making something like the equivalent of nasty jot or a zero proof based on the lithium um.
Manu Sporny: More like BBS you know something closer to BBS with the post-quantum scheme.
Andrea_D'Intino_|_Forkbomb_BV: I that's not something I have been thinking about I don't know if jarm left thoughts.
Jaromil_☮️_Dyne.org: We did we did something similar Andrea for which we cannot really talk about for our clients in Denmark using old.
Jaromil_☮️_Dyne.org: Old and yeah sort sort of interesting uh protocol and uh yeah I mean I think that looking at all the ways to do.
Jaromil_☮️_Dyne.org: to do.
Jaromil_☮️_Dyne.org: Uh zero knowledge proof.
Jaromil_☮️_Dyne.org: Could lead to some success I'm not sure if we have um.
Jaromil_☮️_Dyne.org: But this will be not really like deeply integrated into post-quantum Tech just using certain post-quantum malos in place of others to do old school uh de la proof.
Jaromil_☮️_Dyne.org: So yeah the answer we we don't see anything Innovative right now.
Andrea_D'Intino_|_Forkbomb_BV: But Manu just uh just uh for us to understand each other the lithium is just a bigger ecdsa.
Andrea_D'Intino_|_Forkbomb_BV: So um I've seen I've seen your.
Andrea_D'Intino_|_Forkbomb_BV: Uh SAC disclosure ecdsa.
Andrea_D'Intino_|_Forkbomb_BV: That can be done with the lithium but that's as far as you get I don't think that the lithium allows to have a selected disclosure within the signature I mean not as far as uh as we have seen or implemented it's just a factor ecsa.
Manu Sporny: Yes AB absolutely completely agree with that um so we could take the existing ecds ASD suite and we could apply dilithium to it and we would just get selective disclosure um uh out of it which which is great I mean you know that's that's that's beneficial uh but of course you know everyone's wondering well what about BBS BBS is not post-quantum secure um we need uh you know replacement there I know there's some work uh that that um folks are doing on post-quantum on linkable schemes but it's very very you know early days um but at the same time you know it is um.
Manu Sporny: It is uh you know it's an area of Interest people want to see a post-quantum unlabel uh signature it is possible but you know research is very very new in that area and it's probably going to take you know 5 to 7 years for anything worthwhile to kind of pop out there um the other thing that's that's kind of interesting and I'm wondering if if either of you have have um looked into this is is um a hybrid selective disclosure scheme so there are um.
Manu Sporny: You know the way the ecdsa SD um a signatures work is you generate an ephemeral key pair and you use that ephemeral key uh to digitally sign each selectively disclosed um uh entry um and then you use like a hardware back key to digitally sign everything the ephemeral key and all of the selectively disclose statements um uh or rather its you use you use your Hardware back key to sign the ephemeral key which is the thing that signs all the selectively disclosed statements now in in a post-quantum signature scheme um the problem is like the signature sizes like if you're using for example if you're using like Sphinx you're looking at you know 41 kilobyte signatures for each selectively disclosed statement which means that your verifiable credential is gigantic it's multiple hundreds of kilobytes for you know something like a a European.
Manu Sporny: Uh pit or or something of that nature so 1 of the 1 of the other things that we were looking at is this concept of using like Watts or Watts plus um the the idea here is that you can create you know these single time pad signature schemes that are highly space efficient where the signature is space efficient and you can you can use that to generate effectively like 32 to 64 bytes signatures per selectively disclose statement.
Manu Sporny: But then.
Manu Sporny: Over the entire.
Manu Sporny: Using a post-quantum uh scheme so you effectively what you end up with is um a efficient selectively disclosed post-quantum uh scheme that does not have any of the the uh data leaking issues that SD jot uh has have you hopefully 1 that made sense in in 2 have uh you looked into watts and and and kind of uh pad 1 Time Pad based uh schemes as like a hybrid um of of post-quantum schemes.
Andrea_D'Intino_|_Forkbomb_BV: I'm not familiar with what's what's plaster that not sure I heard the name before I don't know if jar knows about it.
Jaromil_☮️_Dyne.org: No no we haven't looked into that in general the wrapping uh approach that you mentioned I think is the most valid right now and I would say it's a nice idea to wrap.
Jaromil_☮️_Dyne.org: Effective disclosure with with the quantum signature uh we we can do it right away with with our like DSL with our domain specific language.
Andrea_D'Intino_|_Forkbomb_BV: Yeah we I mean wrapping signatures 1 into another we can do it literally no time uh something you mentioned about uh Hardware signature Hardware keys so Hardware based secret Keys uh something we looked at in different situations is um.
Andrea_D'Intino_|_Forkbomb_BV: I I had I had the the word and the tape on my tongue uh when you start with the secret key and generate the following secret Keys uh.
Manu Sporny: Hierarchical deterministic key stuff.
Andrea_D'Intino_|_Forkbomb_BV: Correct correct that's.
Andrea_D'Intino_|_Forkbomb_BV: all yes.
Jaromil_☮️_Dyne.org: Yes yeah the HD yeah if 32.
Andrea_D'Intino_|_Forkbomb_BV: Bip 32 yes that that's also something we looked at we haven't uh we haven't done much work with it but that is also something we can do I believe we can really do uh with what we have in Zen room using the the statements we have so we can.
Jaromil_☮️_Dyne.org: The derivative case is interesting there is another standard I'm looking into right now which is the carry.
Andrea_D'Intino_|_Forkbomb_BV: K e r i.
Jaromil_☮️_Dyne.org: Uh standard well yeah key e r i for for for key rotation apparently popular in Asia.
Andrea_D'Intino_|_Forkbomb_BV: But but anyway key derivation is something that we can look at pretty pretty comfortably.
Harrison_Tang: Yeah I have a question uh by the way this is a relatively new be cryptographic uh question is earlier Andrea you you mentioned that the theory and you can think of it as a bigger like AdWords like EDSA and my understanding is EDSA is more like a curve based um no cryptography whereas uh post quantitative space so if that's the case what's the relationship between the curved base versus like ladder space like photography know.
Andrea_D'Intino_|_Forkbomb_BV: We we are comparing uh uh so with Manu we're comparing let's say regular signatures with uh signatures that allow homomorphic sums like BBs.
Andrea_D'Intino_|_Forkbomb_BV: So with BBs you have you add stuff on on the curve while with the CSA DSA and the lithium just signed 1 Thing on you cdsa you have the signatures 1 point on the lithium is uh is Latisse so it's points connected together but basically the the the juice of the conversation is that we haven't yet seen uh um.
Andrea_D'Intino_|_Forkbomb_BV: Sure that as the.
Andrea_D'Intino_|_Forkbomb_BV: Which allow to uh do a zero proof in the way that BBS does.
Andrea_D'Intino_|_Forkbomb_BV: Be just like some features.
Harrison_Tang: And sorry 1 last question uh completely different question uh do you know of any like kind of commercial application of post Quantum cryptography where is it still mostly in the public and academic sectors.
Andrea_D'Intino_|_Forkbomb_BV: Is that this is the question to me.
Andrea_D'Intino_|_Forkbomb_BV: Uh we know that uh we have heard that several uh enforcement agencies are looking to that.
Andrea_D'Intino_|_Forkbomb_BV: Uh specially the the interest uh uh went up uh since uh uh the februari 20122 events.
Andrea_D'Intino_|_Forkbomb_BV: That's uh I am not aware of uh anybody.
Andrea_D'Intino_|_Forkbomb_BV: Um I I if you ask me if we have any competitor I have no idea I don't think so.
Harrison_Tang: Got it thank you.
<harrison_tang> thank you very much for your great presentation!!
Andrea_D'Intino_|_Forkbomb_BV: Sure let's let's be let's be in touch if uh.
Andrea_D'Intino_|_Forkbomb_BV: Um based on our conversation if anyone has some homework we could do uh in the next uh month or so then we can try to.
Andrea_D'Intino_|_Forkbomb_BV: To do some work on it so mono mentioned specification.
Andrea_D'Intino_|_Forkbomb_BV: Uh VC playground.
Manu Sporny: Yeah and and to be clear we would be very happy to put together a a a post-quantum um dating Integrity crypto Suite with with you I think that's the that's something that we could kind of create in incubate in ccg and get more implementers behind and then potentially take Global standards track.
<jaromil_☮️_dyne.org> ciao ! :^)
Andrea_D'Intino_|_Forkbomb_BV: My mom thank you guys thank you tension.