Hi all,

[cc’ing Veronica, Denis]

Thank you Tom for the pointer. We had this discussion also in the W3C Security 
Interest Group. Part of the discussion was that, using the hybrid approach, 
Ed25519 is still valuable, but I cc’ed the cryptographers.

If we believe there are limitations, it is useful to include them in the 
considerations section.

Thank you,

Simone

> On 24 May 2025 at 00:43, Tom Jones <thomasclinganjo...@gmail.com> wrote:
> 
> Thanks for that message - I don't think I understood the point before.
> Frankly speaking, I don't think anyone else beyond your team understands 
> what's going on either.
> So is the solution (1) either-or, or (2) both-and? I don't think that is the 
> same from one group in W3C to another. (I include OID4xxx in that list)
> let's just get everyone on PQC.
> https://thequantuminsider.com/2025/05/21/microsoft-brings-post-quantum-cryptography-to-windows-and-linux-in-early-access-rollout/
> 
> Peace ..tom jones
> 
> 
> On Thu, May 22, 2025 at 1:42 PM 'Daniel Huigens' via blink-dev 
> <blink-dev@chromium.org> wrote:
> Hi Tom,
> 
> Bit late to the party, but I wanted to mention that even in the transition to 
> PQC, Ed25519 is still relevant, in hybrid/composite constructions; the idea 
> being that you sign and verify with both algorithms, so that an attacker 
> would need to break both of them.
> For example, see draft-ietf-lamps-pq-composite-sigs and 
> draft-ietf-openpgp-pqc, both of which define constructions combining ML-DSA 
> and Ed25519/Ed448.
> To quote the former:
> > This document defines combinations of ML-DSA [FIPS.204] in hybrid with 
> > traditional algorithms (...) Ed25519, and Ed448. These combinations are 
> > tailored to meet security best practices and regulatory requirements. 
> > Composite ML-DSA is applicable in any application (...) where the operator 
> > wants extra protection against breaks or catastrophic bugs in ML-DSA.
> 
> Since crypto.subtle is a low-level API, we want to define both components of 
> such a construction, so that libraries can implement them however they're 
> combined.
> (A draft for the ML-DSA part of that is at 
> https://twiss.github.io/webcrypto-modern-algos/pqc.html, but that's less far 
> along.)
> 
> Best,
> Daniel
> 
> 
> 
> On Saturday, 12 April 2025 at 20:46:04 UTC+2, Tom Jones wrote:
> To be clear - Ed25519 is much faster than the quantum-resistant alternatives, 
> but that does not make it long term secure.
> To be more specific, we could see an announcement any day that someone has 
> developed a quantum computer that will break it.
> Or it could be 5 more years - who knows.
> Google and Microsoft are two of the companies trying to break it.
> https://hedera.com/blog/are-ed25519-keys-quantum-resistant-exploring-the-future-of-cryptography
> 
> Peace ..tom jones
> 
> 
> On Fri, Apr 11, 2025 at 3:34 AM Anna Weine <nkul...@mozilla.com> wrote:
> @Tom do you have any link/article/post about the Ed25519 deprecation? I've 
> not heard about that so I'm very curious. 
> 
> Thanks,
> A
> 
> On Thursday, April 10, 2025 at 9:12:39 PM UTC+2 Tom Jones wrote:
> I have been hearing other teams asking to use this "new" crypto in other 
> standards, but I cannot for the life of me understand why any effort is being 
> put into a crypto scheme that will surely be deprecated (at least by the NSA) 
> by the end of this year. I didn't object to adding it here until others 
> started to add it to new protocols - which is CLEARLY A BAD IDEA.
> 
> ..tomj
> 
> On Wednesday, April 9, 2025 at 8:17:38 AM UTC-7 Chris Harrelson wrote:
> LGTM3
> 
> On Thu, Apr 3, 2025 at 1:51 AM Yoav Weiss (@Shopify) <yoav...@chromium.org> 
> wrote:
> LGTM2
> 
> On Wed, Apr 2, 2025, 16:18 Daniel Bratell <brat...@gmail.com> wrote:
> LGTM1
> /Daniel
> On 2025-03-31 11:42, Javier Fernandez wrote:
>> Contact emails jfern...@igalia.com
>> 
>> Explainer 
>> https://github.com/WICG/webcrypto-secure-curves/blob/main/explainer.md
>> 
>> Specification https://w3c.github.io/webcrypto/#ed25519
>> 
>> Design docs 
>> https://docs.google.com/document/d/1fDTUY3HVAXehi-eSfbi7nxh8ZPw4MpSKM8U1fMdqJlU/edit?usp=sharing
>> 
>> Summary
>> This feature adds support for Curve25519 algorithms in the Web Cryptography 
>> API, namely the signature algorithm Ed25519.
>> 
>> 
>> Blink component Blink
>> 
>> TAG review https://github.com/w3ctag/design-reviews/issues/466
>> 
>> TAG review status Issues addressed
>> 
>> Risks 
>> 
>> Interoperability and Compatibility
>> WebCrypto API was specified to allow the addition of new (normalized) crypto 
>> algorithms. When an algorithm is not yet supported by a browser, an 
>> exception for unrecognized algorithms is thrown when the related APIs are 
>> invoked.
>> 
>> 
>> Gecko: Shipped/Shipping 
>> (https://bugzilla.mozilla.org/show_bug.cgi?id=1804788) 
>> https://www.mozilla.org/en-US/firefox/130.0/releasenotes/
>> 
>> WebKit: Shipped/Shipping (https://bugs.webkit.org/show_bug.cgi?id=246145) 
>> https://developer.apple.com/documentation/safari-technology-preview-release-notes/stp-release-178
>> 
>> Web developers: No signals
>> 
>> Other signals:
>> 
>> WebView application risks
>> 
>> 
>> 
>> Debuggability 
>> 
>> Will this feature be supported on all six Blink platforms (Windows, Mac, 
>> Linux, ChromeOS, Android, and Android WebView)? Yes
>> 
>> Is this feature fully tested by web-platform-tests? Yes
>> https://wpt.fyi/results/WebCryptoAPI?label=experimental&label=master&aligned
>> 
>> 
>> Flag name on about://flags WebCryptoEd25519
>> 
>> Finch feature name None
>> 
>> Non-finch justification
>> The feature has been implemented behind WebCryptoEd25519 runtime flag.
>> 
>> 
>> Requires code in //chrome? False
>> 
>> Tracking bug https://bugs.chromium.org/p/chromium/issues/detail?id=1370697
>> 
>> Availability expectation The feature is already available on the Web 
>> Platform, and shipped enabled by default in Firefox and Safari.
>> 
>> Adoption expectation This feature is considered a best practice for web apps 
>> that need support of Ed25519 signing and X25519 key sharing. Relying on 
>> external libraries (JS, WASM) is the alternative and implies security risks.
>> 
>> Estimated milestones
>> Shipping on desktop 137
>> Shipping on Android 137
>> Shipping on WebView 137
>> Shipping on iOS 137
>> 
>> Anticipated spec changes
>> small-order checks - 
>> https://github.com/WICG/webcrypto-secure-curves/issues/27 
>> randomized signatures - 
>> https://github.com/WICG/webcrypto-secure-curves/issues/28
>> 
>> Link to entry on the Chrome Platform Status 
>> https://chromestatus.com/feature/4913922408710144?gate=5015367861141504
>> 
>> Links to previous Intent discussions Intent to Prototype: 
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/faf4f153-1d4c-915d-53d0-0968833cfe55%40igalia.com
>> 
>> 
>> This intent message was generated by Chrome Platform Status.
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to blink-dev+...@chromium.org.
>> To view this discussion visit 
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dc12dc7c-1d3d-4b94-9507-2b7226b85622%40igalia.com.
