# Joint Comments from ConsenSys, DIF, EEA, … TBD
**IETF Version**
Comments on SP 800-186 and FIPS 186-5
From https://www.federalregister.gov/documents/2019/10/31/2019-23742/request-for-comments-on-fips-186-5-and-sp-800-186#p-17:
[...]
“Furthermore, NIST seeks input on the allowed hash functions specified for use with EdDSA.”
[...]
“NIST also requests comments on the set of recommended and allowed elliptic curves included in draft NIST SP 800-186. In particular, NIST requests feedback on the use of these curves by industry, and industry's need for additional elliptic curve specifications to meet security or customer requirements.”
[...]
**Comments Close (EEA / HL / W3C / DIF / IETF): 01/17/2020**
**Comments Close: 01/29/2020**
# Applicable Documents
- SP 800-186, Recommendations for Discrete Logarithm-Based Cryptography: Elliptic Curve Domain Parameters: https://csrc.nist.gov/publications/detail/sp/800-186/draft
- FIPS 186-5, Digital Signature Standard (DSS): https://csrc.nist.gov/publications/detail/fips/186/5/draft
## Joint Comments to the Applicable Documents by the following Organizations
- ConsenSys AG
- Decentralized Identity Foundation
- Enterprise Ethereum Alliance
- TBD: Hyperledger Project of the Linux Foundation
- TBD: IETF
- TBD: Individual W3C Member Organizations
# Executive Summary
Since the Bitcoin Genesis block in January 2009, blockchain, and more broadly Distributed Ledger Technology (DLT), has seen exponential growth in usage and applications. While DLT applications were initially only available on public networks that anyone could join, enterprise applications with their own requirements for security and privacy have become more prominent, and there are now thousands of both public and enterprise projects, directly or indirectly touching the lives of hundreds of millions of people.
One of the key technology foundations of DLT is public-key cryptography, in particular elliptic curve cryptography. By far the most widely adopted elliptic curve in the DLT space is secp256k1, and the most widely adopted hash function is keccak-256. Unfortunately, neither secp256k1 nor keccak-256 is endorsed in SP 800-186 and FIPS 186-5. This is despite the fact that there are no significant security differences between, for example, the NIST-endorsed secp256r1 and secp256k1, or the sha3-256 hash and keccak-256.
The current decision by NIST will have a significant impact on business in this space. Any effort to cater both to the large global market for DLT applications based on secp256k1 and keccak-256 and to customers who require NIST compliance in their systems necessitates a far more complex programming effort in order to maintain multiple approaches to the same problem. The likely outcome of the resulting competing business requirements and continued technology uncertainty is slower development, reduced and delayed investment, and increased cost in order to reach some level of industry convergence. Furthermore, these developments could lead to either of two undesirable outcomes: market fragmentation into technology silos, or technology stack and, consequently, vendor monopolies. Either outcome would lead to higher costs.
Most importantly, existing deployments of DLTs based on secp256k1 and keccak-256 already affect hundreds of millions of people, and those currently under development will affect even more, as detailed in the section on Industry Adoption and Impact below.
To minimise the damage to innovation and markets caused by the difference between the standards being adopted by the world and those currently endorsed by NIST, we request that NIST include the secp256k1 curve as part of the endorsed ECDSA schemes, and the use of keccak-256 in the secp256k1 signature schemes.
## About secp256k1 and keccak
The curve secp256k1 is an elliptic curve of Koblitz type, defined in the Standards for Efficient Cryptography paper [SECG2]. It is currently used together with the ECDSA signature algorithm in order to create digital signatures. Other signature types like Schnorr can also be used with this curve, but these have not been widely deployed.
The security of general Koblitz type elliptic curves is covered in [SECG1], and the secp256k1 curve has a security level of 256 bits, which is considered secure.
The secp256k1 curve has been used extensively in the blockchain space, starting with the launch of Bitcoin in 2009. It is also a core feature of Ethereum, which enables applications far beyond cryptocurrency. The security of this curve continues to be relied upon for billions of dollars worth of blockchain transactions daily.
The core reference library libsecp256k1 [libsecp256k1] has been tested extensively and has undergone thorough optimizations, which leads to the signature algorithm being very fast.
Ethereum uses a hash function called keccak-256 together with secp256k1 signatures. This hash function was chosen because it was the winner of the SHA3 competition. However, the final version of the SHA3 standard added an extra padding byte to the message before applying the keccak hash, which means that keccak-256 produces a different output than the FIPS-approved SHA3. This extra padding of the message is the only difference between the two functions.
# Industry Adoption and Impact
Below we delineate the extent and importance of secp256k1 and keccak-256 usage across all industry verticals by detailing current and expected (2020) usage patterns and user bases for the currently predominant industry verticals and cross-industry functions.
## Decentralized Identity
Decentralized identity has the potential to become the first universal digital identity for individuals, legal entities and things. It dramatically increases the user’s privacy while creating new revenue channels for companies and government, and reducing costs for consumers of digital identities. Incubated over a period of years and tested in numerous companies (including Fortune 500) and consortia across many industry verticals around the world, the recently approved W3C Verifiable Credentials standard [W3C.VC] paves the way for major adoption in production systems.
We are very pleased that the United States, through, e.g., NIST [NIST] and the Department of Homeland Security (DHS) [DHS], recognizes the great value of this new identity management paradigm based on the W3C Verifiable Credentials standard [W3C.VC]. Other governmental and public sector organizations and initiatives are investing a lot of effort to explore these new technologies, including the European Commission [EC][ESSIF], Spain’s national Alastria network [Alastria], the UK’s Financial Conduct Authority [FCA] and the Government of British Columbia [VONX].
In addition, existing trust anchors such as the Global Legal Entity Identifier Foundation (GLEIF) are partnering with decentralized identity platform providers to issue W3C Verifiable Credentials to legal entities and their corporate officers [GLEIF]. Amongst others, some platforms anchor DIDs on the Ethereum or Quorum network, which is based on secp256k1/keccak-256 cryptography.
Generally speaking, secp256k1 is very popular in the decentralized identity community for authentication purposes. For this reason, support for secp256k1 is crucial to stay interoperable in this open standards-driven ecosystem. Many decentralized identity projects use the decentralized and immutable nature of blockchains in order to add integrity protection to decentralized identifiers and their associated public keys. These projects mainly use the hash functions SHA2-256, RIPEMD-160 and keccak-256.
Without official endorsement, public sector applications will not be able to make full use of the above efforts and systems.
## Trade and Supply Chain
The trade industry is moving quickly to leverage blockchain for trade finance, shipping and freight, digitization of documents, and maintaining expansive networks. One example of a platform in production leveraging the Ethereum-based Quorum blockchain infrastructure is komgo, a fully decentralized commodity trade finance network. Investors and shareholders of the company include Citi, ING, Credit Agricole CIB, BNP Paribas, Societe Generale, ABN Amro, Macquarie, MUFG, Natixis, Rabobank, Gunvor, Mercuria, Koch, Shell, and SGS, which has already channeled more than $1 billion of financing on the platform.
Within supply chain management (retail, manufacturing, and logistics), many companies have begun using blockchain solutions for traceability, transparency, and efficiency in their processes. Treum, which leverages the Ethereum blockchain, builds asset- and industry-agnostic supply chain solutions, including Food, Consumer Products, Oil & Gas, Healthcare, Luxury Goods, Energy, Land, and Art. Companies that have tested supply chain solutions include GlaxoSmithKline, Procter & Gamble, Johnson & Johnson, Mars, and many others.
## Financial Services
In Deloitte’s 2018 global blockchain survey, which drew responses from 1,053 executives across seven countries, 74 percent reported that their organizations see a “compelling business case” for using blockchain technology. In 2019, JP Morgan created its stable coin; Fidelity launched its digital asset custody service and aims to roll out a crypto trading service for its clients; and State Street Bank is investing in research and development for digital assets, stablecoins, custody, and the USC initiative (the Utility Settlement Coin being developed by bank consortium Fnality). These are a few of the many banks globally working on solutions for capital markets, investment management, payments and remittances, treasury liquidity and foreign exchange, and insurance.
## Government: Access Control and Credential Management
The US, UK, and Canadian governments, the United Nations, and international non-governmental organizations such as the World Bank and the Inter-American Development Bank are evaluating the use of decentralized identity solutions for credential management, access control, and track and trace of government-issued payments.
## Telecommunication
A consortium of global telecommunications carriers comprising roughly 80% of global voice and data traffic is creating a global DLT network in 2020 comprised of several DLT stacks, including Enterprise Ethereum, which utilizes secp256k1 and keccak-256. The DLT network is to financially settle inter-carrier voice and data transactions of their several billion clients and provide an identity, compliance, and reputation layer for participating carriers and their authorized delegates. Besides improving inter-carrier voice and data-on-demand settlement speeds, saving billions of dollars for carriers globally, the applications will for the first time make it possible to introduce carrier reputation, battling global carrier fraud, which impacts not only carrier bottom lines globally to the tune of several billion dollars a year but also virtually every telecom customer through dropped or uncompleted calls. While carrier customers are not directly using secp256k1 and keccak-256, the carriers do so on behalf of their customers during inter-carrier voice and data-on-demand settlements when utilizing voice and data-on-demand settlement solutions.
In addition, telecom regulatory authorities around the world are starting to mandate the usage of blockchain/DLT technology in their regulatory frameworks, such as the Telecom Regulatory Authority of India (TRAI) mandating the usage of DLT technology to prevent text messaging spam in 2018 [TRAI]. This directly impacts over 1 billion Indian mobile customers. In fact, the Tech Mahindra implementation of the anti-spam TRAI requirement, currently reaching about 300 million Indian mobile users, is based on Nexledger, which is an Ethereum-compatible blockchain using secp256k1/keccak-256.
## Mobility
Similar to efforts in the telecom industry vertical, there is an effort underway in the mobility industry vertical by members of the Mobility On the Blockchain Initiative (Mobi) to create a global DLT network in 2020 consisting of global vehicle manufacturers such as GM, Ford, BMW, Honda, etc. and vendor organizations such as Accenture as consultancies or Microsoft as product companies. The global DLT network is intended to be comprised of several DLT stacks, including Enterprise Ethereum, which utilizes secp256k1 and keccak-256. The network will first provide verifiable identities and credentials of vehicles as well as an identity, compliance, and reputation layer for participating carriers and their authorized delegates. This will enable real-time registration and verification of vehicles, saving billions of dollars in manual processes globally. In addition, the DLT network intends to use utility tokens such as asset-backed stable coins for service payments by a vehicle, or tokens issued by municipalities representing access rights for things such as neighborhood parking or congestion pricing. This will require vehicle buyers to use secp256k1 and keccak-256 directly through tokens and indirectly through verifiable vehicle identities and associated credentials. Given that there are over 1.2 billion vehicles globally, that 64 million connected cars are to ship in 2019, and that mobility IoT services such as Lime, Bird, Ofo or Blue Bike are rapidly increasing in popularity and thus in the size of both fleet and customer base at a global level (Lime reached the 50 million trip mark in significantly less than half the time, ~2 years, that Uber did), the DLT network is expected to reach over 100 million vehicle identities and several million token transactions in 2020.
## Consumer Products - Entertainment, Music, Sports, Fashion, CPG and other Retail
End-consumer focused products (B2C or B2B2C) are different from the B2B verticals discussed above because of the very different problems they solve: customers or fans of brands demand personalized and unique experiences any time, anywhere, on any device. In addition, we have an increasingly fragmented and saturated advertising landscape which, together with siloed customer systems, prevents brands from effectively reaching, engaging, and understanding their target audience. New end-consumer focused, blockchain-enabled solutions such as Sorare, Socios or Kapture are starting to address this need, albeit in very different ways, though typically this involves combining several technologies such as Augmented Reality, Machine Learning and Social Media with DLT technologies. With very large brands engaged in this area in different verticals such as Sports (the NBA, the Los Angeles Dodgers, the Sacramento Kings, Juventus Turin, Manchester United, FC Barcelona), Entertainment (Warner Brothers, Capitol Records) or retail (Anheuser Busch), the number of consumers directly touched by these products, in particular through social media with influencer marketing, is expected to reach 100M+ in 2020. For example, one anticipated pilot in India around a well-known sports franchise can easily reach a few hundred thousand people per mobile media event through social media sharing, and, thus, the pilot could easily engage over a million sports fans.
Given that most of the above-mentioned end-consumer products are built on either Enterprise Ethereum, public Ethereum or Ethereum-like chains, the impact of the usage of secp256k1 and keccak-256 on end users is very similar to that for the above-mentioned, primarily B2B verticals, in particular mobility, given the required usage of wallets for digital assets such as stable coins, utility tokens, loyalty tokens or digital collectibles.
## Healthcare
TBD
## Industry Standards Adoption
The following is a non-exhaustive list of standards and specifications that recognize secp256k1:
- As a proof algorithm in W3C Verifiable Credentials Standard [W3C.VC]
- As a proof algorithm for DID for W3C Decentralized Identifiers [W3C.DID] (future standard)
- As the signature algorithm of authenticators in the FIDO 2.0/ W3C WebAuthn Standard [WebAuthn]
- Signature algorithm for the COSE/ JOSE family [JOSE]
- JSON-LD Linked Data Signature specification based on secp256k1 [JSON-LD]
- EEA Ethereum Enterprise Client Specification V4.0 [EEA.Client]
- EEA Off-Chain Trusted Compute Specification V1.1 [EEA.TC]
- ...
## Independent Implementations
The following is a non-exhaustive list of independent cryptography and related libraries with support for secp256k1:
- OpenSSL CLI tool and Open Source cryptography library [OpenSSL]
- Bouncy Castle cryptography library for JAVA applications [BouncyCastle]
- Node.js native cryptography library [Node.Crypto]
- Secp256k1 reference implementation in Bitcoin [libsecp256k1]
- “jose” which is a Node.js JOSE library [Node.JOSE]
- Nimbus JWT library for JAVA applications [Nimbus]
- JWT library based on Decentralized Identifiers in JavaScript [DID.JWT]
- JSON-LD Linked Data Signatures in JavaScript [JSON-LD.Lib]
- …
Please note that many of these libraries have significant industry adoption and use.
## Organizations supporting this Letter
### Consensys
Web: https://consensys.net/
TBD
### Decentralized Identity Foundation (DIF)
Web: https://identity.foundation/
With more than 90 member companies such as Consensys/uPort, Microsoft, Sovrin, Evernym, IBM, Blockstack, Mastercard, Accenture, Ministry of British Columbia, Workday and many more, DIF sees a lot of adoption of secp256k1 and keccak-256 in the decentralized identity community in the areas of authentication, verifiable credentials exchange and, more generally, proving control over a DID. Official endorsement of secp256k1 and keccak-256 by FIPS 186-5 and SP 800-186 will allow many decentralized identity solutions to be adopted by the public sector, and it will ensure the public sector will be able to interact with decentralized identity applications in the private sector in the future.
### Enterprise Ethereum Alliance (EEA)
Web: https://entethalliance.org/
Description: The Enterprise Ethereum Alliance is a member-driven standards organization, with over 120 organizations, whose charter is to develop open, blockchain specifications that drive harmonization and interoperability for businesses and consumers worldwide. The global community of members is made up of leaders, adopters, innovators, developers, and businesses who collaborate to create an open, decentralized web for the benefit of everyone.
### Supporting W3C Member Organizations
#### Org1
Web: TBD
TBD: Description
#### Org2
Web: TBD
TBD: Description
### IETF CFRG
Web: TBD
TBD: Description
# References
- [SECG1] http://www.secg.org/sec1-v2.pdf
- [SECG2] http://www.secg.org/sec2-v2.pdf
- [NIST] A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems, NIST: https://csrc.nist.gov/publications/detail/white-paper/2019/07/09/a-taxonomic-approach-to-understanding-emerging-blockchain-idms/draft
- [DHS] News Release: DHS Awards $198K for Raw Material Import Tracking Using Blockchain, DHS: https://www.dhs.gov/science-and-technology/news/2019/11/08/news-release-dhs-awards-198k-raw-material-import-tracking
- [TRAI] Tech Mahindra launched Blockchain solution to curb spam calls in India: https://telecom.economictimes.indiatimes.com/news/tech-mahindra-launched-blockchain-solution-to-curb-spam-calls-in-india/69147376
- [EC] Blockchain and Digital Identity, European Blockchain Observatory and Forum: https://www.eublockchainforum.eu/sites/default/files/report_identity_v0.9.4.pdf?width=1024&height=800&iframe=true
- [ESSIF] European Self-Sovereign Identity Framework: https://www.eesc.europa.eu/sites/default/files/files/1._panel_-_daniel_du_seuil.pdf
- [GLEIF] https://medium.com/uport/uport-partners-with-the-gleif-network-to-launch-decentralized-corporate-identity-management-2a7a20be3354
- [W3C.VC.UseCase] Verifiable Credentials Use Cases, W3C VC WG: https://www.w3.org/TR/vc-use-cases/#legal-identity
- [W3C.VC] Verifiable Credentials Data Model, W3C VC WG: https://www.w3.org/TR/vc-data-model/
- [W3C.DID] Decentralized Identifier Specification, W3C DID WG: https://www.w3.org/TR/did-core/
- [Alastria] Alastria ID: https://alastria.io/en/id-alastria/
- [komgo] What is komgo? | Commodity Trade Finance Meets Blockchain: https://www.tradefinanceglobal.com/posts/what-is-komgo-commodity-trade-finance-meets-blockchain/
- [VONX] Verifiable Organizations Network, Government of British Columbia: https://vonx.io/about/
- [FCA] Regulatory sandbox - cohort 5: https://www.fca.org.uk/firms/regulatory-sandbox/cohort-5
- [WebAuthn] Server Requirements and Transport Binding Profile: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html
- [JOSE] https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-03
- [EEA.Client] https://entethalliance.org/wp-content/uploads/2019/11/EEA_Enterprise_Ethereum_Client_Specification_V4.pdf
- [EEA.TC] https://entethalliance.org/wp-content/uploads/2019/11/EEA_Off-Chain_Trusted_Compute_Specification_v1.1.pdf
- [OpenSSL] Command Line Elliptic Curve Operations, OpenSSL: https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations
- [BouncyCastle] The Legion of the Bouncy Castle: https://www.bouncycastle.org/
- [Node.Crypto] https://nodejs.org/api/crypto.html
- [Node.JOSE] https://www.npmjs.com/package/jose
- [libsecp256k1] https://github.com/bitcoin-core/secp256k1
- [Nimbus] https://connect2id.com/products/nimbus-jose-jwt/examples/jwt-with-es256k-signature
- [DID.JWT] https://github.com/decentralized-identity/did-jwt
- [JSON-LD] https://w3c-dvcg.github.io/lds-ecdsa-secp256k1-2019/
- [JSON-LD.Lib] https://github.com/digitalbazaar/jsonld-signatures