HDK Feedback: Encourage cryptographic algorithms that avoid patent risks
sander opened this issue · 3 comments
Context: #282
This feedback is related to the work on Hierarchical Deterministic Keys (HDK), but not part of the working group’s deliverable.
To address the risk of correlating users across presentations to Relying Parties, an EU Digital Identity Wallet needs to be able to present documents bound to many unique one-time-use public keys. This potentially creates an insurmountable key management challenge, especially when implemented centrally in a WSCA.
Solutions such as HDK could help address this challenge, distributing key management across the WSCA and the Wallet Instance, while leveraging existing certified WSCD solutions (#283).
Distributed key management involving existing certified WSCD solutions is possible with ECDSA, EC-SDSA (EC-Schnorr) and ECDH-MAC. These are likely candidates for proof-of-possession algorithms in the short term. However, while researching the options for HDK as reported in ETSI TR 119476, several granted and pending patent claims of organisations within and outside of the EU were found potentially applicable to distributed ECDSA. Such claims could create implementation risk.
To avoid this risk in the ecosystem, consider encouraging the use of EC-SDSA or ECDH-MAC for WSCD-binding in the ARF. Methods implementing these algorithms in a distributed way have been widely applied in open source communities for a long time, which makes patent claims significantly less likely.
Such ARF encouragement should be complementary to the essential patent disclosure process of standards organisations. These should be started as well, but may not provide sufficient clarity in time for implementation of the EU Digital Identity as described in the ARF.
Details: ETSI TR 119476 version 1.2.1 § 4.4.4.2 on Hierarchical Deterministic Keys and blinded key proof of possession, HDK v0.1.0 section on Generic HDK instantiations.
ARF version: 1.4.0
Some examples were identified on Cryptography Stack Exchange during the work on ETSI TR 119476: in the context of batch issuance and proof of association, WO 2024/123181 claims distributed ECDSA, more broadly than the Split-ECDSA patent WO 2022/050833. It seems to apply a similar technique as US 10530585 and US20030059041.