Open sander opened 4 months ago
Some examples were identified on Cryptography Stack Exchange during the work on ETSI TR 119476: in the context of batch issuance and proof of association, WO 2024/123181 claims distributed ECDSA, more broadly than the Split-ECDSA patent WO 2022/050833. It seems to apply a similar technique as US 10530585 and US20030059041.
This is an important concern, priority should be given to algorithms that are available under creative commons and public good friendly licenses. As a key example the ISO20008 states that there may be patent issues. (Apparently from NEC and ETRI), for various "anonymous signatures" algorithms included in that standard.
Any approved cryptography should be free of intellectual property issues in order to facilitate adoption of the EUDI wallet spec.
Thank you very much for the received input. We recognize the issues you raise and have been in contact with you in the meantime. We are looking forward to work with you and other experts to get these issued solved in the near future. Potential changes in the ARF to enable the use of HDK will however not be part of the next ARF version, v1.5.0.
Context: https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/discussions/282
This feedback is related to the work on Hierarchical Deterministic Keys (HDK), but not part of the working group’s deliverable.
To address the risk of correlating users across presentations to Relying Parties, an EU Digital Identity Wallet needs to be able to present documents bound to many unique one-time-use public keys. This potentially creates an insurmountable key management challenge, especially when implemented centrally in a WSCA.
Solutions such as HDK could help address this challenge, distributing key management across the WSCA and the Wallet Instance, while leveraging existing certified WSCD solutions (https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/283).
Distributed key management involving existing certified WSCD solutions is possible with ECDSA, EC-SDSA (EC-Schnorr) and ECDH-MAC. These are likely candidates for proof-of-possession algorithms in the short term. However, while researching the options for HDK as reported in ETSI TR 119476, several granted and pending patent claims of organisations within and outside of the EU were found potentially applicable to distributed ECDSA. Such claims could create implementation risk.
To avoid this risk in the ecosystem, consider encouraging the use of EC-SDSA or ECDH-MAC for WSCD-binding in the ARF. Methods implementing these algorithms in a distributed way have been widely applied in open source communities for a long time, which makes patent claims significantly less likely.
Such ARF encouragement should be complementary to the essential patent disclosure process of standards organisations. These should be started as well, but may not provide sufficient clarity in time for implementation of the EU Digital Identity as described in the ARF.
Details: ETSI TR 119476 version 1.2.1 § 4.4.4.2 on Hierarchical Deterministic Keys and blinded key proof of possession, HDK v0.1.0 section on Generic HDK instantiations.
ARF version: 1.4.0