BLS Signature and HSMs

hermanjunge · September 16, 2019, 5:12pm

Dear All,

My team has been working on designing a set of tools to deploy and monitor validator clients in any cloud.

A key element in this kind of deployment is the HSM component. To date (2019.09.16), there are not known support for the BLS12-381 curve and the BLS signature. Then a great task is start evangelizing cloud and hardware providers on this requirement.

Anybody in this forum is familiar with the steps it takes for both the curve and the signature scheme to be NIST / FIPS compliant? (any of them, either or both). Any pointer to cover this subject will be extemely appreciated.

Herman

PS: I plan to use that article’s url and this thread as the main redirection links for the subject of HSM support.

hermanjunge · September 17, 2019, 12:00am

This is a quick “BLS for busy people” guide. With a summary, some discussion and the links I’ve visited the most during my little information gathering.

gist.github.com

https://gist.github.com/hermanjunge/3308fbd3627033fc8d8ca0dd50809844

BLS_Signature.md

# BLS Signature for Busy People

## Summary

* BLS stands for
  * Barreto-Lynn-Scott: BLS12, a Pairing Friendly Elliptic Curve.
  * Boneh-Lynn-Shacham: A Signature Scheme.

* **Signature Aggregation**
  * It is possible to verify `n` aggregate signatures on the same message with just `2` pairings instead of `n+1`.

This file has been truncated. show original

kladkogex · September 18, 2019, 11:36am

BLS signatures can not be FIPS validated since BLS has not been validated as FIPS compliant by the US government.

At SKALE we are developing SGX based crypto wallet, which can be used to protect BLS. We are planning to opensource it soon.

hermanjunge · September 18, 2019, 7:53pm

Stan, thank you for your answer.

I have to gain further understanding on the topic of SGX. For now, It is correct to assume that I can build a secure enclave in a cloud (e.g. AWS), leveraging SGX?

kladkogex · September 19, 2019, 4:06pm

You can use Microsoft Azure, AWS does not support it yet

It is basically a programmable HSM inside of Intel CPU

deejvince · April 24, 2020, 8:26am

SGX has many downsides and security issues exposed recently. AWS has developed their own Enclave technology called: Nitro Enclave