Announcing Halo 2

mistfpga · January 29, 2021, 2:02pm

Halo curves are completely new right? The idea is v smart but im worried about HSM support.

This is the fastest out there. the Luna 7 - Luna Network Hardware Security Modules (HSMs) | Thales

“Asymmetric: RSA, DSA, Diffie-Hellman, Elliptic Curve Cryptography (ECDSA, ECDH, Ed25519, ECIES) with named, user-defined and Brainpool curves, KCDSA, and more”

depending on how different halo is, it might not even be supported by other hsm manufacturers.

Has anyone asked/calculated the TPS of the halo curves on something like a luna 7?

daira · February 1, 2021, 2:58am

An HSM that supports arbitrary ~256-bit short Weierstrass curves would support the Pasta curves. I can’t think what else “user-defined curves” would mean, although you’d have to ask the vendor’s tech support people in order to be sure.

secparam · February 1, 2021, 3:17am

I had a long call with coinbases key management talking about research (this was wearing my professor hat). General point though: no way an exchange swaps HSMs or adds extra HSMs just to get support for a given crypto currency. So we need to get support on most HSMs that are used. And even then I bet firmware updates are a pain.

It would be interesting if we could do pay to script hash for Zcash. If you can’t sign under the public key in a Zcash transaction, you can reveal its g^hash(script) and then present something that verifies under the script. This would let you store shielded Zcash in existing custody solutions at the cost of leaking the script when you move the money. Which isn’t too bad if all it can be is a multisig and u don’t reuse addresses. I don’t think this even needs a circuit change for either sapling or Orchard.

mistfpga · February 1, 2021, 8:11am

Good job one someone is on it then - or is it? Should I stop?

EDIT: I sent these are the start of Nov. When I was first approached about possible HSM stuff. I did this before the proposal, not after. A few people have made that mistake. There are well respected community members who will back me up on this.

This was the main point of my proposal.

@secparam It depends on their hardware. Ideally you get the z-support at HSM level. - a lot of these work at on licencing models. I had a proposal that I thought covered all this, but I screwed it up. so I guess good luck

Senior Director of Payments and bespoke crypto solutions:

Re:Thales/nCipher – basically, what happened is we bought Gemalto, but anti-trust regulators rightfully recognized that would create a monopoly in HSMs (nCipher (eSecurity) & Luna (Gemalto). So, in order to make the bigger transaction happen, we had to divest in nCipher (the Cambridge office, basically). So we carved that out, and it got sold to Entrust. So Thales has payShield & Luna (from an HSM standpoint), but have lots of other stuff like smartcards, enterprise encryption, network encryption, etc. So when you say ‘Edge’ and ‘Solo’, those are nCipher products.

That said, on your point with respect to exchanges having needs, we’ve definitely partnered with some in the past, but there are two challenges – firstly, most general purpose HSMs can’t keep up with high transactional volumes of exchanges so they tend to use HSMs for offline protection & root key stuff. Secondly, the general purpose isn’t a good fit for blockchain & requires custom code – which we’ve done in the past, but tends to be dedicated to specific customers.

That said, payShield would likely be a good choice and there is a robust ‘custom application’ process (at fairly reasonable prices), but I’m not aware of any exchanges or blockchain tech taking advantage of it.

Hey Steve,

Yes, of course – once you have a handle on what you’re looking for, I can make the right introductions to the Luna & payShield PMs so they can help you navigate the options. ** Being transparent, I will say that non NIST curves on our platforms will be somewhat of a bigger ask than standard firmware changes, and the performance might not blow your socks off.**

I would recommend for your proposal, make sure that you are clear about your expectations for performance, whether it be average throughput (TPS) or latency (min/max on a per-operation standpoint) for the most critical transactions you have. You’ll also want to be clear about what actual crypto is needed (i.e. rather than saying “implement all ZCASH crypto”, it should be explicit about the asymmetric mechs, symmetric mecs, hashing mechs, and composite transactions that you need) – this will help speed the conversations and more quickly get to solutions.

Looking forward to your Crayola proposal!

Im still not sure if my proposal was accepted for deliberation or not. or which version. but there you go. Im guessing none.

how useful would a luna10k be to the zfnd? or the PCI-e drop in card version? - like dev versions you can play with? @dconnolly

So for example 1 Luna could enable 25 payshilelds. to do z2z. (rough numbers from real time convs i dont really remember that well)

@antonie - I Hope you can see why my proposal a mess (that and Ive never really used google docs, we always used hackmd.io or opensource stuff before.) - my edit were meant to be explanatory comments.

Oh I have started setting up verification channels for my real ID if anyone cares.

Topic		Replies	Views
Announcing ZIP 224: Bringing Halo 2 to Zcash General	11	1115	January 15, 2021
Bring Halo2 to Zcash（Zcash on Halo2简介） Chinese	0	1093	January 20, 2021
TGPPL: okay General	14	970	September 3, 2020
Using Halo/Halo 2 for short-term improvements to Zcash's Scalability Technology	10	1418	September 14, 2023
Ecc-releases-code-for-halo-2翻译中文版 Chinese	0	846	January 21, 2021

Announcing Halo 2

Related topics