Gnuk Mirae and Reproducible Procurement

Thu Aug 8 06:23:12 CEST 2024

Hi

Thanks for your presentations!  I like the minimal approach - did you look at the Tillitis key?

https://tillitis.se/

They take an even more minimal approach and doesn’t even have on board storage.

A minimal approach (no CCID, less PGP) seems like a good idea. The tillitis key only has a ed25519 signer, nothing more. I think that is a good interface but I think storage is important - so you can store PGP-related stuff, for some glue code on the host. I also dislike how it is impossible to use your own private key with tillitis, this is an important use-case for trust reasons. Ed25519 is easily compromisable (nonce gen) for hardware-bound private keys.  A pure ed25519 interface also make supporting non-PGP simple, assuming it supports ed25519.

However, I have a question: would you consider including some relative performant target board as well?  Something that could do Classic McEliece or SPHINCS+ without significant effort?  Just add some of the reference code and it would fit without storage issues. Could even be a raspberry pi zero or similar.

/Simon

> 8 aug. 2024 kl. 04:24 skrev NIIBE Yutaka <gniibe at fsij.org>:
> 
> Hello,
> 
> I had a talk at Debconf24 in Busan, and I did valuable conversations
> with our token users (not only Gnuk, but also other ones, including
> proprietary Yubikey).  From ShenZhen friend, I got one token
> implementation, named CanoKeys.  The website seems:
> https://www.canokeys.org/
> 
> Debconf24's main venue was "Mirae" building.  Mirae means future.  So, I
> named the next version of Gnuk as "Mirae".
> 
> After some discussions in Busan, my major idea for Gnuk Mirae is:
> 
> - minimize the implementation, to be bare crypto operations
> - moving code from the implementation on device side to host side
> 
>            *    *    *
> 
> I started Gnuk Mirae development with CH32V203 MCU.
> 
> Major social/technical difficulty for this stage would be "reproducible"
> procurement for development environment.  If you have a good Chinese
> contact, no problem.  However, using AliExpress/Taobao/etc. is a bit
> difficult for foreign person.  At least for me, buying some parts/boards
> is not always reproducible.
> 
> Thus, today, I'd like to share information for procurement.  I'm not
> sure if it's effective for you, but it can give you some hints.
> 
> 
> (1) The development board
> 
> aliexpress.com:
>    CH32V203G8R6-EVT-R0
> 
>    WCH Official Store
>    2Pcs/Lot CH32V203 Evaluation Board low-power consumption
>    small-medium capacity
> 
> This is a board with CH32V203G8R6 MCU.
> 
> CH32V203C8T6-EVT-R0 is also good.  I selected CH32V203G8R6 for now,
> considering the possible my own handsoldering of the chip (It's easier
> when it has less pins.  TSOP is a bit easier than QFP).
> 
> 
> (2) The debugger
> 
> aliexpress.com:
>    WCH LinkE
> 
>    CNEWTEC Electronics Store
>    WCH LinkE Online Download Debugger Support WCH RISC-V
>        Architecture MCU/SWD Interface ARM Chip 1 Serial Port to USB Channel
> 
> This is a clone of WCH LinkE.  WCH LinkE mini (another clone) would also
> work well (I don't use that yet).  I selected the clone, because
> official ones are tend to change (to be newer versions of firmware).
> YMMV.
> 
> 
> (3) Jumper wires
> 
> mouser.com:
>    SchmartBoard
>    Jumper Wires
>        920-0112-50
> 
> This is reproducible.  I use these juper wires to connect the board
> to the debugger.  I also use them to connect LEDs on the board to
> GPIO pins.
> --
> 
> _______________________________________________
> Gnuk-users mailing list
> Gnuk-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnuk-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnuk-users/attachments/20240808/78dfbe47/attachment.html>