I'm just opening this issue for discussion of whether the current algorithms preclude support for signing by an HSM (hardware security module) or other types of key vaults.
Some questions that come to mind:
Is it reasonable to assume that the HSM will compute (or ship with) the required generator points, or would they need to be submitted by the caller?
Would there need to be a limit on the number of signed messages?
Should the messages be submitted as scalars in order to support different message encodings?
Do specific ciphersuites need to be explicitly supported (and perhaps included in the key metadata to prevent reuse across ciphersuites)?
What would support for blind signing look like?
And in general, are there examples of multi-message signing APIs for comparison?
The problem with HSMs is you can only multiply a point by the secret value, and they only return the X coordinate, which means you have to figure out which Y coordinate to use, otherwise it breaks. Until they support returning the full point I’m not sure how the HSM can help. Software enclaves can do much better, so perhaps that should be the focus first.
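The X-only problem raised in the comment above, as an added illustration that is not code from this issue or from the project it belongs to: it models a device that keeps sk and hands back only the X coordinate of [sk]P, shows that this leaves two valid candidate points, and shows that one extra bit (the parity of Y, which an X-only interface does not supply) is all that is needed to pick the right one. The secp256k1 parameters are an assumption chosen for a compact, well-known short-Weierstrass curve; the ambiguity itself holds on any such curve.

```python
# Added illustration (not from the issue): a key store that returns only the X
# coordinate of [sk]P leaves two candidate points, (x, y) and (x, -y).
# secp256k1 is assumed here only as a compact, well-known short-Weierstrass curve.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
B = 7  # y^2 = x^3 + 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    # Affine point addition; None is the point at infinity.
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    # Double-and-add scalar multiplication.
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def hsm_multiply_x_only(sk, pt):
    # Models the behaviour described in the thread: the device keeps sk and
    # returns only the X coordinate of [sk]P.
    return mul(sk, pt)[0]

def candidates_from_x(x):
    # Both points sharing this X. P = 3 mod 4, so sqrt is one exponentiation;
    # if the root check fails, no curve point has this X at all.
    rhs = (x ** 3 + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        return []
    return [(x, y), (x, (-y) % P)]

def recover(x, y_is_odd):
    # The parity of Y (as in compressed points) is enough to disambiguate.
    return next(c for c in candidates_from_x(x) if (c[1] & 1) == y_is_odd)
```

Without the parity bit the caller is left with both candidates, one of which is the negation of the intended point.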