Deterministic hierarchical keys &


Dawid Ciężarkiewicz

Dec 16, 2020, 9:08:08 PM
to age-dev

Hi,

Please excuse this not being strictly about age, but since it is related, I hope to reach some people who will be able to give me feedback and possibly pass the idea around, so that maybe it could one day come to fruition.

In Bitcoin land, the problem of secret key material has one of the most pragmatic and simple approaches.


Users generate a secret key once, potentially completely offline, on paper and using coin flips, using BIP39:


and then are able to derive an endless amount of deterministic derived keys using BIP32:


This simplifies backups, disaster recovery, interoperability and so on.

After so many years, I can't believe that we still can't use the same approach (and even the same keys and hardware devices (aka hardware wallets)) in other software.

I'm not a cryptographer, so the main blocker for me implementing a prototype tool like this myself is the lack of deterministic key derivation implementations for anything other than secp256k1, which seems to support only signing (and not de/encryption). ed25519 seems to support encryption, but not deriving keys.

I tried to get more feedback in other places, including:


Twitter and some cryptography-related chats, but I never made any progress engaging.

I would really appreciate any feedback helping me move this idea forward.

Regards,
Dawid

Tony Arcieri

Dec 16, 2020, 9:25:24 PM
to Dawid Ciężarkiewicz, age-dev
On Wed, Dec 16, 2020 at 6:08 PM Dawid Ciężarkiewicz <d...@ucore.info> wrote:
I'm not a cryptographer, so the main blocker for me implementing a prototype tool like this myself is the lack of deterministic key derivation implementations for anything other than secp256k1, which seems to support only signing (and not de/encryption). ed25519 seems to support encryption, but not deriving keys.

There are a few different constructions for this, most notably BIP32-Ed25519 (a.k.a. Ed25519-BIP32):


I wouldn't recommend using it though. It derives 224-bit scalars, so each level of derivation weakens the effective strength of the computed scalar value:


The spec works around this by constraining the number of levels in the hierarchy, but it's still an undesirable property, IMO.

The complication which is the cause of this problem is Ed25519's cofactor. secp256k1 is prime order (i.e. no cofactor) and as such the original BIP32 does not have this problem.

I have been meaning to write an abstract implementation of BIP32 that allows substituting an underlying prime order elliptic curve group. Another interesting alternative group to use is https://ristretto.group/

--
Tony Arcieri

Dawid Ciężarkiewicz

Dec 16, 2020, 10:39:04 PM
to age-dev
Thank you very much for all these references!

Do you think something like https://crates.io/crates/curve25519-dalek would allow achieving all the required properties? It does mention Ristretto. Would it be something that not a cryptographer, but a general SWE cryptography practitioner could build on?

I strongly believe that such a construction could improve the usability of cryptography for the general public, freeing them of the burden of key management, simplifying and automating key rotation, revocation, identity management and so many other things.

Regards,
Dawid
 

Tony Arcieri

Dec 16, 2020, 10:47:26 PM
to Dawid Ciężarkiewicz, age-dev
Yes, that's pretty much the ideal thing to build on.

Give me a few days and I might actually write a generic `bip32` crate that implements both ;)

--
You received this message because you are subscribed to the Google Groups "age-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to age-dev+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/age-dev/0c690acf-a4c2-430a-b037-adfa0d16d37an%40googlegroups.com.


--
Tony Arcieri

Dawid Ciężarkiewicz

Dec 16, 2020, 11:10:01 PM
to age-dev
On Wednesday, December 16, 2020 at 7:47:26 PM UTC-8 bas...@gmail.com wrote:
Yes, that's pretty much the ideal thing to build on.

Give me a few days and I might actually write a generic `bip32` crate that implements both ;)


Perfect. Looking forward to it!

Regards,
Dawid

Neil Madden

Dec 17, 2020, 2:24:30 AM
to Dawid Ciężarkiewicz, age-dev
BIP32 has the magical property that you can not only derive child key-pairs from a parent secret key, but you can also derive child public keys from knowing only the parent public key. 

This is a useful property but not always needed. If you don’t need it then you can use simpler schemes like HKDF [1] to derive secret keys and key-pairs from a parent secret key. 

You do have to be a little bit careful because the output of HKDF is uniform random bytes which might not be suitable for every algorithm. Ironically in this case it’s easy to generate Ed25519 secret keys as these are defined as any 32-byte uniform random value. For other curves like secp256r1 the value has to be within a certain range so you may have to derive the child key multiple times (varying a salt input) until you hit a suitable value. 


— Neil

On 17 Dec 2020, at 02:08, Dawid Ciężarkiewicz <d...@ucore.info> wrote:


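The HKDF-based derivation Neil describes above, as an added example (not code from the thread, from age, or from any of the participants). It derives child secrets from a single parent secret with HKDF-SHA256 and handles the caveat he raises: the output is uniform random bytes, which is fine as an Ed25519-style secret (any 32 bytes) but has to be rejection-sampled into [1, n-1] for a curve such as secp256r1, varying the salt until a candidate fits. The "child-key-derivation" label, the path strings and the attempt-counter-in-salt convention are assumptions made for this example, not a standard; the only known answer checked is RFC 5869 test case 1.

```python
"""
Added example: HKDF-based child secret derivation with rejection sampling.
Not code from the thread; labels and paths are assumptions for illustration.
"""
import hashlib
import hmac

# Group order of secp256r1 (NIST P-256); a private scalar must lie in [1, n-1].
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_child_secret(parent_secret: bytes, path: str, curve_order=None, max_attempts=256):
    """Deterministically derive a 32-byte child secret for `path`.

    curve_order=None : return the raw HKDF output (usable directly as an
                       Ed25519-style secret, which is any 32 uniform bytes).
    curve_order=n    : resample, by changing the salt, until 1 <= value < n,
                       as needed for secp256r1-style private scalars.
    Returns (secret_bytes, attempts_used).
    """
    for attempt in range(max_attempts):
        # Assumed label. Mixing the attempt counter into the salt makes a
        # rejected candidate yield a fresh, still fully deterministic one.
        salt = b"child-key-derivation/" + attempt.to_bytes(2, "big")
        prk = hkdf_extract(salt, parent_secret)
        candidate = hkdf_expand(prk, path.encode(), 32)
        if curve_order is None:
            return candidate, attempt
        value = int.from_bytes(candidate, "big")
        if 1 <= value < curve_order:
            return candidate, attempt
    # For P-256 a rejection has probability ~2^-32 per attempt, so this is
    # practically unreachable; it exists so a caller can never get a bad scalar.
    raise RuntimeError("no suitable scalar found within max_attempts")


def hkdf_known_answer_ok() -> bool:
    """Self-check of the HKDF code against RFC 5869 test case 1."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(13))              # 0x000102...0c
    info = bytes(range(0xF0, 0xFA))      # 0xf0f1...f9
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    # Constructed demo secret; never derive real keys from a fixed value like this.
    parent = bytes.fromhex("00" * 31 + "01")
    ed_secret, _ = derive_child_secret(parent, "m/ssh/0")
    p256_secret, tries = derive_child_secret(parent, "m/tls/0", curve_order=P256_ORDER)
    print("HKDF known answer ok:", hkdf_known_answer_ok())
    print("ed25519-style child:", ed_secret.hex())
    print("p256 child:", p256_secret.hex(), "attempts:", tries)
```

Note that this scheme, unlike BIP32, offers no public-key-only derivation: every child needs the parent secret, which is exactly the trade-off Neil points out.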

d...@ucore.info

Dec 17, 2020, 1:08:09 PM
to Neil Madden, age-dev
On Wed, Dec 16, 2020 at 11:24 PM Neil Madden <neil.e...@gmail.com> wrote:
BIP32 has the magical property that you can not only derive child key-pairs from a parent secret key, but you can also derive child public keys from knowing only the parent public key. 


Right. I forgot to mention it, but public key derivation allows a lot of neat things, so ideally a solution coming out of this discussion would support it as well.

Regards,
--
Dawid Ciężarkiewicz

Tony Arcieri

Dec 17, 2020, 2:05:08 PM
to d...@ucore.info, Neil Madden, age-dev
On Thu, Dec 17, 2020 at 10:08 AM d...@ucore.info <d...@ucore.info> wrote:
Right. I forgot to mention it, but public key derivation allows a lot of neat things, so ideally a solution coming out of this discussion would support it as well. 

One thing that's worth noting is that BIP32's "non-hardened" derivation uses addition instead of scalar mult. This makes it unsuitable for a key blinding mechanism, as point addition is a reversible operation.

Key blinding seems like potentially the most interesting use case for age. If that sounds interesting, I'd suggest checking out the design of Tor's Ed25519 hidden service keys, which use scalar mult:


(note: I believe the scheme as described in this paper differs from what is actually implemented as it predates the implementation quite a bit)

--
Tony Arcieri
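An added example (not code from the thread, from age, or from any of the participants) of the two BIP32 properties discussed in Neil's and Tony's messages above: a non-hardened child public key can be computed from the parent public key plus chain code alone, and because that step is a scalar addition (child = parent + IL mod n, with IL computable from public data), anyone holding one non-hardened child private key together with the parent public key and chain code recovers the parent private key. It is a minimal BIP32-style derivation over secp256k1 using only the standard library; xprv/xpub serialization is omitted, the point arithmetic is not constant time, and the 16-byte seed is a constructed demo value.

```python
"""
Added example: minimal BIP32-style derivation over secp256k1.
Not code from the thread; demo seed is constructed, arithmetic is illustrative.
"""
import hashlib
import hmac

# secp256k1 domain parameters: field prime, group order, generator.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 1 << 31


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                        # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def compress(point):
    """SEC1 compressed encoding, as BIP32 feeds into HMAC."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def priv_to_pub(priv):
    return scalar_mult(priv, G)


def master_from_seed(seed):
    """BIP32 master key: I = HMAC-SHA512("Bitcoin seed", seed); (IL, IR) = (key, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def _split(chain_code, data):
    i = hmac.new(chain_code, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N:
        raise ValueError("IL >= n: BIP32 says skip this index")
    return il, i[32:]


def ckd_priv(parent_priv, chain_code, index):
    """Child private key; index >= 2^31 is hardened and mixes in the parent private key."""
    if index >= HARDENED:
        data = b"\x00" + parent_priv.to_bytes(32, "big") + index.to_bytes(4, "big")
    else:
        data = compress(priv_to_pub(parent_priv)) + index.to_bytes(4, "big")
    il, child_cc = _split(chain_code, data)
    child_priv = (il + parent_priv) % N
    if child_priv == 0:
        raise ValueError("child key is zero: BIP32 says skip this index")
    return child_priv, child_cc


def ckd_pub(parent_pub, chain_code, index):
    """Child public key from the parent PUBLIC key only (non-hardened indices)."""
    if index >= HARDENED:
        raise ValueError("hardened children need the parent private key")
    il, child_cc = _split(chain_code, compress(parent_pub) + index.to_bytes(4, "big"))
    return point_add(scalar_mult(il, G), parent_pub), child_cc


def recover_parent_priv(child_priv, parent_pub, chain_code, index):
    """The flip side of additive derivation: IL depends only on public data,
    so parent = child - IL (mod n). One leaked non-hardened child private key
    plus the parent's public key and chain code gives away the parent key."""
    il, _ = _split(chain_code, compress(parent_pub) + index.to_bytes(4, "big"))
    return (child_priv - il) % N


if __name__ == "__main__":
    seed = bytes(range(16))                # constructed demo seed
    m_priv, m_cc = master_from_seed(seed)
    m_pub = priv_to_pub(m_priv)
    c_priv, _ = ckd_priv(m_priv, m_cc, 0)
    c_pub, _ = ckd_pub(m_pub, m_cc, 0)
    print("pub-only derivation matches:", c_pub == priv_to_pub(c_priv))
    print("parent recovered from child:", recover_parent_priv(c_priv, m_pub, m_cc, 0) == m_priv)
```

The hardened branch of ckd_priv is what BIP32 uses to cut that link: it hashes the parent private key rather than the public key, so ckd_pub cannot follow it and a leaked hardened child reveals nothing about its parent.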

Dawid Ciężarkiewicz

Jan 20, 2021, 2:17:46 AM
to age-dev
Hi,

Did you ever get a chance to jam on it?

Regards,

Tony Arcieri

Jan 20, 2021, 7:19:23 PM
to Dawid Ciężarkiewicz, age-dev
I've been working on a `bip32` crate based on `k256`.

It isn't ready to publish yet (not yet passing the test vectors).



--
Tony Arcieri