Re: [Cfrg] Questions regarding BIP32-Ed25519 (was: Interest in an "Ed25519-HD" standard?)

Dmitry Khovratovich <khovratovich@gmail.com> Tue, 04 April 2017 09:40 UTC

Return-Path: <khovratovich@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6FD1128792 for <cfrg@ietfa.amsl.com>; Tue, 4 Apr 2017 02:40:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hEbxS-oY2U23 for <cfrg@ietfa.amsl.com>; Tue, 4 Apr 2017 02:40:52 -0700 (PDT)
Received: from mail-yb0-x236.google.com (mail-yb0-x236.google.com [IPv6:2607:f8b0:4002:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D499E12955B for <cfrg@irtf.org>; Tue, 4 Apr 2017 02:40:44 -0700 (PDT)
Received: by mail-yb0-x236.google.com with SMTP id i124so51758051ybc.3 for <cfrg@irtf.org>; Tue, 04 Apr 2017 02:40:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=q8v1w5YzoIR/3vLF3fvmxQ6wJVsHxYrp6j8PDc8JTDA=; b=phSU1iqeJAycojAP5NTl8cwML9kcMszuYF8mvT2kxxYkBroDlS/a/Y1nP4OYMCrNCp SPPZK8n7pY33WNxJg32Xa+Lk5jhpZAt2YtOo39b6SYvhgH8ZVSJnt5amrFTplWYU7DvD Ew8i0HU4mFBw2Jo6SdS5Vz/6hvQx07DxbEG2gUs/Urxwh7DDQGjzj1ogL1EXv+Bn6bB9 hcUfKeSXfLQPcfz2HiihzBLznNER2fC7DKXv8jr3ERWbYoIIOFcdF2KXPvKbZfrFnT14 dF/kKw/k7+mOk1+VlKOCLYAArk9hxlRLBtm5Z9VNG3w+09OdR+MTTEVJFDnURFRIakPy opYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=q8v1w5YzoIR/3vLF3fvmxQ6wJVsHxYrp6j8PDc8JTDA=; b=HR6UeIGDmQNZis+WDrWxa1b3RA54YORBhuIytLTo/eReZdM5HT95YGhaMMi4weNY23 ja1l26PccWSchgeN4w7VCOFZgi4392BMSg5BqTqhKgoqxx19EK3heKVnK2IQf0S64qd5 uiu7+FUQLbwIlBwhLlylxjVfBLK8ey0jswh9wiO/34+cdq2BEFi5rP/YPbI2EoYSN4pV Bl1yrZQpsgMdq587nYX8u6QAwxKUGJptzHVQiQ375MSMZGHv5WdpeO6k/UFRQxaDJ+t/ giinxUVs41McEXdWVKKej3ynbPel3gArQvG3901ohtggXIt8HZghS0DZ6ENLYrLxWBv3 fJ8A==
X-Gm-Message-State: AFeK/H00unxZdd22+EAzSLk1utYrs4np63ZoEV8mV8hc6uH1PCZ33jcbhiFSZ8uQ3H2nNfgk8hJ7k9rtH/VWSg==
X-Received: by 10.37.80.208 with SMTP id e199mr12726869ybb.165.1491298843959; Tue, 04 Apr 2017 02:40:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.83.67.5 with HTTP; Tue, 4 Apr 2017 02:40:28 -0700 (PDT)
In-Reply-To: <83CC086B-5B89-41CA-8A20-D7D688DD00AC@gmail.com>
References: <83CC086B-5B89-41CA-8A20-D7D688DD00AC@gmail.com>
From: Dmitry Khovratovich <khovratovich@gmail.com>
Date: Tue, 4 Apr 2017 11:40:28 +0200
Message-ID: <CALW8-7LZGbw2UcRpFVBnX-C5au81zxb-8+o91ROoXQTtRh62kQ@mail.gmail.com>
To: Oleg Andreev <oleganza@gmail.com>
Cc: cfrg@irtf.org
Content-Type: multipart/alternative; boundary=001a113ea146d92ba0054c54113a
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/E9IAFK5Mt6njKucAxkTIb1XpO8A>
Subject: Re: [Cfrg] Questions regarding BIP32-Ed25519 (was: Interest in an "Ed25519-HD" standard?)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2017 09:41:00 -0000

Hi Oleg,

thank you for the questions!

On Fri, Mar 31, 2017 at 8:06 PM, Oleg Andreev <oleganza@gmail.com> wrote:

> Dmitry,
>
> Thanks for your with Jason paper on adopting BIP32 to Ed25519 and critique
> of ChainKD, very appreciated. I have a few questions about it:
>
> 1. Why do you impose requirements on the master secret to yield 3rd high
> bit to be zero, while you can simply set it to zero along with other 5
> bits. In two places you mention that you reject non-compliant master
> secret, but in Security section (F) you say "we set 6 bits", which is what
> seems to be the intention all along.
>

Our idea was to reject as few master secrets as possible, so we decided to
clear only one extra bit, thus rejecting half of master keys. By setting 6
bits I mean that we set three highest and three lowest bits.


>
> 2. You choose 2^20 as a max depth level therefore leaving 2^230 bits for
> the derived key. In your paper you round this down to whole number of bytes
> (28 bytes -> 2^224) while it's actually possible to slightly increase
> collision-resistance by taking 29 bytes instead and clearing top 2 bits.
> Have you considered that, and if yes, is there any issues with that?
>

Apart from clearing one more bit, the idea to take 28 bytes instead of 29
is to cut a 32-bit word, which could simplify some implementations. I agree
it is a minor issue.


>
> 3. What was the rationale for 2^20 as a depth limit? I myself don't have a
> good framework to decide which limit is the best, so I'm wondering if you
> have? :)
>

The use cases we have seen did not require hierarchy deeper than a few
dozen levels. I think 2^20 is a safe bound as long as every new level has
some real-world meaning (extra wallet, extra connection, etc.), and thus it
seems unlikely that this set will be ever exhausted by any user.


>
> 4. You effectively make xprv to be 96-byte string (32 bytes for the
> scalar, 32 bytes for the "prefix" used in nonce generation and 32 byte
> chain code), and use two HMAC calls to derive new chain code separately
> from the privkey. Have you considered expanding the 64-byte privkey (as
> defined by NaCl library) from the scalar itself? In my recent tweak to
> ChainKD scheme [1] I'm doing that and to stay fully compatible with EdDSA
> requirement that prefix originally has 256 bits of entropy, add only one
> secret byte ("pepper") that eats 8 bits from the chain code (which we call
> "salt"). This allows us to keep both xprv and xpub 64 bytes long and avoid
> double-HMAC when deriving public keys - single hash call produces a key
> component and another salt value.
>

We just tried to mimic the original BIP32 key derivation as much as
possible. I am not sure I entirely understands the rationale behind your
manipulation with bytes of private key after you add up the hash output.
Also, could you elaborate on the notions of EdDSA public and private keys,
which seem to complement public and private keys you derive in the scheme?

Best regards,
Dmitry



>
> Thank you!
>
> [1] Updated ChainKD: https://github.com/chain/chain/blob/chainkd-dh/docs/
> protocol/specifications/chainkd.md
>
>
>
> > Being a co-author of [5], I am ready to contribute to such a document. I
> > will present our own proposal at
> > http://prosecco.gforge.inria.fr/ieee-blockchain2016/ in Paris  just
> before
> > the CFRG meeting at the same place next day. It would be great if we come
> > up with some proposal to discuss it already there.
> >
> > The most recent version is
> > https://drive.google.com/open?id=0ByMtMw2hul0EMFJuNnZORDR2NDA It has
> some
> > critique of [6], hopefully not too offensive:)
> >
> > Our motivation in [5] was to generate private keys satisfying the
> > Curve25519 requirements too so that the code can be reused, even if in
> the
> > signature setting some attacks would not apply. But it would be great to
> > have comments from the community as well.
> >
> > Best regards,
> > Dmitry
> >
> > On Wed, Mar 22, 2017 at 5:00 AM, Phillip Hallam-Baker <
> phill@hallambaker.com
> > > wrote:
> >
> > > You can do hierarchical key derivation in Montgomery without the need
> for
> > > an add.
> > >
> > > Say your master key is x. To generate a key for site 'example.com' we
> > > take
> > >
> > > xs = (x + H('example.com')) mod q
> > >
> > > Where q is the sub group order.
> > >
> > > In fact that isn't really using any EC relevant operation at all.
> Perhaps
> > > I am not understanding the full requirements for the scheme.
> > >
> > >
> > > I don't follow the argument about small subgroups in the referenced
> post.
> > > With Curve25519 and Ed25519 we have chosen the curve cofactor and the
> > > generator point. So there is only one group that our point can
> possibly be
> > > in regardless of whether our private key is (x mod q) or (x mod q +
> nq). We
> > > are going to arrive at the same set of points regardless.
> > >
> > >
> > > I do very much prefer the Edwards curves though because we can combine
> two
> > > keypairs by simply adding the corresponding public and private keys.
> That
> > > allows us to do the co-generation trick I showed a while back.
> > >
> > > We can also split the key, give one part to a recryption service and
> > > encrypt the other half under the public key of the recipient. This
> allows
> > > us to support group messaging through proxy re-encryption.
> > >
> > > Some applications of that are encumbered (possibly) under a soon to
> expire
> > > patent.
> > >
> > >
> > >
> > > On Tue, Mar 21, 2017 at 8:34 PM, Phillip Hallam-Baker <
> > > phill@hallambaker.com> wrote:
> > >
> > >> I have just implemented Proxy Re-Encryption under Ed-25519 and Ed448.
> I
> > >> think EdCurve Crypto is a good plan.
> > >>
> > >> Or we could do it on the Montgomery Curves and give the algorithm for
> > >> point addition.
> > >>
> > >> On Tue, Mar 21, 2017 at 3:42 PM, Tony Arcieri <bascule@gmail.com>
> wrote:
> > >>
> > >>> Hierarchical key derivation (also sometimes described as "semiprivate
> > >>> keys" or "key blinding") is an increasingly popular technique for
> > >>> generating unlinkable child keys from master public and private keys.
> > >>>
> > >>> The Tor Project has been exploring such an approach as the basis for
> > >>> their next-generation hidden services design for several years
> now[1],
> > >>> during which time it has received security proofs[2]. Their latest
> > >>> design[3] allegedly includes feedback from Dan Bernstein.
> > >>>
> > >>> Application of hierarchical key derivation is perhaps most notable in
> > >>> the cryptocurrency space, where Bitcoin's BIP32[4] provided a means
> for
> > >>> unlinkable single-use signature keys for the secp256k1 elliptic
> curve.
> > >>> There are several designs for applying the ideas from BIP32 to
> Ed25519,
> > >>> including ones from Evernym[5] and Chain[6] (where I am an employee).
> > >>>
> > >>> The designs in [3], [5], and [6] are all highly similar and
> accomplish
> > >>> the same goals. Personally I would love to see a single standard
> design for
> > >>> producing Ed25519 signatures from hierarchically derived keys,
> notably one
> > >>> which produces signatures that can be verified by any off-the-shelf
> RFC
> > >>> 8032-compatible Ed25519 implementation.
> > >>>
> > >>> There's already been some discussion of this on the moderncrypto.org
> > >>> curves list:
> > >>>
> > >>> https://moderncrypto.org/mail-archive/curves/2017/000858.html
> > >>>
> > >>> I'd be curious to know if anyone else would be interested in
> > >>> collaborating on a draft for such a standard, which can be a
> synthesis of
> > >>> the existing work in this space.
> > >>>
> > >>> [1]: https://lists.torproject.org/pipermail/tor-dev/2012-Sep
> > >>> tember/004026.html
> > >>> [2]: https://www-users.cs.umn.edu/~hopper/basic-proof.pdf
> > >>> [3]: https://gitweb.torproject.org/torspec.git/tree/proposal
> > >>> s/224-rend-spec-ng.txt#n1979
> > >>> [4]: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki
> > >>> [5]: https://github.com/WebOfTrustInfo/rebooting-the-web-of-
> > >>> trust-fall2016/blob/master/topics-and-advance-readings/HDKey
> > >>> s-Ed25519.pdf
> > >>> [6]: https://chain.com/docs/protocol/specifications/chainkd
> > >>>
> > >>> --
> > >>> Tony Arcieri
> > >>>
> > >>> _______________________________________________
> > >>> Cfrg mailing list
> > >>> Cfrg@irtf.org
> > >>> https://www.irtf.org/mailman/listinfo/cfrg
> > >>>
> > >>>
> > >>
> > >
> > > _______________________________________________
> > > Cfrg mailing list
> > > Cfrg@irtf.org
> > > https://www.irtf.org/mailman/listinfo/cfrg
> > >
> > >
> >
> >
> > --
> > Best regards,
> > Dmitry Khovratovich
>



-- 
Best regards,
Dmitry Khovratovich