Re: [Cfrg] Interest in an "Ed25519-HD" standard?

Tony Arcieri <bascule@gmail.com> Thu, 23 March 2017 04:59 UTC

From: Tony Arcieri <bascule@gmail.com>
Date: Wed, 22 Mar 2017 21:59:19 -0700
Message-ID: <CAHOTMVL2e2UjVX6VKgHUbOHrb-gsU8kn_cxY1FdNrnj29cki9g@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/i9MGEeIh-Ii6rZMILwEFyxPI5Uo>

On Wed, Mar 22, 2017 at 6:30 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:

> However, going back to
>
> xs = x + ( MAC('example.com', k)) mod q
>
> You could play some interesting games with this. You could have quasi
> linkability so that the identifiers are unlinkable unless you choose to
> claim them by revealing the difference between two of the keys.
>

In an Ed25519-HD scheme, you can demonstrate two keys are linked by
revealing any public key in the hierarchy that links them together.

Since the scheme is hierarchical, you can e.g. create sets of keys you wish
to demonstrate are linked at any level in the hierarchy that you want
without revealing a master/root public key. Instead you can demonstrate
some set of keys at some level of the hierarchy are linked.

-- 
Tony Arcieri
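
The linkage demonstration described in this message, as an added example that is not part of the original post or of any Ed25519-HD specification. It assumes a simplified BIP32-style public derivation on edwards25519, child = parent + HMAC-SHA512(parent public key, label)·B, and every function name, label and the root scalar is constructed for illustration.

```python
import hashlib, hmac
from functools import reduce

# edwards25519 constants from RFC 8032
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime order of base point B
D = -121665 * pow(121666, -1, P) % P

def point_from_y(y):  # solve x^2 = (y^2 - 1) / (d*y^2 + 1), take the even root
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (P - x if x & 1 else x, y)

B = point_from_y(4 * pow(5, -1, P) % P)

def add(p1, p2):  # complete twisted Edwards addition in affine coordinates
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):  # double-and-add; not constant time, for illustration only
    acc = (0, 1)
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def tweak(parent_pub, label):  # assumption: HMAC-SHA512 keyed with the parent public key
    key = b"".join(c.to_bytes(32, "little") for c in parent_pub)
    return int.from_bytes(hmac.new(key, label, hashlib.sha512).digest(), "little") % L

def child_pub(parent_pub, label):  # needs no secret: parent + tweak*B
    return add(parent_pub, mul(tweak(parent_pub, label), B))

def child_priv(parent_priv, parent_pub, label):  # xs = x + MAC(label) mod q
    return (parent_priv + tweak(parent_pub, label)) % L

def linked(revealed_pub, claims):  # claims: [(leaf_pub, [labels below revealed_pub])]
    return all(reduce(child_pub, path, revealed_pub) == leaf for leaf, path in claims)

def demo():  # constructed keys: root -> acct-a -> {1, 2} and root -> acct-b -> {1}
    root = mul(0x1234567, B)  # constructed root scalar, never shown to the verifier
    a, b = child_pub(root, b"acct-a"), child_pub(root, b"acct-b")
    a1, a2, b1 = child_pub(a, b"1"), child_pub(a, b"2"), child_pub(b, b"1")
    return linked(a, [(a1, [b"1"]), (a2, [b"2"])]), linked(a, [(a1, [b"1"]), (b1, [b"1"])])
```

`demo()` returns `(True, False)`: the revealed `acct-a` public key links its two leaves without exposing the root, and it cannot be used to claim a leaf under `acct-b`. Revealing an intermediate public key links every key derivable beneath it, not only the ones named in the claim.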