Re: [Cfrg] Interest in an "Ed25519-HD" standard?

[Phillip Hallam-Baker <phill@hallambaker.com>]

You can do hierarchical key derivation in Montgomery without the need for
an add.

Say your master key is x. To generate a key for site 'example.com' we take

xs = (x + H('example.com')) mod q

Where q is the sub group order.

In fact that isn't really using any EC relevant operation at all. Perhaps I
am not understanding the full requirements for the scheme.


I don't follow the argument about small subgroups in the referenced post.
With Curve25519 and Ed25519 we have chosen the curve cofactor and the
generator point. So there is only one group that our point can possibly be
in regardless of whether our private key is (x mod q) or (x mod q + nq). We
are going to arrive at the same set of points regardless.


I do very much prefer the Edwards curves though because we can combine two
keypairs by simply adding the corresponding public and private keys. That
allows us to do the co-generation trick I showed a while back.

We can also split the key, give one part to a recryption service and
encrypt the other half under the public key of the recipient. This allows
us to support group messaging through proxy re-encryption.

Some applications of that are encumbered (possibly) under a soon to expire
patent.



On Tue, Mar 21, 2017 at 8:34 PM, Phillip Hallam-Baker <phill@hallambaker.com
> wrote:

> I have just implemented Proxy Re-Encryption under Ed-25519 and Ed448. I
> think EdCurve Crypto is a good plan.
>
> Or we could do it on the Montgomery Curves and give the algorithm for
> point addition.
>
> On Tue, Mar 21, 2017 at 3:42 PM, Tony Arcieri <bascule@gmail.com> wrote:
>
>> Hierarchical key derivation (also sometimes described as "semiprivate
>> keys" or "key blinding") is an increasingly popular technique for
>> generating unlinkable child keys from master public and private keys.
>>
>> The Tor Project has been exploring such an approach as the basis for
>> their next-generation hidden services design for several years now[1],
>> during which time it has received security proofs[2]. Their latest
>> design[3] allegedly includes feedback from Dan Bernstein.
>>
>> Application of hierarchical key derivation is perhaps most notable in the
>> cryptocurrency space, where Bitcoin's BIP32[4] provided a means for
>> unlinkable single-use signature keys for the secp256k1 elliptic curve.
>> There are several designs for applying the ideas from BIP32 to Ed25519,
>> including ones from Evernym[5] and Chain[6] (where I am an employee).
>>
>> The designs in [3], [5], and [6] are all highly similar and accomplish
>> the same goals. Personally I would love to see a single standard design for
>> producing Ed25519 signatures from hierarchically derived keys, notably one
>> which produces signatures that can be verified by any off-the-shelf RFC
>> 8032-compatible Ed25519 implementation.
>>
>> There's already been some discussion of this on the moderncrypto.org
>> curves list:
>>
>> https://moderncrypto.org/mail-archive/curves/2017/000858.html
>>
>> I'd be curious to know if anyone else would be interested in
>> collaborating on a draft for such a standard, which can be a synthesis of
>> the existing work in this space.
>>
>> [1]: https://lists.torproject.org/pipermail/tor-dev/2012-Sep
>> tember/004026.html
>> [2]: https://www-users.cs.umn.edu/~hopper/basic-proof.pdf
>> [3]: https://gitweb.torproject.org/torspec.git/tree/
>> proposals/224-rend-spec-ng.txt#n1979
>> [4]: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki
>> [5]: https://github.com/WebOfTrustInfo/rebooting-the-web-of-
>> trust-fall2016/blob/master/topics-and-advance-readings/HDKeys-Ed25519.pdf
>> [6]: https://chain.com/docs/protocol/specifications/chainkd
>>
>> --
>> Tony Arcieri
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>