Re: [Cfrg] Interest in an "Ed25519-HD" standard?
Tony Arcieri <bascule@gmail.com> Wed, 22 March 2017 20:47 UTC
In-Reply-To: <CAMm+LwggT_AVv=KjzM1r=6UnkeK+g8zkticXFBDQ0cUXs_PP0A@mail.gmail.com>
References: <CAHOTMVKHA-yJR1oCyPtUp4-aJVc3dTdyxQHNo4xqnJt0hU6jVQ@mail.gmail.com> <CAMm+Lwgm8XzTBarZ1eFePTZGORorBJAeF7brDkhWGQKQVT0LPQ@mail.gmail.com> <CAMm+LwggT_AVv=KjzM1r=6UnkeK+g8zkticXFBDQ0cUXs_PP0A@mail.gmail.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Wed, 22 Mar 2017 13:47:33 -0700
Message-ID: <CAHOTMVLHPFyi2VWpv85hrZ1MoXqeHYUv52wkMxjj3xp5B4V1cw@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vUVh-QXVozNrEgWzd6XeZTqrTBY>
On Tue, Mar 21, 2017 at 9:00 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:

> You can do hierarchical key derivation in Montgomery without the need for
> an add.
>
> Say your master key is x. To generate a key for site 'example.com' we take
>
> xs = (x + H('example.com')) mod q
>
> Where q is the sub group order.
>
> In fact that isn't really using any EC relevant operation at all. Perhaps
> I am not understanding the full requirements for the scheme.

One of the goals of the scheme is unlinkability: given a set of candidate keys, some of which are children of the same parent key, and others randomly generated, an attacker should not be able to do better than chance in determining which keys in the candidate set have the same parents.

For example, Tor hidden services will be identified by constantly rotating "epoch keys". To find the "epoch key" for a given hidden service, a user in possession of the parent public key derives a child key offline from the parent key. However, it'd be undesirable for someone not in possession of the parent key to be able to link the child epoch keys together and enumerate hidden services without knowledge of their parent public keys.

In your scheme, given z=H("example.com"), and a parent key xG, the derived child key would be (x+z)G. To recover the original parent public key, you can simply subtract out zG and recover xG. To prevent this from happening we need to use an operation which is not easily reversible, hence multiplication.

-- 
Tony Arcieri
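The recovery step described in the reply above, worked through on real Ed25519 group arithmetic, as an added example that is not part of the thread and not code from either participant. It uses the standard Ed25519 constants (p, d, the subgroup order q and the base point G) and a slow but readable affine implementation of point addition; the tweak function `tweak()`, the label strings and the master scalars are constructed for the demonstration. With additive derivation, child = (x+z)G = xG + zG, so anyone who can compute z subtracts zG and gets the parent xG back, and several children of the same parent all collapse to the same recovered point, which is exactly the linkability the reply objects to. Multiplicative derivation is included for contrast; the example also shows the caveat a practitioner would want: multiplying by a z that an observer can compute is invertible too (z has an inverse modulo q), so in either scheme the unlinkability rests on the observer not being able to compute the tweak, which is why deployed designs bind z to the parent public key rather than to a public label alone.

```python
import hashlib

# Ed25519: twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p).
P = 2**255 - 19
D = 37095705934669439343138083508754565189542113879843219016388785533085940283555
Q = 7237005577332262213973186563042994240857116359379907606001950938285454250989  # order of <G>
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
IDENTITY = (0, 1)


def inv(a):
    """Modular inverse in GF(p) via Fermat."""
    return pow(a % P, P - 2, P)


def on_curve(pt):
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def add(p1, p2):
    """Affine twisted-Edwards addition with a = -1 (complete formula)."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * inv(1 + t) % P
    y3 = (y1 * y2 + x1 * x2) * inv(1 - t) % P
    return (x3, y3)


def neg(pt):
    """-(x, y) = (-x, y) on an Edwards curve."""
    return ((-pt[0]) % P, pt[1])


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant time; demo only)."""
    acc, base = IDENTITY, pt
    while k:
        if k & 1:
            acc = add(acc, base)
        base = add(base, base)
        k >>= 1
    return acc


def tweak(label):
    """Constructed tweak z = H(label) mod q, mirroring H('example.com') in the thread."""
    return int.from_bytes(hashlib.sha512(label).digest(), "little") % Q


def derive_additive(x, label):
    """Child public key (x + z)G from master scalar x (scheme quoted in the thread)."""
    return mul((x + tweak(label)) % Q, G)


def recover_parent_additive(child_pub, label):
    """(x+z)G - zG = xG: anyone who knows the label recovers the parent key."""
    return add(child_pub, neg(mul(tweak(label), G)))


def linkable_additive(children):
    """True if every (child_pub, label) pair collapses to the same parent key."""
    return len({recover_parent_additive(c, lbl) for c, lbl in children}) == 1


def derive_multiplicative(x, label):
    """Child public key (x * z)G, the alternative the reply argues for."""
    return mul(x * tweak(label) % Q, G)


def recover_parent_multiplicative(child_pub, label):
    """Caveat: z^-1 mod q exists, so a computable z makes this reversible as well."""
    z_inv = pow(tweak(label), Q - 2, Q)
    return mul(z_inv, child_pub)


if __name__ == "__main__":
    x = 0x1E6B5C7A9D3F2081  # constructed master scalar; any value in [1, q) works
    parent = mul(x, G)
    c1 = derive_additive(x, b"example.com")
    c2 = derive_additive(x, b"example.org")
    print("additive children link to one parent:",
          linkable_additive([(c1, b"example.com"), (c2, b"example.org")]))
    print("recovered parent matches:", recover_parent_additive(c1, b"example.com") == parent)
```

The `linkable_additive()` check is the observer's side of the argument: feed it children from different parents and the recovered points differ, feed it children of one parent and they coincide, so a public label-derived z gives no unlinkability at all.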