Re: [Cfrg] Interest in an "Ed25519-HD" standard?

Tony Arcieri <bascule@gmail.com> Wed, 22 March 2017 21:46 UTC

To: Nadim Kobeissi <nadim@nadim.computer>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vjHvsoSJjAmu0PZo9eHTDnV684o>

On Wed, Mar 22, 2017 at 2:40 PM, Nadim Kobeissi <nadim@nadim.computer>
wrote:

> From a potentially naïve reading of this thread, it sounds like the HKDF
> construction (the one proposed by Hugo Krawczyk and used by Signal and TLS
> 1.3, among others) satisfies all of the properties requested by
> “hierarchical key derivation” systems. Is this right or am I missing
> something?


HKDF is a symmetric construction. This scheme provides hierarchical /
blinded keys for the Ed25519 digital signature algorithm.

Someone holding the master public key for e.g. a Tor hidden service should
be able to calculate the child public keys for each epoch from the parent
public key, but should not be able to produce digital signatures under any
key (because they do not know any of the associated scalar values).

-- 
Tony Arcieri
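
The property described in the message above, as an added example (not code from this post or from any Ed25519-HD proposal): a simplified multiplicative key blinding over the Ed25519 group, where the blinding factor is hashed from public data only, so the child public key can be derived without the parent scalar. The `example-blind` label, the epoch encoding and the unclamped scalars are assumptions made for illustration, and the arithmetic is not constant time.

```python
import hashlib

P = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point
D = -121665 * pow(121666, -1, P) % P                  # curve constant d

def add(p1, p2):
    """Affine addition on -x^2 + y^2 = 1 + d*x^2*y^2 (complete formulas)."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = (0, 1)                       # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def base_point():
    """Recover the Ed25519 base point from y = 4/5, choosing the even x."""
    y = 4 * pow(5, -1, P) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if x * x % P != x2:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (x if x % 2 == 0 else P - x, y)

B = base_point()

def encode(pt):
    """32-byte point encoding: little-endian y with the low bit of x on top."""
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def blind_factor(parent_pub, epoch):
    """Assumed derivation: h is a hash of public data only."""
    data = b"example-blind" + encode(parent_pub) + epoch.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % L

def child_public(parent_pub, epoch):
    """A' = h*A: computable by anyone who holds the parent public key."""
    return mul(blind_factor(parent_pub, epoch), parent_pub)

def child_secret(parent_scalar, parent_pub, epoch):
    """a' = h*a mod L: requires the parent scalar, so only the key holder signs."""
    return blind_factor(parent_pub, epoch) * parent_scalar % L
```

Both derivations land on the same key pair because (h·a)·B = h·(a·B); a holder of only A can compute h and A' but never learns a or a'.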