Skip to content

w3f/hd-ed25519

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Hierachical key derivation on ed255190-dalek

Almost all hierachical key derivation schemes for ed25519 have vulnerabilities due to the "bit clamping" used in ed25519. Instead of hierachical key derivation on ed255190, we recommend using either a curve of cofactor 1 like secp256k1 or else a cofactor avoiding representation of Ed25519 like ristretto instead. That said..

BIP32-Ed25519 avoids the clamping by deriving new keys using only 224 bit scalars. There are straightforward full key recovery attack if one permits long key derivation paths along with either clamping by an Ed25519 library or does addition mod another besides 8*l. Addition implementaitons are normally either mod l or mod 256.

In this crate, we implement addition mod 8*l of numbers congruent to 0 mod 8 using the method indicated by Mike Hamburg in https://moderncrypto.org/mail-archive/curves/2017/000869.html

We divide the secret scalars by the cofactor 8 as integers, add them mod l, and multiply them by 8 again as integers. We observe that this will not yield scalars whose high bit set to 1, and thus is not compatable with most Ed25519 libraries.
It works with ed25519-dalek because the underlying implementation is constant-time and set the high bit when creating expanded secrety keys.

An alternative appraopch is detailed in https://moderncrypto.org/mail-archive/curves/2017/000866.html and https://github.com/hdevalence/curve25519-dalek/commit/2ae0bdb6df26a74ef46d4332b635c9f6290126c7

About

Hierarchical derivations on Ed25519

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages