Re: Post-quantum secure hierarchical deterministic key derivation

From: Jeff Burdges
Subject: Re: Post-quantum secure hierarchical deterministic key derivation
Date: Wed, 23 Dec 2020 09:25:32 +0100

> On 23 Dec 2020, at 05:00, Martin Schanzenbach <> wrote:
> thanks for the input!
> I am pretty much out of my depth but what I stumbled over is in section
> 1.2 where the authors say that they specifically solve the problem for
> hot/cold wallets where the problem is that you need to be able to
> rerandomize a new sk''/pk'' from a previously generated sk'/pk' which
> at some point in the past was derived from the now "cold" master sk/pk.

I read 1.2 as saying they’re doing the usual Schnorr thing, but the word 
rerandomize seemingly explains their confusion.  I’ve not looked into this part 

> This property is actually (currently) not really important for GNS as
> we do not need to rerandomize keys and we do not have "cold" keys.
> (Although this feature would be good to have I guess).

These soft derivations never address key compromise because sk_rho = H(rho) sk, 
but here one worried that publishing many pk_rho and using many sk_rho reveals 
information about sk somehow.  I’ve largely forgotten GNS but I think an 
adversarial zone would try many of their own public keys until they found one 
that deformed your public key in a way they could expect to reveal more.

I think linkability is a concern for Tor, maybe not GNS not sure.  Also enough 
blockchain folk believe in unlinkability that being linkable arguably makes 
things worse, not sure really though.  I’d expect linkability to be harder.
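A worked illustration of the soft derivation discussed in this reply, sk_rho = H(rho)·sk, added here as an example; it is not code from the thread, from GNS, or from the paper under discussion. It assumes a constructed toy Schnorr group and constructed labels, walks the cold master sk -> hot sk' -> sk'' chain from the quoted section 1.2 on both the secret and the public side, checks the linkability that anyone holding pk and rho gets, and shows why a leaked soft child recovers its parent, which is the compromise point made above.

```python
import hashlib

# Constructed toy Schnorr group (an assumption, not from the thread): p = 2q + 1
# with p = 1019 and q = 509 both prime, and g = 4 generating the order-q subgroup.
# Sized for illustration only; a real deployment uses a standard curve or group.
P = 1019
Q = 509
G = 4


def hash_to_scalar(rho: bytes) -> int:
    """The H(rho) of the thread: map a public label into [1, Q-1]."""
    digest = hashlib.sha256(rho).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def soft_derive_sk(sk: int, rho: bytes) -> int:
    """Secret side of soft derivation: sk_rho = H(rho) * sk mod Q."""
    return (hash_to_scalar(rho) * sk) % Q


def soft_derive_pk(pk: int, rho: bytes) -> int:
    """Public side: pk_rho = pk^H(rho) = g^(H(rho) * sk); needs no secret."""
    return pow(pk, hash_to_scalar(rho), P)


def is_derived_from(pk: int, pk_rho: int, rho: bytes) -> bool:
    """Linkability: anyone holding pk and rho can test whether pk_rho is its child."""
    return soft_derive_pk(pk, rho) == pk_rho


def recover_parent_sk(sk_rho: int, rho: bytes) -> int:
    """Why soft derivation cannot contain compromise: H(rho) is public and
    invertible mod Q, so one leaked child plus its label yields the parent.
    (pow(x, -1, Q) needs Python 3.8 or newer.)"""
    return (sk_rho * pow(hash_to_scalar(rho), -1, Q)) % Q


def hot_cold_walkthrough(master_sk: int = 7) -> dict:
    """Cold master sk -> hot child sk' -> grandchild sk'' as in the quoted
    section 1.2, with the public chain computed from the master pk alone."""
    rho1, rho2 = b"zone:hot-wallet", b"zone:hot-wallet/key-0"  # constructed labels
    master_pk = pow(G, master_sk, P)
    sk1 = soft_derive_sk(master_sk, rho1)      # sk'  (held by the hot wallet)
    sk2 = soft_derive_sk(sk1, rho2)            # sk'' (derived without the cold key)
    pk1 = soft_derive_pk(master_pk, rho1)      # pk'  (from master pk only)
    pk2 = soft_derive_pk(pk1, rho2)            # pk'' (from pk' only)
    return {
        "public_chain_matches": pow(G, sk2, P) == pk2,
        "grandchild_linkable_to_parent": is_derived_from(pk1, pk2, rho2),
        "master_recovered_from_leaked_grandchild":
            recover_parent_sk(recover_parent_sk(sk2, rho2), rho1) == master_sk,
    }
```

The last entry of the returned dict is the whole point of the reply: with soft derivation, a leak of sk'' together with its public labels walks straight back to the cold master key, so soft derivation buys public derivability and linkability, not compromise containment.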
