Re: Post-quantum secure hierarchical deterministic key derivation

From: Jeff Burdges
Subject: Re: Post-quantum secure hierarchical deterministic key derivation
Date: Wed, 23 Dec 2020 14:20:39 +0100

> On 23 Dec 2020, at 12:30, Martin Schanzenbach <> wrote:
>> You only need the commutative diagram of compatible public and
>> private derivation paths if you give someone else the power to derive
>> your new public key for you, and then you later derive its secret
>> key.  This means the randomness cannot be trusted, well unless you
>> use fancy zk proofs like MuSig-DN does.
> But they do. See also 4.3 last paragraph for more details on how a
> counter could be used for hot wallets.

There are no known nice lattice-based VRFs, much less “verifiably produce a 
secret scalar” like what MuSig-DN does.  All elliptic curve protocols like 
MuSig-DN need general purpose NIZKs with thousands of constraints, so all 
require pairing-based SNARK with a trusted setup, or very large proofs 

I have not looked closely at 4.2 but it seemingly talks about the usual lattice 
based distribution issues.  This is not remotely the same problem.  The 
adversary can sample according to any rules they like but do so repeatedly 
until they find something they like.

As I said, they assume honest randomness, but soft key derivations have no 
honest randomness.


Attachment: signature.asc
Description: Message signed with OpenPGP
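The "commutative diagram of compatible public and private derivation paths" the thread refers to is easiest to see in the elliptic-curve setting it is contrasting with lattices against. The following is an added example, not code from the thread or from any of the projects mentioned: a pure-Python, BIP32-style soft derivation on secp256k1. It uses a simplified tweak (SHA-256 over the parent public key and a child index; real BIP32 uses HMAC-SHA512 with a chain code, so the constants and wire format here are not BIP32-compatible). The point it demonstrates is that the tweak is a function of public data only, so a party holding just the public key derives exactly the child public key whose secret the owner later derives, and therefore nobody in this derivation contributes honest randomness: whoever chooses the index chooses the tweak and can re-choose it as often as they like. The key and indices are constructed sample values.

```python
import hashlib

# secp256k1 domain parameters (standard public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Points are (x, y) tuples; None is the point at infinity.


def on_curve(pt):
    """Check y^2 == x^3 + 7 (mod P); the point at infinity counts as on-curve."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def ec_add(p1, p2):
    """Affine point addition with the usual doubling / inverse special cases."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1
            return None
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced modulo the group order."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point_bytes(pt):
    """Compressed SEC1 encoding of an affine point."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def tweak(parent_pk, index):
    """Simplified soft-derivation tweak (assumption: SHA-256, not BIP32's HMAC-SHA512).

    Note that every input is public: the parent public key and an index chosen
    by whoever performs the derivation. Nothing here is honest randomness.
    """
    h = hashlib.sha256(point_bytes(parent_pk) + index.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % N


def derive_secret(parent_sk, index):
    """Private path: child_sk = parent_sk + t (mod N), with t computed from the public key."""
    parent_pk = ec_mul(parent_sk, G)
    return (parent_sk + tweak(parent_pk, index)) % N


def derive_public(parent_pk, index):
    """Public path: child_pk = parent_pk + t*G. Needs no secret at all."""
    return ec_add(parent_pk, ec_mul(tweak(parent_pk, index), G))


def commutes(parent_sk, index):
    """The diagram commutes iff pub(derive_secret(sk)) == derive_public(pub(sk))."""
    child_from_secret = ec_mul(derive_secret(parent_sk, index), G)
    child_from_public = derive_public(ec_mul(parent_sk, G), index)
    return child_from_secret == child_from_public


if __name__ == "__main__":
    sample_sk = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed
    sample_pk = ec_mul(sample_sk, G)
    for idx in (0, 1, 2**31 - 1):
        # A third party holding only sample_pk computes the same child key the
        # owner reaches via the secret path; the tweak is theirs to pick and re-pick.
        print(idx, commutes(sample_sk, idx), point_bytes(derive_public(sample_pk, idx)).hex())
```

The `tweak` function is the whole story: because its inputs are public, the public and private paths agree for every index, which is exactly the property that requires a "verifiably produce a secret scalar" style argument once you want the deriving party to be unable to grind the result, and which has no known lattice-based analogue.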