[curves] ECC with semiprivate keys

Tony Arcieri bascule at gmail.com
Thu Feb 13 14:18:34 PST 2014


I've been curious about semiprivate keys for a while. The concept is a bit
hard to describe, so I'll refer to section 6.1 of the Tahoe paper (as I
believe they were originally Zooko's idea):

http://eprint.iacr.org/2012/524.pdf

Here's a description by Hal Finney:

https://tahoe-lafs.org/pipermail/tahoe-dev/2009-July/002371.html

At the heart of this concept is a key derivation mechanism which has the
following roles:

- Private: Master ECC private scalar -> Semiprivate ECC curve point
- Semiprivate: Semiprivate ECC curve point -> [ECC public point, symmetric
secret]
- Public: ECC public point

Here's a writeup I did for the purposes of an Ed25519-based digital
signature system with semiprivate keys where either the holder of the
private key or the semiprivate key can also derive a symmetric key:

https://gist.github.com/tarcieri/4760215

The goal of this is to replace the typical symmetric MACing mechanism with
one that gives the holders of various keys different capabilities:

- Verifier: Holds only the Public key. Can authenticate ciphertexts via
  digital signature, but can't decrypt them
- Reader: Holds the Semiprivate key. Can both authenticate and decrypt
  ciphertexts, but can't sign new ones
- Writer: Holds the Private key. Can authenticate and decrypt ciphertexts in
  addition to signing new ones.

Of course this is possible if you just use a separate symmetric key and a
digital signature key, but the nice thing about semiprivate keys is it
allows you to derive both digital signature keys and symmetric encryption
keys from a single 256-bit seed.

-- 
Tony Arcieri
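
Added example, not part of the original message or the linked gist: one possible instantiation of the private -> semiprivate -> [public, symmetric] derivation on the Ed25519 curve, using plain Python integer arithmetic. The hash-to-scalar step, the labels "master", "tweak" and "sym", and the function names are assumptions made for illustration.

```python
import hashlib

# Ed25519 curve parameters (RFC 8032): -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p)
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
d = -121665 * pow(121666, -1, p) % p

def recover_x(y):
    # Even x-coordinate for a given y, as in the Ed25519 reference code
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return p - x if x & 1 else x

By = 4 * pow(5, -1, p) % p
B = (recover_x(By), By)

def add(P, Q):
    # Complete twisted-Edwards addition law (also handles doubling and identity)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def mul(k, P):
    R = (0, 1)  # identity point
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def encode(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def h_scalar(label, data):
    # Assumed hash-to-scalar: SHA-512 output reduced mod L
    return int.from_bytes(hashlib.sha512(label + data).digest(), "little") % L

def writer_keys(seed):
    # Private: master scalar x -> semiprivate point S = x*B
    x = h_scalar(b"master", seed)
    S = mul(x, B)
    y = h_scalar(b"tweak", encode(S))
    return x * y % L, S  # (effective signing scalar, semiprivate point)

def reader_keys(S):
    # Semiprivate: S -> [public point y*S, symmetric secret]
    y = h_scalar(b"tweak", encode(S))
    return mul(y, S), hashlib.sha256(b"sym" + encode(S)).digest()
```

The writer's signing scalar x*y matches the public point y*S that the reader derives, while the reader never learns x and the verifier, holding only the public point, cannot compute the symmetric secret.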