[curves] ECC with semiprivate keys

Tony Arcieri bascule at gmail.com
Thu Feb 13 14:18:34 PST 2014

I've been curious about semiprivate keys for a while. The concept is a bit
hard to describe, so I'll refer to section 6.1 of the Tahoe paper (as I
believe they were originally Zooko's idea):


Here's a description by Hal Finney:


At the heart of this concept is a key derivation mechanism which has the
following roles:

- Private: Master ECC private scalar -> Semiprivate ECC curve point
- Semiprivate: Semiprivate ECC curve point -> [ECC public point, symmetric
- Public: ECC public point

Here's a writeup I did for the purposes of an Ed25519-based digital
signature system with semiprivate keys where either the holder of the
private key or the semiprivate key can also derive a symmetric key:


The goal of this is to replace the typical symmetric MACing mechanism with
one that gives the holders of various keys different capabilities:

Verifier: Holds only the Public key. Can authenticate ciphertexts via
digital signature, but can't decrypt them
Reader: Holds the Semiprivate key. Can both authenticate and decrypt
ciphertexts, but can't sign new ones
Writer: Holds the Private key. Can authenticate and decrypt ciphertexts in
addition to signing new ones.

Of course this is possible if you just use a separate symmetric key and a
digital signature key, but the nice thing about semiprivate keys is it
allows you to derive both digital signature keys and symmetric encryption
keys from a single 256-bit seed.

Tony Arcieri
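
The derivation chain listed above (private scalar -> semiprivate point -> public point and symmetric key), as an added example that is not from the original post or its linked write-ups. It assumes the public point is computed as y*S with y = H(S) over the Ed25519 group; the hash choices, the `tweak` and `enc` labels and all function names are assumptions of this sketch.

```python
import hashlib

# Ed25519 group (RFC 8032). Affine, variable-time arithmetic: illustration only.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of base point B
D = -121665 * pow(121666, P - 2, P) % P

def _recover_x(y):  # even x satisfying -x^2 + y^2 = 1 + D*x^2*y^2
    xx = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return P - x if x % 2 else x

BY = 4 * pow(5, P - 2, P) % P
B = (_recover_x(BY), BY)

def add(p1, p2):
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return (x3, y3)

def mul(k, pt):
    acc = (0, 1)  # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def encode(pt):  # 32-byte little-endian y with the sign of x in the top bit
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def tweak(S):  # y = H(S); hash and "tweak" label are assumptions of this example
    return int.from_bytes(hashlib.sha512(b"tweak" + encode(S)).digest(), "little") % L

def semiprivate_from_private(x):  # Writer: private scalar -> semiprivate point
    return mul(x % L, B)

def public_from_semiprivate(S):  # Reader or Writer: public point = y * S
    return mul(tweak(S), S)

def symmetric_from_semiprivate(S):  # Reader or Writer; "enc" label is assumed
    return hashlib.sha256(b"enc" + encode(S)).digest()

def signing_scalar(x):  # Writer only: x*y mod L, discrete log of the public point
    return x * tweak(semiprivate_from_private(x)) % L
```

The Reader reaches the public point and the symmetric key from S alone, while computing `signing_scalar` requires the private scalar x.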