[curves] Ed25519 "clamping" and its effect on hierarchical key derivation

Tony Arcieri bascule at gmail.com
Thu Mar 9 10:54:49 PST 2017


Thanks for the insights Gregory and Mike!

That said, I'd be curious what you think about a paper describing an
adaptation of BIP32 to Ed25519 I've recently been pointed at (shortly after
posting this thread):

https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2016/blob/master/topics-and-advance-readings/HDKeys-Ed25519.pdf

They perform the typical clamping procedure on the root scalar, but also
ensure that the *third* highest bit is zero.

When deriving a child key, they use only the first 28 bytes / 224 bits of
the hash as the child scalar.

According to the rationale in section 4.6, this ensures the same clamping
invariants discussed earlier in this thread apply to child keys.
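The clamping arithmetic described above, as an added example that is not part of the original post or of the cited paper's code. It checks the invariants a clamped Ed25519 scalar must satisfy, shows why clearing bit 253 of the root buys headroom for the additions, and derives child scalars from 224-bit tweaks. The factor of 8 applied to the 224-bit value is taken from the cited paper rather than from this e-mail; `child_tweak` is a constructed stand-in for the paper's keyed-hash step, and the seed and chain code are constructed test values.

```python
import hashlib


def clamp_root(hash32: bytes, clear_bit_253: bool = True) -> int:
    """Clamp a 32-byte hash into a root scalar (little-endian).

    Standard Ed25519 clamping: clear bits 0..2 (scalar becomes a multiple of 8,
    which kills the cofactor), clear bit 255, set bit 254.  The hierarchical
    scheme additionally clears bit 253, so the root lies in
    [2^254, 2^254 + 2^253) and later additions have room before bit 255.
    """
    k = bytearray(hash32)
    k[0] &= 0b11111000
    k[31] &= 0b01111111
    k[31] |= 0b01000000
    if clear_bit_253:
        k[31] &= 0b11011111
    return int.from_bytes(k, "little")


def root_from_seed(seed: bytes) -> int:
    # Root scalar from the first half of SHA-512(seed), then clamped as above.
    return clamp_root(hashlib.sha512(seed).digest()[:32])


def is_clamped(s: int) -> bool:
    """Clamping invariants: s % 8 == 0 and 2^254 <= s < 2^255 (bit 254 set, bit 255 clear)."""
    return s % 8 == 0 and (s >> 254) == 1


def child_tweak(chain_code: bytes, index: int) -> bytes:
    # Constructed stand-in for the paper's keyed hash of (parent data, index);
    # only the 64-byte output width matters for this demonstration.
    return hashlib.sha512(chain_code + index.to_bytes(4, "little")).digest()


def derive_child(parent_scalar: int, z: bytes) -> int:
    """Child scalar from the first 28 bytes (224 bits) of the tweak.

    Multiplying by 8 keeps the three low bits zero; the 224-bit width keeps the
    sum far below 2^255, so bit 254 stays set and bit 255 stays clear.
    """
    z_l = int.from_bytes(z[:28], "little")
    return 8 * z_l + parent_scalar


def derive_child_naive(parent_scalar: int, z: bytes) -> int:
    # What the 28-byte restriction avoids: a full 256-bit tweak can disturb any bit.
    return parent_scalar + int.from_bytes(z[:32], "little")


def max_safe_depth() -> int:
    """Number of consecutive derivations that provably keep the invariants.

    Worst-case root (bit 253 cleared): 2^254 + 2^253 - 8.
    Worst-case increment per step: 8 * (2^224 - 1).
    """
    root_max = 2**254 + 2**253 - 8
    step_max = 8 * (2**224 - 1)
    headroom = 2**255 - 1 - root_max
    return headroom // step_max


def derive_chain(seed: bytes, chain_code: bytes, depth: int) -> list:
    """Root followed by `depth` successive child scalars (constructed path 0/1/2/...)."""
    scalars = [root_from_seed(seed)]
    for i in range(depth):
        scalars.append(derive_child(scalars[-1], child_tweak(chain_code, i)))
    return scalars


if __name__ == "__main__":
    chain = derive_chain(b"constructed seed", b"constructed chain code", 5)
    print("all clamped:", all(is_clamped(s) for s in chain))
    print("derivations that provably keep bit 255 clear:", max_safe_depth())
    # Without clearing bit 253, a root of 2^255 - 8 overflows on the first child.
    tight = clamp_root(b"\xff" * 32, clear_bit_253=False)
    print("no bit-253 clearing, worst case child clamped:",
          is_clamped(derive_child(tight, b"\x01" + b"\x00" * 63)))
```

The bound from `max_safe_depth` is the reason the extra cleared bit matters: with bit 253 cleared the worst-case root leaves about 2^253 of headroom, and each 224-bit step consumes less than 2^227 of it, so 2^26 levels are safe by construction; without that bit the worst-case root sits 8 below 2^255 and a single derivation can set bit 255.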