<div dir="ltr"><div>I've been curious about semiprivate keys for awhile. The concept is a bit hard to describe, so I'll refer to section 6.1 of the Tahoe paper (as I believe they were originally Zooko's idea):</div>
<div><br></div><div><a href="http://eprint.iacr.org/2012/524.pdf" target="_blank">http://eprint.iacr.org/2012/524.pdf</a><br></div><div><br></div><div>Here's a description by Hal Finney:</div><div><br></div><div><a href="https://tahoe-lafs.org/pipermail/tahoe-dev/2009-July/002371.html" target="_blank">https://tahoe-lafs.org/pipermail/tahoe-dev/2009-July/002371.html</a><br>
</div><div><br></div><div>At the heart of this concept is a key derivation mechanism which has the following roles:</div><div><br></div><div>- Private: Master ECC private scalar -> Semiprivate ECC curve point</div><div>
- Semiprivate: Semiprivate ECC curve point -> [ECC public point, symmetric secret]</div><div>- Public: ECC public point</div><div><br></div><div>Here's a writeup I did for the purposes of an Ed25519-based digital signature system with semiprivate keys where either the holder of the private key or the semiprivate key can also derive a symmetric key:</div>
<div><br></div><div><a href="https://gist.github.com/tarcieri/4760215">https://gist.github.com/tarcieri/4760215</a><br></div><div><br></div><div>The goal of this is to replace the typical symmetric MACing mechanism with one that gives the holders of various keys different capabilities:</div>
<div><br></div><div>Verifier: Holds only the Public key. Can authenticate ciphertexts via digital signature, but can't decrypt them</div><div>Reader: Holds the Semiprivate key. Can both authenticate and decrypt ciphertexts, but can't sign new ones</div>
<div>Writer: Holds the Private key. Can authenticate and decrypt ciphertexts in addition to signing new ones.</div><div><br></div><div>Of course this is possible if you just use a separate symmetric key and a digital signature key, but the nice thing about semiprivate keys is it allows you to derive both digital signature keys and symmetric encryption keys from a single 256-bit seed.</div>
<div><br></div>-- <br>Tony Arcieri<br>
</div>