<div dir="ltr"><div class="gmail_extra"><div class="gmail_signature">Thanks for the insights, Gregory and Mike!</div><div class="gmail_signature"><br></div><div class="gmail_signature">That said, I'd be curious what you think about a paper describing an adaptation of BIP32 to Ed25519 I've recently been pointed at (shortly after posting this thread):</div><div class="gmail_signature"><br></div><div class="gmail_signature"><a href="https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2016/blob/master/topics-and-advance-readings/HDKeys-Ed25519.pdf">https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2016/blob/master/topics-and-advance-readings/HDKeys-Ed25519.pdf</a><br></div><div class="gmail_signature"><br></div><div class="gmail_signature">They perform the typical clamping procedure on the root scalar, but also ensure that the *third* highest bit is zero.<br></div><div class="gmail_signature"><br></div><div class="gmail_signature">When deriving a child key, they use only the first 28 bytes / 224 bits of the hash as the child scalar.</div><div class="gmail_signature"><br></div><div class="gmail_signature">According to the rationale in section 4.6, this ensures the same clamping invariants discussed earlier in this thread apply to child keys.<br></div>
</div></div>
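<div>The bit arithmetic behind the message above, as an added example that is not code from the post or from the linked paper. It assumes the child scalar is the parent scalar plus 8 times the 28-byte hash prefix (my reading of the paper), models the third-highest-bit requirement as rejecting the seed, and uses a simplified HMAC input and constructed seeds; no curve operations are performed.</div>

```python
import hashlib
import hmac

def root_scalar(seed: bytes):
    """Clamp SHA-512(seed)[:32]; return None if the third-highest bit is set."""
    k = bytearray(hashlib.sha512(seed).digest()[:32])
    if k[31] & 0x20:          # bit 253 set: this seed is rejected (assumed handling)
        return None
    k[0] &= 0xF8              # clear low 3 bits -> multiple of 8
    k[31] &= 0x7F             # clear bit 255
    k[31] |= 0x40             # set bit 254
    return int.from_bytes(k, "little")

def first_valid_root(label: bytes) -> int:
    """Try constructed seeds label||counter until one passes the bit-253 check."""
    for counter in range(256):
        k = root_scalar(label + bytes([counter]))
        if k is not None:
            return k
    raise ValueError("no acceptable seed found")

def child_scalar(parent: int, chain_code: bytes, index: int) -> int:
    """parent + 8*ZL, with ZL the first 28 bytes of an HMAC-SHA512 output."""
    # Simplified message layout (assumption), not the paper's exact encoding.
    msg = parent.to_bytes(32, "little") + index.to_bytes(4, "little")
    z = hmac.new(chain_code, msg, hashlib.sha512).digest()
    return parent + 8 * int.from_bytes(z[:28], "little")

def clamped(k: int) -> bool:
    """Bit 255 clear, bit 254 set, low 3 bits clear."""
    return k % 8 == 0 and (k >> 254) == 1

def worst_case_ok(depth: int, zl_bytes: int = 28, bit253_clear: bool = True) -> bool:
    """True if `depth` derivations cannot carry into bit 255 even at maximal values."""
    root_max = (1 << 254) + ((1 << 253) if bit253_clear else (1 << 254)) - 8
    step_max = 8 * ((1 << (8 * zl_bytes)) - 1)
    return root_max + depth * step_max < (1 << 255)

def derive_chain(depth: int) -> list:
    """Derive a constructed chain of child scalars and return all of them."""
    k = first_valid_root(b"constructed-seed-")
    chain = [k]
    for i in range(depth):
        k = child_scalar(k, b"constructed-chain-code", i)
        chain.append(k)
    return chain
```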