[curves] ECC with semiprivate keys
Tony Arcieri
bascule at gmail.com
Thu Feb 13 14:18:34 PST 2014
I've been curious about semiprivate keys for a while. The concept is a bit
hard to describe, so I'll refer to section 6.1 of the Tahoe paper (as I
believe they were originally Zooko's idea):
http://eprint.iacr.org/2012/524.pdf
Here's a description by Hal Finney:
https://tahoe-lafs.org/pipermail/tahoe-dev/2009-July/002371.html
At the heart of this concept is a key derivation mechanism which has the
following roles:
- Private: Master ECC private scalar -> Semiprivate ECC curve point
- Semiprivate: Semiprivate ECC curve point -> [ECC public point, symmetric secret]
- Public: ECC public point
Here's a writeup I did for the purposes of an Ed25519-based digital
signature system with semiprivate keys where either the holder of the
private key or the semiprivate key can also derive a symmetric key:
https://gist.github.com/tarcieri/4760215
The goal of this is to replace the typical symmetric MACing mechanism with
one that gives the holders of various keys different capabilities:
- Verifier: Holds only the Public key. Can authenticate ciphertexts via
  digital signature, but can't decrypt them.
- Reader: Holds the Semiprivate key. Can both authenticate and decrypt
  ciphertexts, but can't sign new ones.
- Writer: Holds the Private key. Can authenticate and decrypt ciphertexts in
  addition to signing new ones.
Of course this is possible if you just use a separate symmetric key and a
digital signature key, but the nice thing about semiprivate keys is that
they allow you to derive both digital signature keys and symmetric
encryption keys from a single 256-bit seed.
--
Tony Arcieri
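
The three-tier derivation described in the message, as an added example that is not part of the original post or the linked gist. It assumes a multiplicative construction on edwards25519 (public = H(semiprivate) * semiprivate, signing scalar = x * H(semiprivate)); the hash choices and the domain tags "master", "blind" and "sym" are hypothetical.

```python
import hashlib

# edwards25519 constants (the curve underlying Ed25519)
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime group order
D = -121665 * pow(121666, -1, P) % P

def base_point():
    y = 4 * pow(5, -1, P) % P
    xx = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    return (x if x % 2 == 0 else P - x, y)

B = base_point()

def add(p1, p2):
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):
    acc = (0, 1)  # neutral element; not constant time, illustration only
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def encode(pt):
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def h_scalar(tag, data):
    return int.from_bytes(hashlib.sha512(tag + data).digest(), "little") % L

def writer_keys(seed):
    # Writer: 256-bit seed -> master scalar x -> semiprivate point x*B
    x = h_scalar(b"master", seed)
    return x, mul(x, B)

def reader_keys(semiprivate):
    # Reader: semiprivate point -> (public point, symmetric key), no x needed
    y = h_scalar(b"blind", encode(semiprivate))
    sym = hashlib.sha256(b"sym" + encode(semiprivate)).digest()
    return mul(y, semiprivate), sym

def signing_scalar(x, semiprivate):
    # Only the writer can compute x*y, the discrete log of the public point
    return x * h_scalar(b"blind", encode(semiprivate)) % L
```

A verifier receives only the public point, from which neither the semiprivate point nor the symmetric key is derived in this sketch.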