From 514ca927ad1fa6433b9b0da41bfd409f9f7175eb Mon Sep 17 00:00:00 2001 From: Carl Beekhuizen Date: Thu, 18 Jun 2020 15:20:37 +0200 Subject: [PATCH 1/6] Clarify indexing --- EIPS/eip-2333.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/EIPS/eip-2333.md b/EIPS/eip-2333.md index d74fc3c6bcb6e3..e4a0aa9f28590e 100644 --- a/EIPS/eip-2333.md +++ b/EIPS/eip-2333.md @@ -115,14 +115,16 @@ Every key generated via the key derivation process derives a child key via a set 3. not_IKM = flip_bits(IKM) 4. lamport_1 = IKM_to_lamport_SK(not_IKM, salt) 5. lamport_PK = "" -6. for i = 0 to 255 +6. for i in 1, .., 255 lamport_PK = lamport_PK | SHA256(lamport_0[i]) -7. for i = 0 to 255 +7. for i in 1, .., 255 lamport_PK = lamport_PK | SHA256(lamport_1[i]) 8. compressed_lamport_PK = SHA256(lamport_PK) 9. return compressed_lamport_PK ``` +**Note:** The indexing, `i`, in the above procedure iterates from 1 to 255 (inclusive). This is due to the limit to which HKDF can stretch the input bytes (255 times the length of the input bytes). The result of this is that the security of the lamport-backup signature is \*only\* 127.5 bit. + #### `HKDF_mod_r` `hkdf_mod_r()` is used to hash 32 random bytes into the subgroup of the BLS12-381 private keys. @@ -139,7 +141,7 @@ Every key generated via the key derivation process derives a child key via a set * `HKDF-Extract` is as defined in RFC5869, instantiated with hash H. * `HKDF-Expand` is as defined in RFC5869, instantiated with hash H. -* `L` is the integer given by ceil((1.5 * ceil(log2(r))) / 8). +* `L` is the integer given by `ceil((3 * ceil(log2(r))) / 16)`.(`L=48`) * `"BLS-SIG-KEYGEN-SALT-"` is an ASCII string comprising 20 octets. * `""` is the empty string. * `OS2IP` is as defined in [RFC3447](https://ietf.org/rfc/rfc3447.txt) (Big endian encoding) From 635042380699fccedae57b1bbcfb82e70019da62 Mon Sep 17 00:00:00 2001 
From: Carl Beekhuizen Date: Fri, 19 Jun 2020 14:09:46 +0200 Subject: [PATCH 2/6] Increase minimum seed length requirements to match BLS spec --- EIPS/eip-2333.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/EIPS/eip-2333.md b/EIPS/eip-2333.md index e4a0aa9f28590e..0f1f9dc5047a25 100644 --- a/EIPS/eip-2333.md +++ b/EIPS/eip-2333.md @@ -158,7 +158,6 @@ Every key generated via the key derivation process derives a child key via a set ### `derive_child_SK` -The child key derivation function takes in the parent's private key and the index of the child and returns the child private key. ##### Inputs @@ -179,9 +178,11 @@ The child key derivation function takes in the parent's private key and the inde ### `derive_master_SK` +The child key derivation function takes in the parent's private key and the index of the child and returns the child private key. The seed should ideally be derived from a mnemonic, with the intention being that [BIP39 mnemonics](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki), with the associated [mnemonic_to_seed method](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed) be used. + ##### Inputs -* `seed`, the source entropy for the entire tree, a octet string >= 128 bits +* `seed`, the source entropy for the entire tree, a octet string >= 256 bits in length and containing at least 128 bits of entropy ##### Outputs 
@@ -233,6 +234,13 @@ child_index = 0 child_SK = 7419543105316279183937430842449358701327973165530407166294956473095303972104 ``` +This test case can be extended to test the entire mnemonic-to -child_SK` stack, assuming [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) is used as the mnemonic generation mechanism. Using the following parameters, the above seed can be calculated: + +```test +mnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about" +passphrase = "TREZOR" +``` + ### Test Case 1 ```text From d2602d96c685bae839461507770205ce4b678daf Mon Sep 17 00:00:00 2001 From: Carl Beekhuizen Date: Fri, 19 Jun 2020 14:13:20 +0200 Subject: [PATCH 3/6] remove entropy limit --- EIPS/eip-2333.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-2333.md b/EIPS/eip-2333.md index 0f1f9dc5047a25..aa3bae2684deee 100644 --- a/EIPS/eip-2333.md +++ b/EIPS/eip-2333.md @@ -182,7 +182,7 @@ The child key derivation function takes in the parent's private key and the inde ##### Inputs -* `seed`, the source entropy for the entire tree, a octet string >= 256 bits in length and containing at least 128 bits of entropy +* `seed`, the source entropy for the entire tree, a octet string >= 256 bits in length ##### Outputs From c41efedffcfe762dd82edd03906065363bbce7fc Mon Sep 17 00:00:00 2001 From: Carl Beekhuizen Date: Fri, 19 Jun 2020 14:15:34 +0200 Subject: [PATCH 4/6] remove accidentally deleted sentance --- EIPS/eip-2333.md | 1 + 1 file changed, 1 insertion(+) diff --git a/EIPS/eip-2333.md b/EIPS/eip-2333.md index aa3bae2684deee..a643c204501289 100644 --- a/EIPS/eip-2333.md +++ b/EIPS/eip-2333.md @@ -158,6 +158,7 @@ Every key generated via the key derivation process derives a child key via a set ### `derive_child_SK` +The child key derivation function takes in the parent's private key and the index of the child and returns the child private key. ##### Inputs 
From aa88e83a1f6845d626e5d7ef1c7898bb0e2c3892 Mon Sep 17 00:00:00 2001 From: Carl Beekhuizen Date: Fri, 19 Jun 2020 14:20:31 +0200 Subject: [PATCH 5/6] place lower bound on `hkdf_mod_r` `IKM` length --- EIPS/eip-2333.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-2333.md b/EIPS/eip-2333.md index a643c204501289..b7fe7568048621 100644 --- a/EIPS/eip-2333.md +++ b/EIPS/eip-2333.md @@ -131,7 +131,7 @@ Every key generated via the key derivation process derives a child key via a set ##### Inputs -* `IKM`, a secret octet string. +* `IKM`, a secret octet string >= 256 bits in length ##### Outputs From 8a358103743e06441d2f256bed89608835d256e0 Mon Sep 17 00:00:00 2001 From: Carl Beekhuizen Date: Wed, 24 Jun 2020 21:36:00 +0200 Subject: [PATCH 6/6] Fix typos --- EIPS/eip-2333.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/EIPS/eip-2333.md b/EIPS/eip-2333.md index b7fe7568048621..0cee6da90bcce1 100644 --- a/EIPS/eip-2333.md +++ b/EIPS/eip-2333.md @@ -235,9 +235,9 @@ child_index = 0 child_SK = 7419543105316279183937430842449358701327973165530407166294956473095303972104 ``` -This test case can be extended to test the entire mnemonic-to -child_SK` stack, assuming [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) is used as the mnemonic generation mechanism. Using the following parameters, the above seed can be calculated: +This test case can be extended to test the entire `mnemonic-to -child_SK` stack, assuming [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) is used as the mnemonic generation mechanism. Using the following parameters, the above seed can be calculated: -```test +```text mnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about" passphrase = "TREZOR" ```
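Review bot: In patch 1, hunk @@ -115, the new loop bound `for i in 1, .., 255` leaves the indexing convention of the Lamport chunks ambiguous: the old `for i = 0 to 255` is 256 iterations, the new one is 255, which is the right count given the HKDF expand limit the added Note cites (255 times the hash length), but an implementer still cannot tell whether `lamport_0[i]` is 1-based into 255 chunks or 0-based with chunk 0 skipped. State it explicitly, e.g. `for i in 0 .. 254` over a 0-indexed list of 255 chunks, or say "for each of the 255 chunks". In the added Note, `\*only\*` renders as literal asterisks in markdown; use `*only*` for emphasis. The Note also asserts the 127.5-bit figure without saying how it follows from 255 chunks; one sentence deriving it would stop readers from assuming a typo for 128.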
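Review bot: In patch 1, hunk @@ -139, the replacement line `... ceil((3 * ceil(log2(r))) / 16)`.(`L=48`)` fuses the parenthetical to the sentence's full stop; suggest "* `L` is the integer given by `ceil((3 * ceil(log2(r))) / 16)` (i.e. `L = 48` for BLS12-381)." Note that the new expression is arithmetically identical to the old `ceil((1.5 * ceil(log2(r))) / 8)` (1.5/8 = 3/16), so the useful change here is the concrete value, which is worth saying in the commit message so reviewers do not look for a behavioural change.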
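Review bot: In patch 2, hunk @@ -179, the sentence "The child key derivation function takes in the parent's private key and the index of the child and returns the child private key." is inserted under `### derive_master_SK`, where it describes the wrong function; hunk @@ -158 in the same patch removed it from `derive_child_SK`, which looks like a misplaced cut-and-paste. Patch 4 restores the sentence under `derive_child_SK` but never removes this copy, so after the series the same sentence sits under both headings. Replace the `derive_master_SK` copy with a sentence about deriving the master key from the seed, so that the following sentence about BIP39 and `mnemonic_to_seed` attaches to the right function. Also in this hunk, "a octet string" should read "an octet string".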
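Review bot: In patch 2, hunk @@ -233, the added test-vector paragraph has an unbalanced backtick and a stray space in "mnemonic-to -child_SK` stack"; suggest "the entire `mnemonic`-to-`child_SK` stack". The fence language `test` is not a recognised highlighter; use `text` like the surrounding test cases (patch 6 does both of these, so consider squashing). More substantively, "the above seed can be calculated" leaves the intermediate step implicit: state that `mnemonic_to_seed(mnemonic, passphrase)` with these two inputs must equal the `seed` of Test Case 0, so that an implementer can check the BIP39 step independently of `derive_master_SK` when the final `child_SK` does not match.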
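Review bot: In patch 3, hunk @@ -182, dropping "containing at least 128 bits of entropy" removes the only statement about seed quality; the remaining bound (">= 256 bits in length") constrains length, not entropy, even though the same line calls `seed` "the source entropy for the entire tree". If the intent is that entropy requirements belong to the mnemonic generation scheme rather than this EIP, say so in the `derive_master_SK` prose rather than removing the clause silently, otherwise a reader of the diff cannot tell whether the requirement was relaxed on purpose. "a octet string" should read "an octet string" on the surviving line.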
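Review bot: In patch 4, hunk @@ -158, the restored sentence under `derive_child_SK` is correct, but the duplicate that patch 2 placed under `derive_master_SK` is still there, so this patch should also delete that copy (or patch 2 should be amended so the sentence never moves). Commit subject: the patch restores rather than removes the sentence, and "sentance" should be "sentence".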
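Review bot: In patch 5, hunk @@ -131, the new bound "`IKM`, a secret octet string >= 256 bits in length" drops the trailing full stop the old line had; also consider writing it as ">= 256 bits (32 bytes) in length" since the `hkdf_mod_r` description a few lines up already speaks of hashing "32 random bytes", and readers will want to see the two agree. Since `seed` is now also required to be >= 256 bits (patch 2), it would help to note that both callers of `hkdf_mod_r` satisfy this minimum by construction.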
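Review bot: In patch 6, hunk @@ -235, the backticks are now balanced and the fence is `text`, but "`mnemonic-to -child_SK`" still has the stray space and puts the English connective inside the code span; suggest "`mnemonic`-to-`child_SK`". Since this hunk only corrects text introduced in patch 2 of the same series, squashing it into patch 2 would keep the history cleaner.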