SLIP-0010: Add BIP32-ED25519 Curve #703

Closed
ilap opened this issue Jul 22, 2019 · 2 comments
ilap commented Jul 22, 2019

The ed25519 curve lacks public child key generation, which is required, for example, for developing a monitoring-only (watch-only) wallet. See the Dart code example below.

However, there is a BIP32-compliant version of ed25519 (BIP32-ED25519), which is backward compatible with the original ed25519 (all the signing and verifying procedures remain the same), that produces all its extended private keys that lie in some affine space and therefore it can have a public child key generation function that complies with the BIP32 specification, and therefore should be added to the list of the supported curves.

```dart
// Import the master extended private key.
var mStr = 'xprv9s21ZrQH143K3gks4d1bQXQ3RUJ8B2DtJepewENRru1GeQR1Dzwn4wwTZSGP22aSyyuMKVWjQyMQMmSHeeHS69rjcDySQyJLVAw2XFv4xXi';
var m = Chain.import(mStr);

// Account-level extended keys and the first address, derived from the private side.
var xprv = m.forPath("m/44'/0'/0'");
var xpub = xprv.publicKey();
var address = m.forPath("m/44'/0'/0'/0/0");

// Watch-only wallet: derive the same address from the account xpub alone.
var watchOnly = Chain.import(xpub.toString());
var watchAddress = watchOnly.forPath("M/0/0");

print("======= Addresses are the same =======");
print("address (m/44'/0'/0'/0/0): ${address.publicKey().toString()}");
print("watchAddress (M/0/0):      ${watchAddress.toString()}");
```
@ilap ilap changed the title SLIP-0019: Add BIP32-ED25519 Curve SLIP-0010: Add BIP32-ED25519 Curve Jul 22, 2019
@andrewkozlik
Contributor

As you have already noticed, I created SLIP-0023 for this purpose. I had three reasons to create a separate spec for this:

  1. The "Ed25519-BIP32" scheme is similar, but not compatible with SLIP-0010 or BIP-0032. For one thing, it uses a different child key derivation method.

  2. There is a lot of confusion about the derivation of the master node in "Ed25519-BIP32". There is one method which is described in the original paper, but which is not implemented anywhere. Then I found that there are three methods which are implemented, two of which are used in practice (Daedalus and Icarus), but none of these is documented anywhere. All four methods are mutually incompatible and none of them uses HMAC-SHA512 of the seed with the curve name as is done in BIP-0032 and SLIP-0010. This is important to ensure proper domain separation between different elliptic curves or different types of key hierarchies. I would rather not bring all this confusion and malpractice into SLIP-0010.

  3. SLIP-0010 already defines a derivation scheme for Ed25519, which is incompatible with "Ed25519-BIP32". SLIP-0010 has been in existence for over three years now. There is a lot of code and documentation stating that they use Ed25519 key derivation as specified in SLIP-0010. If we add a new Ed25519 scheme to the specification, even if we call it something like version 2, then we will be introducing confusion about which method they are referring to.
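
Added example (not part of the original thread and not code from either participant): the curve-name domain separation from item 2 and the hardened-only limitation raised in the issue, shown with the master-node and child derivation that SLIP-0010 defines for Ed25519. The function names and the sample seed are assumptions made for illustration; the HMAC key strings are the ones SLIP-0010 lists.

```python
import hashlib
import hmac
import struct

HARDENED = 0x80000000

# HMAC keys SLIP-0010 uses for the master node, one per curve.
CURVE_KEYS = {
    "secp256k1": b"Bitcoin seed",
    "nist256p1": b"Nist256p1 seed",
    "ed25519": b"ed25519 seed",
}

# Constructed sample seed, for illustration only.
SAMPLE_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def master_node(seed, curve):
    """Return (key, chain_code) = split HMAC-SHA512(curve name, seed).

    The retry SLIP-0010 requires for out-of-range keys on secp256k1 and
    nist256p1 is omitted; every 32-byte value is a valid ed25519 key.
    """
    digest = hmac.new(CURVE_KEYS[curve], seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def ed25519_child(key, chain_code, index):
    """SLIP-0010 private child derivation for ed25519 (hardened only)."""
    if index < HARDENED:
        # No public-parent derivation exists in this scheme, which is
        # why a watch-only wallet cannot derive M/0/0 from an xpub.
        raise ValueError("ed25519 in SLIP-0010 has hardened children only")
    data = b"\x00" + key + struct.pack(">I", index)
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_path(seed, path):
    """Derive a path such as m/44'/0'/0' on the ed25519 curve."""
    key, chain_code = master_node(seed, "ed25519")
    for part in path.split("/")[1:]:
        hardened = part.endswith("'")
        index = int(part.rstrip("'")) + (HARDENED if hardened else 0)
        key, chain_code = ed25519_child(key, chain_code, index)
    return key, chain_code


if __name__ == "__main__":
    for curve in CURVE_KEYS:
        print(curve, master_node(SAMPLE_SEED, curve)[0].hex())
```

The same seed yields an unrelated master node for each curve name, and the path `m/44'/0'/0'/0/0` from the issue is rejected at its first non-hardened component.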

@ilap
Author

ilap commented Jul 26, 2019

Thx for the explanation.
