Author: Michael Gronager 2013-05-27 09:41:04
Published on: 2013-05-27T09:41:04+00:00
In an email to Pieter, Michael discusses his concerns about BIP0032 and the equations used for private and public derivation. He notes that there can only be one HMAC function used for both types of derivation. Following the formulas for private derivation, he finds that they result in K_i = k_i*G = I_L*G + k_par(mod n)*G. However, the formula for public derivation results in K_i = (I_L+k_par)*G = I_L*G + K_par, which is not the same as the previous formula. By changing the private child key derivation, Michael suggests using CDK((k_par, c_par), i) -> (k_i, c_i), where I = HMACSHA512(c_par, X(k_par*G)||i), and splitting I into I_L and I_R (256 bits each). This results in k_i = k_par + I_L and c_i = I_R. For pure public derivation, where the private key is not known, Michael suggests using CDK'((K_par, c_par), i) -> (K_i, c_i), where I = HMACSHA512(c_par, X(K_par)||i), I is split into I_L and I_R, and K_i = K_par + I_L*G (= k_par*G + I_L*G = (k_par+I_L)*G = k_i*G), and c_i = I_R. These changes result in the right properties and equal c_i values for both types of derivation.
Updated on: 2023-06-06T18:04:49.363102+00:00