Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1Tg5JH-0003iY-5G for bitcoin-development@lists.sourceforge.net; Wed, 05 Dec 2012 03:06:07 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of coinlab.com designates 209.85.214.175 as permitted sender) client-ip=209.85.214.175; envelope-from=mike@coinlab.com; helo=mail-ob0-f175.google.com; Received: from mail-ob0-f175.google.com ([209.85.214.175]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1Tg5JG-0005sw-68 for bitcoin-development@lists.sourceforge.net; Wed, 05 Dec 2012 03:06:07 +0000 Received: by mail-ob0-f175.google.com with SMTP id vb8so4802790obc.34 for ; Tue, 04 Dec 2012 19:06:00 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type :x-gm-message-state; bh=4pSPZlzknpiSnuFLaUk7LfWpFz8DwvoIP0ofNdSRiZ0=; b=pbJS4jcM8rX4TV8r2PhWwGpCoJwzoU2xvYgQQYvAW2iBJ0omwiKf7gB0Q8m6CvUlHw RtUgziSkD4uYugyPROiAUCGEQD4iDYAh84wQeqPiKKczJSWO+u8ecj+yhMUbP+9l8MIp VhYKrJrhUviZyO5xIZfZVY+XF/85ZN6eITsDzbQfPhzIgzJrXWiukKM8OoUEWK1dyMul tothlyRhARDwyDX3duBRdoHKnT+d7yY2br6l6Jixq4WSVhpqbj5B+ocX3rGwB4gPgaTU lxsproOjdFW6xSQ3qCWZY6DgS3LSCZ+o0lsPR7UOdAtSW5iGXiZDQilYKTz/lq+rASnA rnyA== MIME-Version: 1.0 Received: by 10.182.157.44 with SMTP id wj12mr9496449obb.41.1354676760762; Tue, 04 Dec 2012 19:06:00 -0800 (PST) Received: by 10.76.33.130 with HTTP; Tue, 4 Dec 2012 19:06:00 -0800 (PST) Date: Tue, 4 Dec 2012 19:06:00 -0800 Message-ID: From: Mike Koss To: "bitcoin-development@lists.sourceforge.net" Content-Type: multipart/alternative; boundary=f46d044282101c58ac04d01243aa X-Gm-Message-State: ALoCoQnF1YeXQUE2kgYVOxnzOC8rGy/E0Z+pTjwEnFKo+1vBxKwDbvfuo141dPO+LtYNo0UtI5Qe X-Spam-Score: -0.5 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message X-Headers-End: 1Tg5JG-0005sw-68 Subject: [Bitcoin-development] String-based Hierarchical Deterministic Keys - Alternative to BIP 32 X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Dec 2012 03:06:07 -0000 --f46d044282101c58ac04d01243aa Content-Type: text/plain; charset=ISO-8859-1 I've implemented an alternative to the BIP 32 proposal. I wanted a system based on a hierarchical string representation (rather than hierarchy of integers as BIP 32 proposes). For example I name keys like this: [hd1.75491111].store.1. 1D7GM5dkUtxvGeWgn7SYtanBuyj1MD1EZy [hd1.75491111].store.2. 1QAqDbzpNKViGSjVe1XmnGbmZtvz5hM7t1 [hd1.75491111].store.3. 14XkSN92QLGeorYPpoVbG87DQhowEx3mFn [hd1.75491111].store.4. 1JLcGdod6Wm33rMZuZZUmAEE6osLhM4QMn First draft of proposal: https://gist.github.com/4211704 I envision using this in services, so I've not done any work to recommend how the keys would be represented directly in the client (I just map from a seed value and a hierarchy string in order to deterministic ally derive ECDSA public and private keys). I'm happy to release my source code for this (Python). But I'd first like to get feedback about any security concerns with my scheme (I note that I don't introduce the enlarged key space that BIP 32 does with its "chain code" - I'm wondering if that represents a weakness of my scheme vs. BIP 32). On Mon, Dec 3, 2012 at 12:44 PM, Pieter Wuille wrote: > On Mon, Dec 03, 2012 at 06:48:34AM -0800, Amir Taaki wrote: > > ok, also what is the reasoning behind serialising points using a > compressed > > format before going into the hash function? I'm looking at the > sec1-v2.pdf > > and the compression format is a little confusing. > > I don't think there is a compelling reason to encourage uncompressed public > keys anymore on the network. They take more space in the block chain for no > additional value whatsoever. Software may of course continue supporting > uncompressed keys if they wish to provide compatibility, but for a new > standard, I think it makes sense to standardize on just compressed keys. > And since that software thus needs to support the compressed encoding, > there is no reason to use a different encoding inside the derivation scheme > itself. > > Regarding the encoding itself, it is not hard: just 0x02 or 0x03 (depending > on whether Y is even or odd) followed by the 32-byte encoding of X. > Decoding > is harder, but is never needed in the derivation. Software internally can > use > any representation (and it will), which in almost all circumstances stores > both X and Y (and even more). Decoding compressed public keys is somewhat > harder, as Y must be reconstructed (but the algorithm isn't hard) - this is > only necessary when someone wants to import an extended public key though > for > watch-only wallets. > > -- > Pieter > > > ------------------------------------------------------------------------------ > Keep yourself connected to Go Parallel: > BUILD Helping you discover the best ways to construct your parallel > projects. > http://goparallel.sourceforge.net > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > -- Mike Koss CTO, CoinLab (425) 246-7701 (m) A Bitcoin Primer - What you need to know about Bitcoins. --f46d044282101c58ac04d01243aa Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable I've implemented an alternative to the BIP 32 proposal. =A0I wanted a s= ystem based on a=A0hierarchical=A0string representation (rather than=A0hier= archy=A0of integers as BIP 32 proposes). =A0For example I name keys like th= is:

=
[hd1.75491111].store.1. 1D7= GM5dkUtxvGeWgn7SYtanBuyj1MD1EZy
[hd1.75491111].store.2. 1QAqDbzpNKViGSjVe= 1XmnGbmZtvz5hM7t1
[hd1.75491= 111].store.3. 14XkSN92QLGeorYPpoVbG87DQhowEx3mFn
[hd1.75491111].store.4. = 1JLcGdod6Wm33rMZuZZUmAEE6osLhM4QMn

First draft of proposal:


I envision = using this in services, so I've not done any work to recommend how the = keys would be represented directly in the client (I just map from a seed va= lue and
a=A0hierarchy=A0string in order to=A0deterministic ally=A0derive ECDSA= public and private keys).

I'm happy to releas= e my source code for this (Python). =A0But I'd first like to get feedba= ck about any security concerns with my scheme (I note that I don't intr= oduce the enlarged
key space that BIP 32 does with its "chain code" - I'm w= ondering if that represents a weakness of my scheme vs. BIP 32).

On Mon, Dec 3, 2012 at 12:44 PM, Pieter Wuille <pieter.wuille@gmail.com> wrote:
On Mon, Dec 03, 2012 at 06= :48:34AM -0800, Amir Taaki wrote:
> ok, also what is the reasoning behind serialising points using a compr= essed
> format before going into the hash function? I'm looking at the sec= 1-v2.pdf
> and the compression format is a little confusing.

I don't think there is a compelling reason to encourage uncompres= sed public
keys anymore on the network. They take more space in the block chain for no=
additional value whatsoever. Software may of course continue supporting
uncompressed keys if they wish to provide compatibility, but for a new
standard, I think it makes sense to standardize on just compressed keys. And since that software thus needs to support the compressed encoding,
there is no reason to use a different encoding inside the derivation scheme=
itself.

Regarding the encoding itself, it is not hard: just 0x02 or 0x03 (depending=
on whether Y is even or odd) followed by the 32-byte encoding of X. Decodin= g
is harder, but is never needed in the derivation. Software internally can u= se
any representation (and it will), which in almost all circumstances stores<= br> both X and Y (and even more). Decoding compressed public keys is somewhat harder, as Y must be reconstructed (but the algorithm isn't hard) - thi= s is
only necessary when someone wants to import an extended public key though f= or
watch-only wallets.

--
Pieter

---------------------------------------------------------------------------= ---
Keep yourself connected to Go Parallel:
BUILD Helping you discover the best ways to construct your parallel project= s.
http://gopa= rallel.sourceforge.net
_______________________________________________
Bitcoin-development mailing list
Bitcoin-develo= pment@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment



--
= Mike Koss
CTO, CoinLab
(425) 246-7701 (m)

A Bitcoin Primer=A0- What you need to know about Bitcoins.

--f46d044282101c58ac04d01243aa--