Message-ID: <51A32A30.8040504@ceptacle.com>
Date: Mon, 27 May 2013 11:41:04 +0200
From: Michael Gronager <gronager@ceptacle.com>
To: bitcoin-development@lists.sourceforge.net
Subject: [Bitcoin-development] BIP0032

Pieter,

I was re-reading BIP0032, and checking some of the equations... It seems
to me that there is something wrong (or I have missed something).

As I see it there can only be one HMAC function, used for both private
and public derivation - I assume that:
[1]  CKD((k_par, c_par), i) -> (k_i, c_i)
[2]  CKD'((K_par, c_par), i) -> (K_i, c_i)

Where K_par = k_par*G, will result in K_i = k_i*G (and identical c_i's
in both expressions).

Now following your formulas for [1]:
  k_i = I_L + k_par (mod n)
where I_L = {HMACSHA512(c_par, 0x00||k_par||i)}_L (denoting the left
256 bits). Further c_i = I_R.
This gives a K_i = k_i*G = I_L*G + k_par(mod n)*G

Now follow the formula for [2]:
  K_i = (I_L+k_par)*G = I_L*G + K_par
This is not the same as above, however, if we remove the (mod n) we are
getting closer, but still the value of I_L are different in the two
equations as: HMACSHA512(c_par, 0x00||k_par||i) <> HMACSHA512(c_par,
X(k_par*G)||i).

We can, however, fix things if we change private child key derivation to:

To define CKD((k_par, c_par), i) -> (k_i, c_i):
* (no difference in deriving public or private):
	I = HMACSHA512(c_par, X(k_par*G)||i)
* Split I into I_L, I_R (256 bits each)
* k_i = k_par + I_L
* c_i = I_R
* and, if using public derivation, we use K_i = (k_par + I_L)*G

Now for pure public derivation (i.e. we don't know the private key):
To define CKD'((K_par, c_par), i) -> (K_i, c_i):
* I = HMACSHA512(c_par, X(K_par)||i)
* Split I into I_L and I_R
* K_i = K_par + I_L*G (= k_par*G + I_L*G = (k_par+I_L)*G = k_i*G)
* c_i = I_R

Now we have the right properties, but it required quite some changes;
also note that the c_i are now equal in both private and public derivation.

Comments?


Sincerely,

Michael
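Worked check of the derivation scheme proposed in the message above (an added example, not code from the message, from BIP0032 or from any wallet project): it implements the proposed CKD and CKD' on secp256k1 with plain integer arithmetic, assumes X(.) is the 32-byte big-endian x-coordinate and i a 4-byte big-endian index, and reduces k_i mod n, which leaves k_i*G unchanged since G has order n. `derivations_agree` verifies the two properties the message asks for: K_i = k_i*G and identical chain codes from both paths.

```python
import hashlib, hmac
# secp256k1 parameters (the curve Bitcoin uses); affine points, None = infinity
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def ec_add(p1, p2):
    """Point addition on secp256k1 (handles doubling and the point at infinity)."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # Q + (-Q) = point at infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def ec_mul(k, point=G):
    """Double-and-add scalar multiplication; k*G depends only on k mod N."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point, k = ec_add(point, point), k >> 1
    return result
def split_I(c_par, x_coord, i):
    """I = HMAC-SHA512(c_par, X(point) || i); assumed 32-byte x and 4-byte index."""
    I = hmac.new(c_par, x_coord.to_bytes(32, "big") + i.to_bytes(4, "big"),
                 hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big"), I[32:]       # (I_L as int, I_R = c_i)
def ckd_priv(k_par, c_par, i):
    """Proposed CKD: k_i = k_par + I_L (mod N; same point, as G has order N)."""
    I_L, c_i = split_I(c_par, ec_mul(k_par)[0], i)    # HMAC keyed on X(k_par*G)
    return (k_par + I_L) % N, c_i
def ckd_pub(K_par, c_par, i):
    """Proposed CKD': K_i = K_par + I_L*G, computed without the private key."""
    I_L, c_i = split_I(c_par, K_par[0], i)            # HMAC keyed on X(K_par)
    return ec_add(K_par, ec_mul(I_L)), c_i
def derivations_agree(k_par, c_par, i):
    """The property the message wants: K_i == k_i*G and identical chain codes."""
    k_i, c_priv = ckd_priv(k_par, c_par, i)
    K_i, c_pub = ckd_pub(ec_mul(k_par), c_par, i)
    return ec_mul(k_i) == K_i and c_priv == c_pub
# constructed demo parent key and chain code (not real wallet material)
SAMPLE_K_PAR = int.from_bytes(hashlib.sha256(b"demo parent key").digest(), "big") % N
SAMPLE_C_PAR = hashlib.sha256(b"demo chain code").digest()
if __name__ == "__main__":
    print(all(derivations_agree(SAMPLE_K_PAR, SAMPLE_C_PAR, i) for i in (0, 1, 42)))
```

The check passes because both paths feed the HMAC the same X(K_par) and chain code, so I_L and I_R coincide and K_par + I_L*G equals (k_par + I_L)*G by linearity of scalar multiplication.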