Oleg Andreev

2017-04-07 22:08:15 UTC

Hey there,

HKD stands for Hierarchical Key Derivation, e.g. BIP32 [1] or ChainKD [2].

Alternatively known as "blinded keys" per Tor's draft [3].

All these schemes generate a scalar to be mixed with the parent public key P using an index or nonce i:

h(i) := Hash(P || i || stuff)

The first two schemes add a derivation factor (multiplied by the base point) to the parent pubkey, while Tor's approach is to multiply the parent pubkey by the factor:

Child(i) := P + h(i)*G // BIP32, ChainKD

Child(i) := h(i)*P // Tor

Last time I asked Pieter Wuille (BIP32's author) a couple years ago about their choice, his reply (if I recall correctly) was that scalar multiplication for a base point is more efficient than for an arbitrary point.

I wonder if there's a difference in functionality if we add the factor (à la BIP32) or multiply (à la Tor).

Maybe some weird ZK schemes benefit from blinding/derivation via multiplication instead of addition?

[1] https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

[2] https://chain.com/docs/protocol/specifications/chainkd

[3] https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt#n1979
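
Added example (not part of the original message): the two constructions side by side on secp256k1, the curve BIP32 uses, with the private scalar that matches each child public key, x + h(i) for addition and x * h(i) for multiplication. The SHA-256 based h() and the function names are assumptions made for illustration; BIP32, ChainKD and Tor each define their own hash inputs, and Tor's draft works on a different curve.

```python
import hashlib

# secp256k1 domain parameters (field prime, group order, base point)
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % FP, -1, FP)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP)
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def h(parent_pub, i):
    """Assumed stand-in for h(i) := Hash(P || i || stuff), reduced mod n."""
    data = b"".join(c.to_bytes(32, "big") for c in parent_pub) + i.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def derive_additive(parent_pub, i):
    # Child(i) := P + h(i)*G  -- one base-point multiplication plus one addition
    return add(parent_pub, mul(h(parent_pub, i), G))

def derive_multiplicative(parent_pub, i):
    # Child(i) := h(i)*P  -- one multiplication of an arbitrary point
    return mul(h(parent_pub, i), parent_pub)

def child_secret_additive(x, parent_pub, i):
    return (x + h(parent_pub, i)) % N

def child_secret_multiplicative(x, parent_pub, i):
    return (x * h(parent_pub, i)) % N
```

In both schemes the holder of P alone can compute the child public key, and the holder of x can compute the matching child private scalar; the only structural difference is which point the factor h(i) multiplies.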
