2017-04-07 22:08:15 UTC
HKD stands for Hierarchical Key Derivation, e.g. BIP32  or ChainKD .
Alternatively known as "blinded keys" per Tor's draft .
All these schemes generate a scalar to be mixed with the parent public key P using an index or nonce i:
h(i) := Hash(P || i || stuff)
The first two schemes add a derivation factor (multiplied by the base point)
to the parent pubkey, while the Tor's approach is to multiply the parent pubkey by the factor:
Child(i) := P + h(i)*G // BIP32, ChainKD
Child(i) := h(i)*P // Tor
Last time I asked Pieter Wuille (BIP32's author) a couple years ago about their choice,
his reply (if I recall correctly) was that scalar multiplication for a base point
is more efficient than for an arbitrary point.
I wonder if there's a difference in functionality if we add the factor (a-la BIP32) or multiply (a-la Tor).
Maybe some weird ZK schemes benefit from blinding/derivation via multiplication instead of addition?