
SLIP-0023 : Modification Proposal #827

Open
ilap opened this issue Nov 26, 2019 · 1 comment

Comments


@ilap ilap commented Nov 26, 2019

The BIP32-Ed25519 specification allows only Ed25519 EdDSA-compatible master secrets by discarding those generated extended root private keys
which do not have the 3rd highest bit of the last byte cleared.

On the other hand, SLIP-0023 allows any master secret by explicitly clearing the bit
mentioned above. This modification means that SLIP-0023 is not fully backward compatible with
the BIP32-Ed25519 specification, and therefore about 50% of the master secrets are not Ed25519-compatible private keys.

The modification proposed by this document allows the master secret to become a fully Ed25519-compatible private key, meaning that the public key derived from an exported master secret would be the same as the public key generated by any other tool that uses the Ed25519 specification.

The rationale of this modification is to allow deterministically deriving an Ed25519 keypair from a seed, which can be used in some other tools that use Ed25519, by importing the exported master secret or I.

  1. Let S be a seed byte sequence such as the master secret from SLIP-0039.
  2. Calculate I := HMAC-SHA512(Key = "ed25519 cardano seed", Data = S).
  3. Split I into two 32-byte sequences, IL := I[0:32] and IR := I[32:64].
  4. Let ~k (master secret) := IL.
  5. Let k (root extended private key) := SHA-512(~k).
  6. If k[31] & 0x20 != 0, then
     • S := k
     • goto 2.
  7. Modify k by assigning k[0] := k[0] & 0xf8 and k[31] := (k[31] & 0x3f) | 0x40.
  8. Interpret k[0:32] as a 256-bit integer kL in little-endian byte order.
     Let kR := k[32:64] and use (kL, kR) as the root extended private key and c := IR as the root chain code.

Or, changing the key instead of the seed, as it was implemented in Daedalus' key generation:

  1. Let S be a seed byte sequence such as the master secret from SLIP-0039.
  2. Let i := 0.
  3. Calculate I := HMAC-SHA512(Key = "ed25519 cardano seed $i", Data = S).
  4. Split I into two 32-byte sequences, IL := I[0:32] and IR := I[32:64].
  5. Let ~k (master secret) := IL.
  6. Let k (root extended private key) := SHA-512(~k).
  7. If k[31] & 0x20 != 0, then
     • i := i + 1
     • goto 3.
  8. Modify k by assigning k[0] := k[0] & 0xf8 and k[31] := (k[31] & 0x3f) | 0x40.
  9. Interpret k[0:32] as a 256-bit integer kL in little-endian byte order.
     Let kR := k[32:64] and use (kL, kR) as the root extended private key and c := IR as the root chain code.
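The two procedures above, as an added Python example that is not part of the issue, SLIP-0023 or Daedalus: both variants share one loop, with the HMAC key string, rejection test and clamping taken from the proposal text, while the encoding of "$i" (a space followed by the decimal index) and the sample seed are assumptions. The `rfc8032_scalar` helper checks the compatibility claim: for an accepted master secret, plain Ed25519 clamping yields the same kL.

```python
import hashlib
import hmac
from typing import NamedTuple

HMAC_KEY = b"ed25519 cardano seed"   # HMAC key string from the proposal

class RootKey(NamedTuple):
    master_secret: bytes   # ~k: the 32 bytes a plain Ed25519 tool would import
    kL: bytes              # clamped scalar half of the root extended private key
    kR: bytes              # right half of the root extended private key
    chain_code: bytes      # IR
    attempts: int          # candidates tried before one was accepted

def derive_root(seed: bytes, indexed: bool = False) -> RootKey:
    """indexed=False: first variant, a rejected k becomes the new seed S.
    indexed=True: second (Daedalus-style) variant, a counter is appended to the
    HMAC key; "$i" is assumed to mean a space plus the decimal index."""
    attempts = 0
    while True:
        key = HMAC_KEY + b" " + str(attempts).encode() if indexed else HMAC_KEY
        attempts += 1
        i = hmac.new(key, seed, hashlib.sha512).digest()
        il, ir = i[:32], i[32:]              # ~k and the root chain code
        k = hashlib.sha512(il).digest()       # unclamped root extended private key
        if k[31] & 0x20 != 0:                 # BIP32-Ed25519 would discard this k
            if not indexed:
                seed = k                      # S := k, goto step 2
            continue                          # indexed: i := i + 1, goto step 3
        k = bytearray(k)
        k[0] &= 0xF8                          # clamp exactly as the proposal states
        k[31] = (k[31] & 0x3F) | 0x40
        return RootKey(il, bytes(k[:32]), bytes(k[32:]), ir, attempts)

def rfc8032_scalar(master_secret: bytes) -> bytes:
    """Plain Ed25519 (RFC 8032) secret scalar: SHA-512 of the 32-byte secret, first
    half clamped with 0xf8 / 0x7f / 0x40. Matches kL whenever ~k is accepted above,
    because the accepted k already has bit 5 of byte 31 clear."""
    h = bytearray(hashlib.sha512(master_secret).digest()[:32])
    h[0] &= 0xF8
    h[31] = (h[31] & 0x7F) | 0x40
    return bytes(h)

if __name__ == "__main__":
    sample_seed = bytes(range(32))            # constructed sample, not a real seed
    for mode in (False, True):
        r = derive_root(sample_seed, indexed=mode)
        assert rfc8032_scalar(r.master_secret) == r.kL
        print(f"indexed={mode} attempts={r.attempts} kL={r.kL.hex()}")
```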
@prusnak prusnak commented Nov 27, 2019

I am not sure if it makes sense to try to unify the methods, as the approach to the passphrase is very different in both.
