[][src]Module schnorrkel::derive

Implementation of "hierarchical deterministic key derivation" (HDKD) for Schnorr signatures on Ristretto

Warning We warn that our VRF construction in vrf.rs supports malleable VRF outputs via the Malleable type, which becomes insecure when used in conjunction with our hierarchical key derivation methods here. Attackers could translate malleable VRF outputs from one soft subkey to another soft subkey, gaining early knowledge of the VRF output. We think most VRF applicaitons for which HDKH sounds suitable benefit from using implicit certificates insead of HDKD anyways, which should also be secure in combination with HDKH. We always use non-malleable VRF inputs in our convenience methods. We suggest using implicit certificates instead of HDKD when using VRFs.

Structs

ChainCode

We cannot assume the original public key is secret and additional inputs might have low entropy, like i in BIP32. As in BIP32, chain codes fill this gap by being a high entropy secret shared between public and private key holders. These are produced by key derivations and can be incorporated into subsequence key derivations. See https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#extended-keys

ExtendedKey

A convenience wraper that combines derivable key and a chain code.

Constants

CHAIN_CODE_LENGTH

Length in bytes of our chain codes.

Traits

Derivation

Key types that support "hierarchical deterministic" key derivation