[−][src]Module schnorrkel::derive
Implementation of "hierarchical deterministic key derivation" (HDKD) for Schnorr signatures on Ristretto
Warning We warn that our VRF construction in vrf.rs supports
malleable VRF outputs via the Malleable
type, which becomes
insecure when used in conjunction with our hierarchical key
derivation methods here.
Attackers could translate malleable VRF outputs from one soft subkey
to another soft subkey, gaining early knowledge of the VRF output.
We think most VRF applicaitons for which HDKH sounds suitable
benefit from using implicit certificates insead of HDKD anyways,
which should also be secure in combination with HDKH.
We always use non-malleable VRF inputs in our convenience methods.
We suggest using implicit certificates instead of HDKD when
using VRFs.
Structs
ChainCode | We cannot assume the original public key is secret and additional
inputs might have low entropy, like |
ExtendedKey | A convenience wraper that combines derivable key and a chain code. |
Constants
CHAIN_CODE_LENGTH | Length in bytes of our chain codes. |
Traits
Derivation | Key types that support "hierarchical deterministic" key derivation |