bip32.rs

Rust implementation of [BIP32] - a key derivation algorithm useful for deterministically generating a hierarchy of elliptic curve private or public keys (i.e. key blinding).

This implementation is generic over prime order groups and supports both [secp256k1] and [Ristretto].

About

The [BIP32] construction was originally specified for the [secp256k1] elliptic curve used by Bitcoin for ECDSA signatures.

This crate experimentally generalizes BIP32 to operate over any prime order group and then additionally implements BIP32 using [Ristretto] groups. Ristretto is a construction which leverages the same field arithmetic as the [Ed25519] digital signature system, but provides a prime order group with similar properties to prime order curves like secp256k1.
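As an added example (not the crate's own code), the pure-Python sketch below walks through non-hardened BIP32 child derivation over secp256k1 and checks the additive homomorphism the generalization above rests on: CKDpub applied to the parent public key yields the same child point as taking the public key of CKDpriv. The names ec_add, ec_mul, ser_p, tweak, ckd_priv, ckd_pub and public_derivation_matches are this example's own, and the curve arithmetic is a toy (variable-time, unoptimized).

```python
import hmac, hashlib
# secp256k1 domain parameters: field prime P, prime group order N, generator G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None: return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (toy code: not constant-time)."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ser_p(pt):
    """SEC1 compressed point encoding, BIP32's serP()."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def tweak(c_par, data, i):
    """I = HMAC-SHA512(c_par, data || ser32(i)); returns (parse256(IL), IR)."""
    assert i < 2**31  # hardened indices need the private key; not modelled here
    I = hmac.new(c_par, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    assert il < N  # BIP32: child is invalid if parse256(IL) >= n (probability ~2^-128)
    return il, I[32:]
def ckd_priv(k_par, c_par, i):
    """Non-hardened CKDpriv: k_i = parse256(IL) + k_par mod n."""
    il, c_i = tweak(c_par, ser_p(ec_mul(k_par, G)), i)
    return (il + k_par) % N, c_i

def ckd_pub(K_par, c_par, i):
    """Non-hardened CKDpub: K_i = point(parse256(IL)) + K_par; no private key needed."""
    il, c_i = tweak(c_par, ser_p(K_par), i)
    return ec_add(ec_mul(il, G), K_par), c_i

def public_derivation_matches(k_par, c_par, i):
    """The homomorphism BIP32 relies on: pubkey(CKDpriv) == CKDpub(pubkey)."""
    k_i, c_i = ckd_priv(k_par, c_par, i)
    K_i, c_i_pub = ckd_pub(ec_mul(k_par, G), c_par, i)
    return K_i == ec_mul(k_i, G) and c_i == c_i_pub
```

Only the group operations (ec_add, ec_mul, ser_p) are curve-specific; swapping them for a Ristretto point type leaves tweak, ckd_priv and ckd_pub unchanged, which is the generalization the crate makes.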

This approach avoids the sharp edges and complexity which arise from attempting to adapt BIP32 to the Ed25519 signature system. Those arise because the underlying "edwards25519" elliptic curve has cofactor 8 (i.e. "edwards25519" does not have prime order), which produces potentially unexpected properties when protocols originally intended for prime order groups are adapted to it; in practice these lead to "small subgroup attacks" based on the low order subgroups that the cofactor introduces.

These attacks can be "mitigated" by performing an appropriate check wherever subgroups are not intended to be valid, and by ensuring that all scalar values are either "clamped" to the appropriate range or multiplied by the cofactor. In practice this approach has proven to be quite brittle: it resulted in a double spending attack on CryptoNote (the ring signature scheme used by Monero), forgery attacks on Monero Bulletproofs, and a key recovery attack on BIP32-Ed25519.

Ristretto strategically avoids these pitfalls, while also enabling protocol implementations which are generic over secp256k1 (or any other group of prime order).

License

Copyright (c) 2018 Ristretto Developers.

Distributed under the BSD (3-clause) License. See [LICENSE] for more information.