secret-tree
allows deriving multiple secrets from a single seed value in a secure and forward-compatible way.
The derivation procedure is hierarchical: a seed can be used to derive child seeds, which have the same functionality
as the original.
Add this to your Crate.toml
:
toml
[dependencies]
secret-tree = "0.3.0"
See crate documentation for more details how to use the crate.
Blake2b is used to derive secrets in a similar (and mostly compatible) way it is used for key derivation in [libsodium]. Derived CSPRNGs are based on the [ChaCha cipher], which has been extensively studied and has much smaller state size that alternatives (~160 bytes vs several kilobytes), limiting the threat of state leakage.
Crate documentation provides more implementation details.