May 20, 2016, 12:00:17 PM
I'm developing an authentication scheme using bitcoin cryptography, and for best privacy I want to derive a unique key pair for each domain. It would be nice to have derivation paths like
m/44'/0'/0'/0/bitcointalk.org
However, the BIP32 spec allows only integer indexes in the derivation path. I could map domain names to 32-bit integers (e.g. take the sha256 of the domain name and then use only the first 32 bits), but then it would be too easy to find collisions. Another option I thought of is taking the sha256 hash, splitting it into eight 32-bit integers, and then building a long derivation path like m/44'/0'/0'/0/int1/int2/int3/int4/int5/int6/int7/int8. I don't like it either, because such a long path would require too many group operations.
How about using a string as the derivation index? In BIP32, the 32-bit serialization of the integer index, ser32(i), is used as input to HMAC, and as far as I can see there is nothing in the spec that depends on the index being exactly 32 bits. That makes me think that the derivation functions will still work if we feed all the bits of a string into them instead. For example, non-hardened derivation would look like this (in BIP32 notation):
I = HMAC-SHA512(Key = cpar, Data = serP(point(kpar)) || "bitcointalk.org")
The keys are still recoverable because they will be regenerated on demand when the user tries to access the domain.
Are there any problems with this derivation?
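The derivation the post proposes, worked through as an added Python example (this is not the poster's code and not a BIP32 library). It implements BIP32 CKDpriv and CKDpub over secp256k1 in pure Python, but with the index passed as raw bytes, so the same function handles a standard ser32(i) index and a domain-name string. It walks m/44'/0'/0'/0 with ordinary hardened and non-hardened steps, then takes one non-hardened step whose index is the UTF-8 bytes of the domain, and checks that the public-key side of the derivation (parent public key plus chain code, no private key) still reproduces the same child public key. The seed, the domain names and all function names are constructed for the demo.

```python
import hashlib
import hmac

# secp256k1 parameters (standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point(k):
    return ec_mul(k, G)                      # BIP32 point(p)


def serP(pt):
    x, y = pt                                # BIP32 serP: compressed SEC1 form
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def ckd_priv(k_par, c_par, index_bytes, hardened):
    """BIP32 CKDpriv, except the index is an arbitrary byte string.
    Standard BIP32 passes ser32(i); the post's variant passes a domain name.
    """
    data = (b"\x00" + k_par.to_bytes(32, "big")) if hardened else serP(point(k_par))
    I = hmac.new(c_par, data + index_bytes, hashlib.sha512).digest()
    IL, IR = int.from_bytes(I[:32], "big"), I[32:]
    k_i = (IL + k_par) % N
    if IL >= N or k_i == 0:                  # BIP32: invalid child, caller must skip it
        raise ValueError("invalid child key for this index")
    return k_i, IR


def ckd_pub(K_par, c_par, index_bytes):
    """BIP32 CKDpub (non-hardened only) with the same arbitrary index bytes."""
    I = hmac.new(c_par, serP(K_par) + index_bytes, hashlib.sha512).digest()
    IL = int.from_bytes(I[:32], "big")
    K_i = ec_add(point(IL), K_par)
    if IL >= N or K_i is None:
        raise ValueError("invalid child key for this index")
    return K_i, I[32:]


def account_node(seed):
    """Private key and chain code at m/44'/0'/0'/0 using ordinary BIP32 steps."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, c = int.from_bytes(I[:32], "big"), I[32:]
    for i in (44 | HARDENED, 0 | HARDENED, 0 | HARDENED):
        k, c = ckd_priv(k, c, i.to_bytes(4, "big"), hardened=True)
    return ckd_priv(k, c, (0).to_bytes(4, "big"), hardened=False)


def derive_domain_key(seed, domain):
    """Final non-hardened step m/44'/0'/0'/0/<domain>, index = UTF-8 bytes of the domain."""
    k, c = account_node(seed)
    return ckd_priv(k, c, domain.encode("utf-8"), hardened=False)


def public_side_matches(seed, domain):
    """True if CKDpub from the parent public node yields point(child private key)."""
    k_par, c_par = account_node(seed)
    k_child, _ = derive_domain_key(seed, domain)
    K_child, _ = ckd_pub(point(k_par), c_par, domain.encode("utf-8"))
    return point(k_child) == K_child


SEED = bytes(range(16))  # constructed demo seed, not a real wallet

if __name__ == "__main__":
    k1, _ = derive_domain_key(SEED, "bitcointalk.org")
    k2, _ = derive_domain_key(SEED, "example.com")
    print("distinct per-domain keys:", k1 != k2)
    print("public derivation consistent:", public_side_matches(SEED, "bitcointalk.org"))
```

Because HMAC-SHA512 accepts a message of any length, nothing in CKDpriv or CKDpub changes when ser32(i) is replaced by the domain bytes, and the identity point(k_par + IL) = point(k_par) + point(IL) that CKDpub relies on holds regardless of how IL was produced. The code keeps the BIP32 rule of rejecting a child whose IL is at or above the curve order; a deployment would need a defined fallback (such as appending a counter to the domain) for that case. Because the last step is non-hardened, as in the post's formula, the usual BIP32 trade-off applies: the extended public key at m/44'/0'/0'/0 together with any one leaked per-domain private key recovers the parent private key.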