Open real-or-random opened 4 months ago
jonasnick
commented
4 months ago def hostseckey(seed: bytes) -> bytes:
return prf(seed, "chilldkg hostseckey")seems a bit unnecessary indeed. I thought for a moment that this has the advantage that we can in principle have multiple hostpubkeys for a single seed, but that's actually just unnecessary complexity.
I'm not sure what you mean by "this fits BIP32 better". Isn't the host key pair just (seed, int(seed)*G), no BIP 32 required?
real-or-random
commented
4 months ago I'm not sure what you mean by "this fits BIP32 better". Isn't the host key pair just
(seed, int(seed)*G), no BIP 32 required?
I can imagine that it fits the current model of multisigs in (hardware) wallets better, where each participant derives the key pair for the multisig using some BIP32 derivation path (see, e.g. some of the descriptor examples with explicit BIP32 derivation paths in https://github.com/bitcoin/bips/blob/master/bip-0383.mediawiki).
If wallets want to use the same method for DKG, they could derive a secret key using BIP32 and use it as DKG "seed". And then it's a bit more natural that the corresponding derived pubkey is actually the host pubkey.
real-or-random
commented
1 month ago Now that I think about this again, my conclusion is that this is more of a naming question for the API than a derivation question
What's currently caller-facing is a secret "seed" and a "host public key". That's a bit unnatural. If we call one thing "a public key", then there should be a corresponding secret key in the API. If we want to fix this (and I think we want to), then we have the following options:
Currently, we derive everything from the seed, including the hostseckey. We could instead let the user pass the hostseckey and then, if we need randomness for the VSS, derive it from the hostseckey.
Advantages:
Disadvantage: