Closed UppaJung closed 4 years ago
Yes, we need to specify whether we interpret as little vs big endian, whether we do modular reduction also if seed > prime or rejection sampling in that case to avoid bias (and how to iterate if so, e.g. hmac again or what).
Perhaps ideally we supply a Python routine and some test vectors to lock down seed->private key transformation?
@nicray Proposed AFAIK there is no "generally shared" map: 32 bytes (privateKeySeed) -> P256 private key. If there is some RFC, let's use that, if not, we have to specify one. One procedure I could think of ("rejection sampling with iterated hashing", but this we should ask a cryptographer about) is:
1. Interpret the 32 bytes as a little-endian integer S between 0 and 2^256 - 1.
2. If 1 <= S < order of the P256 group, use S to set private key = S * canonical generator (multiplication as Z-module).
3. If not, set S = SHA256(S), and goto 1.
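An added worked example (not code from this thread or the dicekeys project) of the rejection-sampling procedure above next to the plain modular-reduction alternative raised in the earlier comment; the byte-order parameter and the function names are my assumptions, and the final scalar-times-generator step is left out.

```python
import hashlib

# Order n of the P-256 (secp256r1) base point, from FIPS 186-4 / SEC 2.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def seed_to_scalar_rejection(seed: bytes, byteorder: str = "little") -> tuple:
    """Rejection sampling with iterated hashing, as sketched in the thread.

    Interpret the 32-byte seed as an integer S. Accept S if 1 <= S < n;
    otherwise replace the seed with SHA-256(seed) and try again. Returns
    (scalar, rehash_count). byteorder is a parameter (an assumption here)
    because the thread leaves little- vs big-endian open; the scalar would
    then be multiplied by the P-256 generator, which is not done here.
    """
    if len(seed) != 32:
        raise ValueError("seed must be exactly 32 bytes")
    rehashes = 0
    while True:
        s = int.from_bytes(seed, byteorder)
        if 1 <= s < P256_ORDER:
            return s, rehashes
        # Out of range (S == 0 or S >= n): hash the current 32 bytes, not a
        # re-encoding of S, so the iteration is well defined for either order.
        seed = hashlib.sha256(seed).digest()
        rehashes += 1


def seed_to_scalar_modreduce(seed: bytes, byteorder: str = "little") -> int:
    """The alternative asked about: plain reduction S mod n (a result of 0 is
    left for the caller to handle)."""
    if len(seed) != 32:
        raise ValueError("seed must be exactly 32 bytes")
    return int.from_bytes(seed, byteorder) % P256_ORDER


def modreduce_double_counted_residues() -> int:
    """Number of residues in [0, n) that plain reduction reaches from two
    distinct 32-byte seeds: exactly 2^256 mod n of them, which is 2^256 - n
    (about 2^224) since n < 2^256 < 2n. That is the bias the thread worries
    about; rejection sampling has none because every accepted S is unique."""
    return (1 << 256) % P256_ORDER
```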
Good find. Are you proposing we use that over NIST?
On Sun, Sep 20, 2020 at 11:00 AM Nicolas Stalder notifications@github.com wrote:
https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/
Joe said stick with NIST
@nickray
Do we need a modular reduction operation as part of the derivation of the secret key?