Closed sander closed 1 month ago
The ARKG spec version 2024-05-24 § 2.2.1 describes deterministic key generation, where pk_kem may be derived by both issuer and wallet from pk_bl. This would solve the problem if BL and KEM are based on the same scheme, e.g. ECDH.
If they are based on different schemes, it will be difficult to implement on general-purpose WSCDs: they will typically not allow for a sk_bl created for e.g. ECDSA to be reused as sk_kem for ECDH.
In the protocol examples I've illustrated how the ARKG key handles and KEM key pairs could become part of the hierarchy. At first I was going for a single KEM key pair, but this would introduce linkability across attestation providers. So now I have a KEM key pair per attestation. Perhaps we can reduce size by deriving the KEM key pair from attestation data instead. What do you think, does the example in the text resonate?