sander
commented
6 days ago
Outputs sk', a blinded private key Scalar based on ARKG private seed
This is the first time "Scalar" is referenced, and I don't think the extra qualification is necessary - just "blinded private key" should be enough. Especially since the abstraction is not yet limited to just EC instantiations at this point.
Agreed.
3.1. Using elliptic curves
In
key, it seems safer to me to usehash_to_field(RFC 9380) than just plain modulo reduction. See for example how it's used in ARKG to implement blinding on elliptic curves.
This would introduce additional hashing operations, after deriving the already uniformly expand output, which is computed using an expand_message from RFC 9380 indeed.
(_, sk') = key(okm[0:Nk]) pk' = EC-Add(pk_device, EC-Scalar-Base-Mult(sk')))
I think this is equivalent to:
(pk'', _) = key(okm[0:Nk]) pk' = EC-Add(pk_device, pk''))
(should probably use a better name than pk'' though)
Agreed this is cleaner. Thanks.
This is the first time "Scalar" is referenced, and I don't think the extra qualification is necessary - just "blinded private key" should be enough. Especially since the abstraction is not yet limited to just EC instantiations at this point.
In
key, it seems safer to me to usehash_to_field(RFC 9380) than just plain modulo reduction. See for example how it's used in ARKG to implement blinding on elliptic curves.I think this is equivalent to:
(should probably use a better name than pk'' though)