From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1UgtvX-0004cY-Q3 for bitcoin-development@lists.sourceforge.net; Mon, 27 May 2013 09:41:15 +0000 X-ACL-Warn: Received: from 2508ds5-oebr.1.fullrate.dk ([90.184.5.129] helo=mail.ceptacle.com) by sog-mx-1.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1UgtvU-00050z-AG for bitcoin-development@lists.sourceforge.net; Mon, 27 May 2013 09:41:15 +0000 Received: from localhost (localhost [127.0.0.1]) by mail.ceptacle.com (Postfix) with ESMTP id 310FD2F450AD for ; Mon, 27 May 2013 11:41:06 +0200 (CEST) X-Virus-Scanned: amavisd-new at ceptacle.com Received: from mail.ceptacle.com ([127.0.0.1]) by localhost (server.ceptacle.private [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JqxhXEvbY64T for ; Mon, 27 May 2013 11:41:05 +0200 (CEST) Received: from MacGronager.local (cpe.xe-3-1-0-415.bynqe10.dk.customer.tdc.net [188.180.67.254]) by mail.ceptacle.com (Postfix) with ESMTPSA id 57C422F4509B for ; Mon, 27 May 2013 11:41:05 +0200 (CEST) Message-ID: <51A32A30.8040504@ceptacle.com> Date: Mon, 27 May 2013 11:41:04 +0200 From: Michael Gronager User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130509 Thunderbird/17.0.6 MIME-Version: 1.0 To: bitcoin-development@lists.sourceforge.net X-Enigmail-Version: 1.5.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Spam-Score: 0.0 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. X-Headers-End: 1UgtvU-00050z-AG Subject: [Bitcoin-development] BIP0032 X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 May 2013 09:41:16 -0000 Pieter, I was re-reading BIP0032, and checking some of the equations... It seems to me that there is something wrong (or I have missed something). As I see it there can only be one HMAC function, used for both private and public derivation - I assume that: [1] CKD((k_par, c_par), i) -> (k_i, c_i) [2] CKD'((K_par, c_par), i) -> (K_i, c_i) Where K_par = k_par*G, will result in K_i = k_i*G (and identical c_i's in both expressions). Now following your formulas for [1]: k_i = I_L + k_par (mod n) where I_L = {HMACSHA512(c_par, 0x00||k_par||i)}_L (denoting left 256bits). Further c_i = I_R. This gives a K_i = k_i*G = I_L*G + k_par(mod n)*G Now follow the formula for [2]: K_i = (I_L+k_par)*G = I_L*G + K_par This is not the same as above, however, if we remove the (mod n) we are getting closer, but still the value of I_L are different in the two equations as: HMACSHA512(c_par, 0x00||k_par||i) <> HMAXSHA512(c_par, X(k_par*G)||i). We can, however, fix things if we change private child key derivation to: To define CDK((k_par, c_par), i) -> (k_i, c_i): * (no difference in deriving public or private): I = HMACSHA512(c_par, X(k_par*G)||i) * Split I into I_L, I_R (256bits each) * k_i = k_par + I_L * c_i = I_R * and, if using public derivation, we use K_i = (k_par + I_L)*G Now for pure public derivation (i.e. we don't know the private key): To define CDK'((K_par, c_par), i) -> (K_i, c_i): * I = HMACSHA512(c_par, X(K_par)||i) * Split I into I_L and I_R * K_i = K_par + I_L*G (= k_par*G + I_L*G = (k_par+I_L)*G = k_i*G) * c_i = I_R Now we have the right properties, but it required quite some changes, also note that c_i are now equal in both private and public derivation. Comments ? Sincerely, Michael