Is it possible to derive a public key from another public key without knowing a private key (Ed25519)?
I have the following use case:
User has his master public (sk) - private (pk) key pair (Ed25519).
In DB we store a public key.
Is there any derivation mechanism D, where when knowing a derivation parameter x we can use it to derive a new private key sk2 = D(sk, x) and public key (knowing only the public key in DB): pk2 = Dx(pk, x), such that we can verify a signature done by sk2 using pkd2?
In other words, I would like to have a derivation mechanism I can use on the user side and server side, where the server doesn't know the private key.
Best if it works with Ed25519 keys.
public-key elliptic-curves key-derivation ed25519
asked Jan 26 at 12:17
Robert Zaremba
2 Answers
Yes! You can use the ephemeral key derivation mechanism that is for example used in Monero (they call it stealth keys there).
Consider public key $A=aG$, with private key $a$. Then, a derived key can be generated, parametrised by the random scalar $r$:
$$A'=H_s(rA)G+A$$
and the party that knows $a$ can use the public parameter $R=rG$ to compute their ephemeral private key $a'=H_s(aR)+a$. You can for example store $R$ with your signature.
Note 1: We add $A$ resp. $a$ to the public resp. private key to ensure that the party that derives a key cannot compute the private key.
Note 2: This derivation is basically a Diffie-Hellman key exchange with a random ephemeral key $R$.
Note 3: $R$ can also be used to "check" whether the user has access to this specific key. He just needs to check whether $A'=H_s(aR)+A$ holds.
answered Jan 26 at 12:50
Ruben De Smet
Yes, this is possible using Hierarchical Deterministic (HD) Keys. There are 2 variations for key generation, hardened and non-hardened. In hardened, generating child keys (both public and private) requires knowledge of parent private key but in non-hardened, child public key can be generated using parent public key. You need non-hardened key generation. The cryptocurrency Cardano does this for ed25519 keys, here is their doc with more explanation. It is based on this paper.
edited Feb 15 at 12:29
answered Jan 26 at 12:55
lovesh