I've been curious about semiprivate keys for a while. The concept is a bit hard to describe, so I'll refer to section 6.1 of the Tahoe paper (as I believe they were originally Zooko's idea):

http://eprint.iacr.org/2012/524.pdf

Here's a description by Hal Finney:

https://tahoe-lafs.org/pipermail/tahoe-dev/2009-July/002371.html

At the heart of this concept is a key derivation mechanism which has the following roles:

- Private: Master ECC private scalar -> Semiprivate ECC curve point
- Semiprivate: Semiprivate ECC curve point -> [ECC public point, symmetric secret]
- Public: ECC public point

Here's a writeup I did for the purposes of an Ed25519-based digital signature system with semiprivate keys where either the holder of the private key or the semiprivate key can also derive a symmetric key:

https://gist.github.com/tarcieri/4760215

The goal of this is to replace the typical symmetric MACing mechanism with one that gives the holders of various keys different capabilities:

Verifier: Holds only the Public key. Can authenticate ciphertexts via digital signature, but can't decrypt them

Reader: Holds the Semiprivate key. Can both authenticate and decrypt ciphertexts, but can't sign new ones

Writer: Holds the Private key. Can authenticate and decrypt ciphertexts in addition to signing new ones.

Of course this is possible if you just use a separate symmetric key and a digital signature key, but the nice thing about semiprivate keys is it allows you to derive both digital signature keys and symmetric encryption keys from a single 256-bit seed.

-- 
Tony Arcieri
_______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
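The three-role derivation described in the post, worked through in code. This is an added example written for this page; it is not the code from Tony's gist or from Tahoe-LAFS, and its concrete structure is an assumption: the Writer's master scalar `a` gives the semiprivate point `P = a*B`, the Reader hashes `P` to get a scalar `h` and the symmetric key `k`, the public point is `Q = h*P`, and only the Writer can form the signing scalar `a*h`. The signature is a Schnorr-style scheme over the Ed25519 group using textbook affine arithmetic (not the real Ed25519 wire format, not constant-time), and the domain-separation tags (`priv`, `pub`, `sym`, `nonce`, `chal`) are this example's own choices.

```python
"""Semiprivate keys over the Ed25519 group: Writer / Reader / Verifier roles (added example)."""
import hashlib

# --- Ed25519 group, affine twisted-Edwards coordinates (textbook, not constant-time) ---
q = 2**255 - 19                                       # field prime
l = 2**252 + 27742317777372353535851937790883648493   # order of the base point B

def inv(x):
    return pow(x, q - 2, q)

d = (-121665 * inv(121666)) % q
I = pow(2, (q - 1) // 4, q)

def xrecover(y):
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    if x % 2 != 0:
        x = q - x
    return x

By = (4 * inv(5)) % q
B = (xrecover(By), By)

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0

def add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q,
            (y1 * y2 + x1 * x2) * inv(1 - t) % q)

def mul(P, e):
    R = (0, 1)                       # neutral element
    while e:
        if e & 1:
            R = add(R, P)
        P = add(P, P)
        e >>= 1
    return R

def enc(P):
    return P[0].to_bytes(32, "little") + P[1].to_bytes(32, "little")

def H(tag, *parts):
    h = hashlib.sha512(tag)
    for p in parts:
        h.update(p)
    return h.digest()

def scalar(tag, *parts):
    return int.from_bytes(H(tag, *parts), "little") % l

# --- Capability derivation (assumed structure, see lead-in) ---
def private_from_seed(seed):          # Writer: 32-byte seed -> master scalar a
    a = scalar(b"priv", seed)
    assert a != 0
    return a

def semiprivate_from_private(a):      # Writer -> Reader: P = a*B
    return mul(B, a)

def derive_from_semiprivate(P):       # Reader: P -> (public point Q, symmetric key k)
    h = scalar(b"pub", enc(P))
    Q = mul(P, h)                     # Q = h*P = (a*h)*B, but the Reader never learns a*h
    k = H(b"sym", enc(P))[:32]
    return Q, k

def signing_scalar(a):                # Writer only: needs a to form a*h
    h = scalar(b"pub", enc(mul(B, a)))
    return (a * h) % l

def sign(a, msg):
    s = signing_scalar(a)
    Q = mul(B, s)
    r = scalar(b"nonce", s.to_bytes(32, "little"), msg)   # deterministic nonce
    R = mul(B, r)
    c = scalar(b"chal", enc(R), enc(Q), msg)
    z = (r + c * s) % l
    return enc(R) + z.to_bytes(32, "little")

def verify(Q, msg, sig):              # Verifier: public point only, no decryption possible
    if len(sig) != 96 or not on_curve(Q):
        return False
    R = (int.from_bytes(sig[:32], "little"), int.from_bytes(sig[32:64], "little"))
    z = int.from_bytes(sig[64:], "little")
    if z >= l or not on_curve(R):
        return False
    c = scalar(b"chal", sig[:64], enc(Q), msg)
    return mul(B, z) == add(R, mul(Q, c))

if __name__ == "__main__":
    seed = bytes(range(32))                           # constructed sample seed
    a = private_from_seed(seed)
    P = semiprivate_from_private(a)
    Q, k = derive_from_semiprivate(P)
    sig = sign(a, b"ciphertext bytes go here")
    print("reader symmetric key:", k.hex())
    print("verifier accepts:", verify(Q, b"ciphertext bytes go here", sig))
```

The check worth keeping in mind is that the public point reached through the Reader's path (`h*P`) equals the one reached through the Writer's path (`(a*h)*B`), so a Verifier holding only `Q` interoperates with both, while the symmetric key depends only on `P` and therefore never reaches the Verifier. The signing scalar `a*h` requires `a`, which is why a Reader can derive `k` and `Q` but cannot sign; in a real deployment `k` would feed an AEAD and the signature would cover the resulting ciphertext, as the post describes.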
