Pavol Rusnak [ARCHIVE] on Nostr: đ
Original date posted:2014-08-08 đ Original message:Hi all! I would like to ...
đ
Original date posted:2014-08-08
đ Original message:Hi all!
I would like to discuss invalidation of nodes in BIP32. Currently the
document says:
a) Public CKD
In case I_L >= n or ki = 0, the resulting key is invalid, and one should
proceed with the next value for i.
b) Private CKD
In case I_L >= n or Ki is the point at infinity, the resulting key is
invalid, and one should proceed with the next value for i.
c) Master Key Generation
In case IL is 0 or I_L >= n, the master key is invalid.
(All these cases have probability lower than 1 in 2^127.)
What do you think about the following change for all 3 cases:
In case I_L >= n assign I_L := I_L mod n.
Rationale:
It's easy to say "mark as invalid and proceed with next", but actually
most of the implementations don't do the checking at all, because tjen
it's rather hard at application level to implement skipping logic. OTOH
it's quite straightforward to perform modulo if needed, so we probably
see more implementations doing the checking.
We would still need to deal with cases when I_L = 0 or ki = 0 or ki =
inf, but these have probability around 1 in 2^255.
Does anyone see any concerns when it comes to security of the proposed
change?
--
Best Regards / S pozdravom,
Pavol Rusnak <stick at gk2.sk>
Published at
2023-06-07 15:25:07Event JSON
{
"id": "e6107998174bcd724d16b0881e2fb1ffeb385c54f6540bdef54789ee792ba5b0",
"pubkey": "7631397e469f47f3535567311f5f7c17129e0ff2cb253df015e3d92ddfd92c63",
"created_at": 1686151507,
"kind": 1,
"tags": [
[
"e",
"3ca0963e89cd1107e635c5e4bc693c845dc6452cc3c59b304c35ad8ade1f5307",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "đ
Original date posted:2014-08-08\nđ Original message:Hi all!\n\nI would like to discuss invalidation of nodes in BIP32. Currently the\ndocument says:\n\na) Public CKD\n\nIn case I_L \u003e= n or ki = 0, the resulting key is invalid, and one should\nproceed with the next value for i.\n\nb) Private CKD\n\nIn case I_L \u003e= n or Ki is the point at infinity, the resulting key is\ninvalid, and one should proceed with the next value for i.\n\nc) Master Key Generation\n\nIn case IL is 0 or I_L \u003e= n, the master key is invalid.\n\n(All these cases have probability lower than 1 in 2^127.)\n\nWhat do you think about the following change for all 3 cases:\n\nIn case I_L \u003e= n assign I_L := I_L mod n.\n\nRationale:\n\nIt's easy to say \"mark as invalid and proceed with next\", but actually\nmost of the implementations don't do the checking at all, because tjen\nit's rather hard at application level to implement skipping logic. OTOH\nit's quite straightforward to perform modulo if needed, so we probably\nsee more implementations doing the checking.\n\nWe would still need to deal with cases when I_L = 0 or ki = 0 or ki =\ninf, but these have probability around 1 in 2^255.\n\nDoes anyone see any concerns when it comes to security of the proposed\nchange?\n\n-- \nBest Regards / S pozdravom,\n\nPavol Rusnak \u003cstick at gk2.sk\u003e",
"sig": "0130eb0869c6010207f55901046e7348a56e302bfa25f8d7d448585422e65222418b92839fc3d9d7dc875bfa0949a9b354ff82f18376afb136cc8a96092c911a"
}