Ed25519 BIP32 #6301
Comments
|
cc: #5246 |
|
@t-nelson Is this task really a QA issue, or is it simply a new feature? Perhaps we should have a separate QA issue tracking its testing? How time sensitive is this issue? |
|
Just acknowledging the "Ed25519's non-prime cofactor" concern is time sensitive. The implementation can fall under another ticket. |
|
So is there an action item that needs to be completed for this task, if no implementation? Do we need to more publicly acknowledge the non-prime cofactor issue? |
|
Yeah, an HD wallet decision that's known to be not vulnerable to that attack. Maybe QA isn't the right place for this, but if we do this right, there's QA work we don't have to do. |
|
I'd say this is a feature request with a potential QA action item depending on implementation. Agreed with Greg. If we can find a BIP32 crate that supports Ed25519 and has sufficient test coverage for the non-prime cofactor quirks, that'd be ideal. |
|
cc/ @rob-solana |
|
Is this another starting point? |
|
Potentially. The code is MIA though 🤕 |
|
My personal recommendation would be to use Ristretto to key new systems if possible (or failing that, just stick with secp256k1 or another prime order curve). I say this as someone playing around with Ed25519 hierarchical derivation schemes around the same time BIP32 was being formulated (please don't use the linked scheme, it's broken due to repeated "clamping"). If you really want to use Ed25519, there are a number of different incompatible schemes for hierarchical key derivation, none of which I can confidently recommend and all of which I find quite messy. The main ones I'm aware of are Tor's Next Generation Hidden Service Keys, SLIP-0010, and Dmitry Khovratovich's "BIP32-Ed25519". I'd suggest reading Jeff Burdges' writeup on them as they all have issues. I'd still like to write the |
|
@tarcieri Thanks so much for taking the time out to reply here! It looks like I have some evening reading to do |
|
Thanks for the recommendations @tarcieri, they are very much appreciated! |
|
After quite a bit of reading, I'm still unable to give a solid proposition on how to move forward here but would like to share what I've learned. As @t-nelson pointed out, Ed25519 is not compatible with BIP32 due to its small cofactor and also due to its "bit clamping" (used to prevent attacks: 1, 2) as discussed in these threads: A number of work arounds have been implemented to enable BIP 32 for Ed25519. But they are not compatible with each other as mentioned by @tarcieri. This has certainly caused a fair bit of confusion in the monero project for example. If Solana chooses a work-around, we should be clear on one implementation to prevent UX issues. The 2 most common work arounds are:
Rust implementationsI have not been able to find Rust implementations of either of the above most common implementations. Here's what I have been able to find:
Other approaches we could take for BIP32
ConcernsChanging a HKD scheme after choosing one is likely to be a really big pain. So we should be thoughtful about our decision here. |
Nailed it |
|
Remove this from SLP2 Security? |
|
✅ |
|
@CriesofCarrots, fyi |
|
it's not supported yet? unbelievable. |
|
We still have some ideas about ways to take this further for file-system wallets, but since the current implementation covers most use-cases, closing this. |
|
This issue has been automatically locked since there has not been any activity in past 7 days after it was closed. Please open a new issue for related bugs. |
We need a BIP32esque deterministic key derivation mechanism. This is tricky due to Ed25519's non-prime cofactor.
Notes on Ed25519 BIP32 quirks:
Potential starting point for a Rust implementation. Seems woefully light on tests
The text was updated successfully, but these errors were encountered: