
pallas-crypto: Key derivation API and open questions

Open NicolasDP opened this issue 3 years ago • 2 comments

Once #27 is merged I will start working on adding the Ed25519 key derivation, which is going to be needed for people who want to have HDWallets or otherwise.

Most wallet libraries hide the ChainCode needed to do the key derivation. They embed it in the data structure for their SecretKeyBip32 and their PublicKeyBip32. As a result it is often misunderstood that the ChainCode is merely a guide for key derivation and it is not needed to do the normal cryptographic operation (EdDSA). One of the consequences is that one may leak the ChainCode. While the security implication for this is rather low, it is not something that should be done lightly.

Instead I'd like to propose we only provide SecretKeyExtended and we add a new structure ChainCode and use free functions to do the derivation process.

```rust
use pallas_crypto::{key::ed25519::SecretKeyExtended, derivation::{ChainCode, Index, self}};

let secret_key: SecretKeyExtended = todo!();
let chain_code: ChainCode = todo!();

let (child_secret_key, child_chain_code) = derivation::bip32(
    &secret_key,
    &chain_code,
    Index::soft(0),
);
```

The alternative is to use a new data structure to keep the objects tied together. However I do not feel this is the responsibility of this crate.

NicolasDP avatar Jan 22 '22 10:01 NicolasDP

Hi, does Ed25519Bip32 of this crate provide something this crate did not? Just curious.

siegfried avatar Aug 04 '22 05:08 siegfried

There is no key derivation in pallas yet, BIP32 or otherwise. The only thing pallas provides right now is EdDSA with Ed25519 and Ed25519Extended. I believe here I was making the point that key derivation was orthogonal to key cryptographic signature schemes.

NicolasDP avatar Aug 04 '22 08:08 NicolasDP
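Added example, not part of the issue thread and not pallas code: a standard-library Python sketch of derivation as a free function that takes the chain code as a separate argument, the shape proposed in the issue. The issue does not say which BIP32 variant pallas would implement; the hardened-child rule of BIP32-Ed25519 (Khovratovich and Law) is assumed here, and `derive_hard` and the `SAMPLE_*` values are hypothetical names and constructed data.

```python
import hashlib
import hmac

HARD = 0x80000000  # indices at or above this value are hardened


def derive_hard(k_left: bytes, k_right: bytes, chain_code: bytes, index: int):
    """Hardened child of an extended Ed25519 secret key (kL || kR).

    Assumed rule (BIP32-Ed25519, hardened case), with F = HMAC-SHA512
    keyed by the parent chain code and the index as 4 little-endian bytes:
      Z  = F(0x00 || kL || kR || i)
      c' = right 32 bytes of F(0x01 || kL || kR || i)
      kL' = 8 * Z[0:28] + kL,  kR' = Z[32:64] + kR  (mod 2^256)
    Returns (child_kL, child_kR, child_chain_code).
    """
    if not (len(k_left) == len(k_right) == len(chain_code) == 32):
        raise ValueError("kL, kR and chain code must each be 32 bytes")
    if not HARD <= index < 2**32:
        raise ValueError("hardened index must be in [2^31, 2^32)")
    i = index.to_bytes(4, "little")
    material = k_left + k_right + i
    z = hmac.new(chain_code, b"\x00" + material, hashlib.sha512).digest()
    c = hmac.new(chain_code, b"\x01" + material, hashlib.sha512).digest()
    kl = 8 * int.from_bytes(z[:28], "little") + int.from_bytes(k_left, "little")
    kr = int.from_bytes(z[32:], "little") + int.from_bytes(k_right, "little")
    mod = 2**256  # truncate to 32 bytes
    return ((kl % mod).to_bytes(32, "little"),
            (kr % mod).to_bytes(32, "little"),
            c[32:])


# Constructed sample inputs (not real keys): a clamped kL, a kR, a chain code.
_seed = bytearray(hashlib.sha512(b"constructed seed").digest())
_seed[0] &= 0xF8    # clear the three lowest bits
_seed[31] &= 0x1F   # clear the three highest bits
_seed[31] |= 0x40   # set the second-highest bit
SAMPLE_KL, SAMPLE_KR = bytes(_seed[:32]), bytes(_seed[32:])
SAMPLE_CC = hashlib.sha256(b"constructed chain code").digest()

if __name__ == "__main__":
    kl, kr, cc = derive_hard(SAMPLE_KL, SAMPLE_KR, SAMPLE_CC, HARD + 0)
    print("child kL:", kl.hex())
    print("child kR:", kr.hex())
    print("child chain code:", cc.hex())
```

The same secret key with a different chain code yields an unrelated child, which is why the chain code is an input to derivation only and never to signing.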