BSV Key Derivation Scheme (BKDS)
Ty Everett (ty@projectbabbage.com)
Abstract
This technical standard proposes a key derivation method that allows two parties to derive multiple keys for each other in an open-ended manner. The method employs invoice numbers as a simple way for multiple keys to be derived. A sender can derive a public key for a recipient without knowing the recipient's corresponding private key, and the recipient can later use the sender's public key and the same invoice number to derive a corresponding private key. The proposed method removes the limit of 4 billion keys per child that is present in BIP321, improves the privacy of the involved parties by employing ECDH shared secrets, and enables an open-ended invoice numbering scheme for key derivation that can be further standardized for specific use-cases. The method can be used for private invoicing, digital signatures, symmetric cryptography, and other applications in Bitcoin and CBDC ecosystems.
Motivation
This technical standard is proposed to address the need for a standard method for key derivation between parties that enables greater ecosystem interoperability. While BIP321 provided a naive approach, it enabled only one key derivation universe per master public key. Conversely, this specification enables new key universes for every combination of two parties who interact, because the shared secret between their keys is employed. This also protects the privacy of the parties involved from outsiders who do not know the shared secret.
The proposed key derivation method offers several benefits. It enables two parties to derive many different keys for one another in an open-ended way, thereby providing greater flexibility. The use of invoice numbers as a simple way for multiple keys to be derived makes the method easy to use and enables further standardization. The method also employs ECDH shared secrets to improve privacy, and can be auditable by revealing shared secrets between specific counterparties to tax agencies for an audit to prove transactions. Additionally, higher-order protocol identifiers, key universes, and security levels within Bitcoin wallet and application architectures have been defined for this method.
Overall, this proposed key derivation method offers an improved approach to key derivation that can be used in various applications. It removes the limitations of existing key derivation methods such as BIP321 and provides greater flexibility, privacy, and auditability.
Specification
The key derivation is specified as follows:
Identity Keys
Each party has a master private key and a master public key that are derived from the secp256k1 elliptic curve.
Key Derivation
The sender computes the shared secret by multiplying his master private key with the recipient's master public key using elliptic curve point multiplication.
The sender uses the shared secret as the key to generate an HMAC over the invoice number.
The HMAC is then converted into a scalar using big-endian encoding.
The generator point G is multiplied by the scalar to generate a new point on the elliptic curve.
The resulting point is added to the recipient's master public key point to produce a new point on the curve.
The resulting point is then used to generate a new child public key.
To derive the corresponding private key, the recipient computes the shared secret by multiplying his master private key with the sender's master public key using elliptic curve point multiplication.
The recipient then generates the HMAC over the invoice number using the shared secret and computes the scalar in the same way as the sender.
The scalar is then added to the recipient's master private key to generate the corresponding child private key.
Invoice Number
The invoice number is treated as a string and is converted into a buffer using UTF-8 encoding.
Steps for the Sender
The sender generates a shared secret by multiplying his master private key with the recipient's master public key using elliptic curve point multiplication.
The sender generates an HMAC over the invoice number using the shared secret as the key.
The HMAC is converted into a scalar using big-endian encoding.
The generator point G is multiplied by the scalar to generate a new point on the elliptic curve.
The resulting point is added to the recipient's master public key point to produce a new point on the curve.
The resulting point is then used to generate a new child public key for the given invoice number.
Steps for the Recipient
The recipient generates the shared secret by multiplying his master private key with the sender's master public key using elliptic curve point multiplication.
The recipient generates the HMAC over the invoice number using the shared secret as the key.
The HMAC is converted into a scalar using big-endian encoding.
The scalar is added to the recipient's master private key (mod N) to generate the corresponding child private key for the given invoice number.
Security Considerations
The security of this key derivation method relies on keeping the master private keys secure and the shared secret confidential. Any party with access to the shared secret could potentially derive the child keys as well, so it is important to keep the shared secret confidential. Private keys derived using this method should be treated with the same level of security as any other private key.
Conclusion
This specification provides a method for key derivation that enables two parties to derive many different keys for one another in an open-ended way. This method employs invoice numbers as a simple way for multiple keys to be derived and uses the secp256k1 elliptic curve for key derivation. The method is designed to be flexible and auditable, with potential applications including private invoicing,
Implementations
This specification has been implemented into both the BSV TypeScript and Go libraries.
Test Vectors
Test vectors for this standard are provided:
For Testing Private Key Derivation
For Testing Public Key Derivation
Acknowledgments
Credit is given to the people who have worked on making these ideas into reality. In particular, we thank Xiaohui Liu for creating the first known implementation of private addresses using this scheme, and Dr. Craig Wright for first describing it.
References
Last updated