HKDF mod r

hkdf_mod_r() is used to hash 32 random bytes into the subgroup of the BLS12-381 private keys.

Inputs

IKM, a secret octet string >= 256 bits in length key_info, an optional octet string (default="", the empty string)

Outputs

SK, the corresponding secret key, an integer 0 <= SK < r.

Definitions

HKDF-Extract is as defined in RFC5869, instantiated with hash H. HKDF-Expand is as defined in RFC5869, instantiated with hash H. L is the integer given by ceil((3 * ceil(log2(r))) / 16).(L=48) "BLS-SIG-KEYGEN-SALT-" is an ASCII string comprising 20 octets. OS2IP is as defined in RFC3447 (Big endian encoding) I2OSP is as defined in RFC3447 (Big endian decoding) r is the order of the BLS 12-381 curve defined in the v4 draft IETF BLS signature scheme standard r=52435875175126190479447740508185965837690552500527637822603658699938581184513

Procedure

salt = "BLS-SIG-KEYGEN-SALT-"
SK = 0
while SK == 0:
salt = H(salt)
PRK = HKDF-Extract(salt, IKM || I2OSP(0, 1))
OKM = HKDF-Expand(PRK, key_info || I2OSP(L, 2), L)
SK = OS2IP(OKM) mod r
return SK

Previousparent SK to lamport PK Nextderive child SK

Last updated 1 year ago