hkdf_mod_r() is used to hash 32 random bytes into the subgroup of the BLS12-381 private keys.

Inputs

IKM, a secret octet string >= 256 bits in length key_info, an optional octet string (default="", the empty string)

Outputs

SK, the corresponding secret key, an integer 0 <= SK < r.

Definitions

HKDF-Extract is as defined in RFC5869, instantiated with hash H. HKDF-Expand is as defined in RFC5869, instantiated with hash H. L is the integer given by ceil((3 * ceil(log2(r))) / 16).(L=48) "BLS-SIG-KEYGEN-SALT-" is an ASCII string comprising 20 octets. OS2IP is as defined in RFC3447 (Big endian encoding) I2OSP is as defined in RFC3447 (Big endian decoding) r is the order of the BLS 12-381 curve defined in the v4 draft IETF BLS signature scheme standard r=52435875175126190479447740508185965837690552500527637822603658699938581184513

Procedure

1. salt = "BLS-SIG-KEYGEN-SALT-"

2. SK = 0

3. while SK == 0:

4. salt = H(salt)

5. PRK = HKDF-Extract(salt, IKM || I2OSP(0, 1))

6. OKM = HKDF-Expand(PRK, key_info || I2OSP(L, 2), L)

7. SK = OS2IP(OKM) mod r

8. return SK