
I'm working on a program that requires multiple key pairs from multiple algorithms to be derived from a single 128-byte master seed. However, I couldn't find an implementation for Falcon512 that allows generating key pairs directly from the seed. Would it be safe if I passed the master seed through an XOF, extended it to the length of the Falcon512 secret key (which is 1281 bytes), and then used that to recover the public key?



A KDF usually has stronger security requirements than an XOF. I've sometimes called a hash a "poor man's KDF" - it is probably secure, but it hasn't been explicitly designed to be secure as a KDF, and it doesn't have a well-defined input structure for additional input parameters (such as a label or a salt).

There have been some explorations to use SHAKE as a KDF, such as using KMAC("KDF", k, X) and cSHAKE. None of those have been standardized or studied well though, and using HKDF seems more logical in most circumstances.

As for your use case, using the seed to derive the public key is only useful if you don't want to store the public key next to the private key for later (secure) distribution of said public key. The use case is limited.

I've heard a lot about storing the seed instead of private keys or key pairs for PQC. That's all fine, but it would be a good idea to then standardize the way of deriving the key pair from those - even though private keys do not have the same compatibility requirements as public keys. But there are certainly use cases where this might become an issue, e.g. when switching programming environments.

Maarten Bodewes
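To make the answer's recommendation concrete, here is an added example (not code from the question, the answer, or any Falcon implementation) that derives one domain-separated seed per algorithm from a 128-byte master seed with HKDF (RFC 5869, HMAC-SHA256) rather than by feeding the raw seed into a bare XOF. It uses only the Python standard library. The per-algorithm seed sizes in `SEED_SIZES`, the label prefix `keygen-seed/`, and the idea that a Falcon keygen can be fed a 48-byte seed are assumptions for illustration: check the seed length and injection point against the Falcon implementation you actually use. The `xof_expand` function shows the questioner's bare-SHAKE approach side by side, so the difference (no salt, no label, no extract step) is visible; both are deterministic, but only the HKDF path gives each algorithm an independent, labelled secret.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869 2.2): PRK = HMAC(salt, IKM). Empty salt -> HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 2.3): T(i) = HMAC(PRK, T(i-1) | info | i), output first `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length exceeds 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Assumed per-algorithm seed sizes (illustrative placeholders, not values taken from any spec).
SEED_SIZES = {"falcon512": 48, "ed25519": 32, "x25519": 32}


def derive_algorithm_seeds(master_seed: bytes, salt: bytes = b"") -> dict:
    """Derive one independent seed per algorithm from the master seed.

    The algorithm name goes into the HKDF `info` label (assumed prefix 'keygen-seed/'),
    so the Falcon seed, the Ed25519 seed, etc. are domain-separated: learning one
    tells an attacker nothing about the others, and changing the label set later
    does not silently reuse key material across algorithms.
    """
    if len(master_seed) < 32:
        raise ValueError("master seed too short for a 256-bit security level")
    prk = hkdf_extract(salt, master_seed)  # one extract, many labelled expands
    return {
        name: hkdf_expand(prk, b"keygen-seed/" + name.encode("ascii"), size)
        for name, size in SEED_SIZES.items()
    }


def xof_expand(master_seed: bytes, length: int) -> bytes:
    """The questioner's approach for comparison: raw seed straight into SHAKE256, read `length` bytes.
    Deterministic and probably fine for a single key, but with no salt or label there is no
    structured way to derive several independent per-algorithm secrets from one seed."""
    return hashlib.shake_256(master_seed).digest(length)


def rfc5869_test_case_1_ok() -> bool:
    """Check the HKDF code against RFC 5869 Appendix A, test case 1 (SHA-256)."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    expected_okm = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )
    return hkdf(salt, ikm, info, 42) == expected_okm


if __name__ == "__main__":
    # Constructed 128-byte master seed for the demo; a real one comes from a CSPRNG.
    master = hashlib.shake_256(b"constructed demo seed").digest(128)
    print("RFC 5869 vector ok:", rfc5869_test_case_1_ok())
    for name, seed in derive_algorithm_seeds(master, salt=b"app-v1").items():
        print(f"{name:10s} {len(seed):3d} bytes  {seed.hex()[:32]}...")
    print("bare xof  ", len(xof_expand(master, 1281)), "bytes")
```

Usage: run the file to print one seed per algorithm; pass each seed to the corresponding keygen. The salt is optional in HKDF but worth setting to an application- or version-specific constant so the same master seed yields different key sets in different deployments.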