Thanks for the insights, Gregory and Mike!

That said, I'd be curious what you think about a paper describing an
adaptation of BIP32 to Ed25519 I've recently been pointed at (shortly after
posting this thread):

They perform the typical clamping procedure on the root scalar, but also
ensure that the *third* highest bit is zero.

When deriving a child key, they use only the first 28 bytes / 224 bits of
the hash as the child scalar.

According to the rationale in section 4.6, this ensures the same clamping
invariants discussed earlier in this thread apply to child keys.
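The arithmetic behind the invariant described in the message above, as an added example that is not code from the paper or from anyone in this thread. It assumes the child scalar is the parent scalar plus 8 times the 28-byte value and that derivation depth is capped at 2^20; the HMAC input and the names `clamp_root`, `child_scalar`, `invariants_hold` and `worst_case_scalar` are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

MAX_DEPTH = 2 ** 20  # assumed depth cap for the derivation tree


def clamp_root(k_l: bytes) -> Optional[int]:
    """Clamp a 32-byte root scalar; reject it if the third-highest bit is set."""
    if len(k_l) != 32:
        raise ValueError("root scalar must be 32 bytes")
    if k_l[31] & 0x20:      # third-highest bit of the little-endian scalar
        return None         # caller has to start from a different secret
    b = bytearray(k_l)
    b[0] &= 0xF8            # clear the 3 lowest bits (multiple of 8)
    b[31] &= 0x7F           # clear the highest bit
    b[31] |= 0x40           # set the second-highest bit
    return int.from_bytes(b, "little")


def child_scalar(parent: int, chain_code: bytes, index: int) -> int:
    """Assumed derivation: parent + 8 * (first 28 bytes of the hash)."""
    # Constructed HMAC input; a real scheme would bind the parent key as well.
    z = hmac.new(chain_code, index.to_bytes(4, "little"), hashlib.sha512).digest()
    z_l = int.from_bytes(z[:28], "little")  # 224 bits, so 8 * z_l < 2**227
    return parent + 8 * z_l


def invariants_hold(k: int) -> bool:
    """Low 3 bits clear, bit 255 clear, bit 254 set."""
    return k % 8 == 0 and k >> 254 == 1


def worst_case_scalar(depth: int, root_bit_253_clear: bool = True) -> int:
    """Largest scalar reachable after `depth` derivations from a clamped root."""
    max_root = (1 << 254) + (1 << 253) - 8 if root_bit_253_clear else (1 << 255) - 8
    max_step = 8 * ((1 << 224) - 1)
    return max_root + depth * max_step
```

With the third-highest bit cleared, the root leaves 2^253 of headroom below 2^255, while each step adds less than 2^227, so even 2^20 steps cannot carry into the top bit; without that check a single step can.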