What is key derivation and why would we need it?
Public Key Cryptography refresh
It is assumed that the reader is somewhat familiar with Asymmetric Key Cryptography: that is, the body of knowledge that deals with encryption algorithms that use pairs of values (called asymmetric keys) to encrypt and decrypt content. For a refresher on the subject, please check [i].
In any case, let us start with a quick reminder: Bitcoin and its blockchain have their technical foundations rooted – amongst other mathematical principles and techniques – in cryptography, the art of protecting information from unauthorized disclosure using mathematical algorithms and small pieces of information that we call keys. The combination of the algorithm and the key is what protects the confidential data: encrypting it makes it unusable in its transformed form.
More specifically, in asymmetric key cryptography we work with pairs of two different keys that are related to each other and that work together. Keys are generated in pairs and are specific to each other. What one key encrypts using one algorithm, only the other key is able to decrypt using the same algorithm, and vice versa. We then keep one of the keys secret (we call it the private key) and make the other one publicly available (the public key).
After this quick refresher, what use do we give to asymmetric cryptography in Bitcoin? In the Bitcoin world, we use our public key to receive bitcoins. It is – sort of – the destination address where the bitcoins are sent. We use our private key to prove that we are the owners of the public key where the bitcoins were sent.
Our bitcoin wallets contain the most important piece of information when it comes to our cryptocurrency: the private keys that can unlock the UTXOs that were encumbered to the corresponding public keys and public key hashes. In other (maybe simpler) words, when we receive bitcoins, a transaction gets recorded on the blockchain indicating that these bitcoins were assigned to our public key. Only our corresponding private key can unlock these bitcoins and have them sent to a different public key (for example, when we sell them, or when we exchange them for some other good) by generating a new transaction where:
- We need to prove that we are the “owners” of the public key where the bitcoins were assigned
- We assign these bitcoins to a new owner (to a new public key)
In a few words, our private keys are the proof of ownership of our bitcoins, and only through them can we transfer them. Or as we say at privatekeys.org “Your (private) keys, then your bitcoins. Not your (private) keys, then I’m sorry pal, but not your bitcoins”.
First of all, for those not in the know, let us remember that GDPR is an acronym for General Data Protection Regulation, and that the word “Regulation” here means something very specific in EU legislation. A European Union (EU) Regulation “is a legal act of the EU that becomes immediately enforceable as law in all member states simultaneously”[i]. As opposed to an EU Directive, which needs to be transposed into specific legislation in each of the Union members, a European Union Regulation does not require any translation into the legislation of the member states. It applies to them (and to their citizens and the companies that operate in the Union) as soon as it comes into force, and in fact it overrides all national laws dealing with the same subject matter. Member States may incorporate elements of the Regulation into their national law. They may also expand the scope of the Regulation by clarifying aspects not covered in it. In fact, we usually see Member States pass legislation in that sense. But the Member States cannot legislate to limit the scope of the Regulation or in contradiction with it.