Can we have multiple public keys with a single private key for OpenSSL ECC?

Question

I'm using php OpenSSL in my project. How can I create multiple public keys using a single private key?

In RSA we can't do such things. But how about ECC?

Answer 1

By definition, for each private scalar (private key) in general elliptic curve crypto-systems, there is a single point on the curve (public key) generated by [k]G where G is the curves generator point and k is the private scalar.

FYI, in a somewhat unusual quirk of birationally equivalent curves, you can actually map a Montgomery curve X25519 public key to two twisted Edwards curve Ed25519 public keys, as the Montgomery curve point does not carry a v coordinate, however, this will not help with your use-case.

Generally if we want to define multiple key pairs (not just public keys) from a single seed (source), one may do so using key derivation from a master key.

However, then you must take care of multiple private keys.

You seem to suggest the private key will live on the server, so I don't think you actually need multiple public keys. I suggest you use a single key pair and EdDSA or ECDSA to sign multiple key pairs for use on client devices. Signature can be used to link their source to a single identity.

Pls provide more context and I will help further.

Answer 2

In ECC there is a method and called diversified key. It exists in Apples' CommonCrypto the below from CommonECCryptor.h

@function   CCECCryptorTwinDiversifyKey

@abstract   Diversifies a given EC key by deriving two scalars u,v from the
            given entropy.

@discussion entropyLen must be a multiple of two, greater or equal to two
            times the bitsize of the order of the chosen curve plus eight
            bytes, e.g. 2 * (32 + 8) = 80 bytes for NIST P-256.

            Use CCECCryptorTwinDiversifyEntropySize() to determine the
            minimum entropy length that needs to be generated and passed.

            entropy must be chosen from a uniform distribution, e.g.
            random bytes, the output of a DRBG, or the output of a KDF.

            u,v are computed by splitting the entropy into two parts of
            equal size. For each part t (interpreted as a big-endian number),
            a scalar s on the chosen curve will be computed via
            s = (t mod (q-1)) + 1, where q is the order of curve's
            generator G.

            For a public key, this will compute u.P + v.G,
            with G being the generator of the chosen curve.

            For a private key, this will compute d' = (d * u + v) and
            P = d' * G; G being the generator of the chosen curve.

Like in your case, it is also may need for CryptoCurrencies. With diversification, one can achieve some level of anonymity. If one always uses the same public key, then they are linked with this public key, all the time. If one can diversify their public key with their private/public key, then they are able to use the diversified new identity. With a diversified identity, one cannot be easily linked with their original identity.

In the above scheme, the new public key that is diversified with u and v will be [u]P + [v]G and the diversified private key will be

d' = (d \cdot u + v)

and verificatiom the diversified public key

P' = [d']G = [d \cdot u + v]G = [d \cdot u]G + [v]G = [u]P + [v]G

In short, you have a new identity, but behind the curtain, it is still you.