add support for deriving SKs from mnemonics (experimental)

alinush · alinush · commit bcbfb709908a · 2025-12-11T11:42:34.000-06:00
diff --git a/src/account/SingleKeyAccount.ts b/src/account/SingleKeyAccount.ts
@@ -151,9 +151,7 @@ export class SingleKeyAccount implements Account, SingleKeySigner {
         privateKey = Secp256k1PrivateKey.generate();
         break;
       case SigningSchemeInput.SlhDsaSha2128s:
-        // For SLH-DSA, we need to generate a key pair since public key cannot be derived from private key
-        const keyPair = SlhDsaSha2128sKeyPair.generate();
-        privateKey = keyPair.privateKey;
+        privateKey = SlhDsaSha2128sPrivateKey.generate();
         break;
       default:
         throw new Error(`Unsupported signature scheme ${scheme}`);
@@ -185,7 +183,8 @@ export class SingleKeyAccount implements Account, SingleKeySigner {
         privateKey = Secp256k1PrivateKey.fromDerivationPath(path, mnemonic);
         break;
       case SigningSchemeInput.SlhDsaSha2128s:
-        throw new Error("SLH-DSA-SHA2-128s does not support derivation from mnemonic path");
+        privateKey = SlhDsaSha2128sPrivateKey.fromDerivationPath(path, mnemonic);
+        break;
       default:
         throw new Error(`Unsupported signature scheme ${scheme}`);
     }
diff --git a/src/core/crypto/slhDsaSha2128s.ts b/src/core/crypto/slhDsaSha2128s.ts
@@ -10,6 +10,7 @@ import { PublicKey } from "./publicKey";
 import { Signature } from "./signature";
 import { convertSigningMessage } from "./utils";
 import { AptosConfig } from "../../api";
+import { CKDPriv, deriveKey, HARDENED_OFFSET, isValidHardenedPath, mnemonicToSeed, splitPath } from "./hdKey";
 
 /**
  * Represents a SLH-DSA-SHA2-128s public key.
@@ -193,6 +194,17 @@ export class SlhDsaSha2128sPrivateKey extends Serializable implements PrivateKey
    */
   static readonly LENGTH: number = 48;
 
+  /**
+   * The SLH-DSA-SHA2-128s key seed to use for BIP-32 compatibility
+   * See more {@link https://github.com/satoshilabs/slips/blob/master/slip-0010.md}
+   * 
+   * TODO: This is not standardized... AFAIK.
+   * 
+   * @group Implementation
+   * @category Serialization
+   */
+  static readonly SLIP_0010_SEED = "SLH-DSA-SHA2-128s seed";
+
   /**
    * The 48-byte three seeds (SK seed + PRF seed + PK seed) used for serialization
    * @private
@@ -274,6 +286,61 @@ export class SlhDsaSha2128sPrivateKey extends Serializable implements PrivateKey
     return new SlhDsaSha2128sSignature(signatureBytes);
   }
 
+
+  /**
+   * Derives a private key from a mnemonic seed phrase using a specified BIP44 path.
+   * To derive multiple keys from the same phrase, change the path
+   *
+   * IMPORTANT: SLH-DSA-SHA2-128s supports hardened derivation only, as it lacks a key homomorphism, making non-hardened derivation impossible.
+   *
+   * @param path - The BIP44 path used for key derivation.
+   * @param mnemonics - The mnemonic seed phrase from which the key will be derived.
+   * @throws Error if the provided path is not a valid hardened path.
+   * @group Implementation
+   * @category Serialization
+   */
+  static fromDerivationPath(path: string, mnemonics: string): SlhDsaSha2128sPrivateKey {
+    if (!isValidHardenedPath(path)) {
+      throw new Error(`Invalid derivation path ${path}`);
+    }
+    return SlhDsaSha2128sPrivateKey.fromDerivationPathInner(path, mnemonicToSeed(mnemonics));
+  }
+
+  /**
+   * Derives a child private key from a given BIP44 path and seed.
+   * 
+   * We derive our 48-byte SLH-DSA key (three 16-byte seeds) from:
+   *  - the 32-byte, BIP-32-derived, secret key
+   *  - the first 16 bytes of the BIP-32-derived chain code
+   *
+   * @param path - The BIP44 path used for key derivation.
+   * @param seed - The seed phrase created by the mnemonics, represented as a Uint8Array.
+   * @param offset - The offset used for key derivation, defaults to HARDENED_OFFSET.
+   * @returns An instance of SlhDsaSha2128sPrivateKey derived from the specified path and seed.
+   * @group Implementation
+   * @category Serialization
+   */
+  private static fromDerivationPathInner(path: string, seed: Uint8Array, offset = HARDENED_OFFSET): SlhDsaSha2128sPrivateKey {
+    const { key, chainCode } = deriveKey(SlhDsaSha2128sPrivateKey.SLIP_0010_SEED, seed);
+
+    const segments = splitPath(path).map((el) => parseInt(el, 10));
+
+    // Derive the child key based on the path
+    const { key: privateKey, chainCode: finalChainCode } = segments.reduce((parentKeys, segment) => CKDPriv(parentKeys, segment + offset), {
+      key,
+      chainCode,
+    });
+    
+    const threeSeeds = new Uint8Array(48);
+    threeSeeds.set(privateKey, 0); // First 32 bytes from the derived secret key
+
+    // TODO: We would need to reason about the security of this.
+    // e.g., is it okay to treat the chain code as public?
+    threeSeeds.set(finalChainCode.slice(0, 16), 32); // Last 16 bytes from the derived chain code
+    
+    return new SlhDsaSha2128sPrivateKey(threeSeeds, false);
+  }
+
   /**
    * Derive the SlhDsaSha2128sPublicKey from this private key.
    * The public key is extracted from the pre-computed secret key.
diff --git a/tests/unit/hdKey.test.ts b/tests/unit/hdKey.test.ts
@@ -1,5 +1,5 @@
 import { secp256k1WalletTestObject, wallet } from "./helper";
-import { Ed25519PrivateKey, Hex, isValidBIP44Path, isValidHardenedPath, Secp256k1PrivateKey } from "../../src";
+import { Ed25519PrivateKey, Hex, isValidBIP44Path, isValidHardenedPath, Secp256k1PrivateKey, SlhDsaSha2128sPrivateKey } from "../../src";
 
 describe("Hierarchical Deterministic Key (hdkey)", () => {
   describe("hardened path", () => {
@@ -163,4 +163,49 @@ describe("Hierarchical Deterministic Key (hdkey)", () => {
       });
     });
   });
+
+  // testing HD derivation for slh-dsa-sha2-128s
+  describe("slh-dsa-sha2-128s", () => {
+    const slhDsaSha2128s = [
+      {
+        seed: Hex.fromHexInput("000102030405060708090a0b0c0d0e0f"),
+        vectors: [
+          {
+            chain: "m",
+            private: "53c14b2681fcca8600d3ac7ce3459d6ceece7abc0a3b4c0376fc845c1b6503d66c5107d9484171c02f9eb0409849fceb",
+          },
+          {
+            chain: "m/0'",
+            private: "473049c70d5414379363b94f52de6b194c9f1651cb6a11b80cfee19f6ca67975201cdbec137ff57e2e9cd434fca0680d",
+          },
+          {
+            chain: "m/0'/1'",
+            private: "b609bf21df9baae65045e2bb8c200e97fbf86201f58e4187197a60bfc827158e6ba452ffe50f57849c022b24d01ac123",
+          },
+          {
+            chain: "m/0'/1'/2'",
+            private: "60b55f07c62916f7f27a96be371a9e87adedb9acabd84d25c41e8aa5c8c326e2e64024132f8833181bc2ab008541ef2b",
+          },
+          {
+            chain: "m/0'/1'/2'/2'",
+            private: "fb7242320fc3bc620587cfdfa54c2abed7d034f6c616ade3a9ad1780a099b268ed7a5bea0297711e997ff199b24bb82b",
+          },
+          {
+            chain: "m/0'/1'/2'/2'/1000000000'",
+            private: "c72d4e3fb352a785aa375be20e0767ae20edbce1e18de90e0ea6e9d1677d17e84a410bb833bf091655dfabde17cc2011",
+          },
+        ],
+      },
+    ];
+
+    slhDsaSha2128s.forEach(({ seed, vectors }) => {
+      vectors.forEach(({ chain, private: privateKey }) => {
+        it(`should generate correct key pair for ${chain}`, () => {
+          // eslint-disable-next-line @typescript-eslint/dot-notation
+          const key = SlhDsaSha2128sPrivateKey["fromDerivationPathInner"](chain, seed.toUint8Array());
+          expect(key.toHexString()).toBe(`0x${privateKey}`);
+        });
+      });
+    });
+  });
 });
