author | David Goulet <dgoulet@torproject.org> | 2021-12-14 12:58:40 -0500 |
---|---|---|
committer | David Goulet <dgoulet@torproject.org> | 2021-12-14 12:58:40 -0500 |
commit | ab4a8d4433ba03de4189b438f8b3fb3ba3c8d985 (patch) | |
tree | 1a8351e41409cdee050879b90f31e717fefed797 | |
parent | 485abc986fca3e4c09b3f8a02cb091a4780697cd (diff) | |
parent | 57d1e7d163910781b8b08dbbaa397c1d7c06abb7 (diff) | |
download | torspec-ab4a8d4433ba03de4189b438f8b3fb3ba3c8d985.tar.gz torspec-ab4a8d4433ba03de4189b438f8b3fb3ba3c8d985.zip |
Merge branch 'tor-gitlab/mr/55'
-rw-r--r-- | dir-spec.txt | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/dir-spec.txt b/dir-spec.txt index 45b8466..98fe4be 100644 --- a/dir-spec.txt +++ b/dir-spec.txt @@ -4181,10 +4181,20 @@ C. Converting a curve25519 public key to an ed25519 public key [Recomputing the sign bit from the private key every time sounds rather strange and inefficient to me… —isis] - Alternatively, without access to the corresponding ed25519 private - key, one may use the Montgomery u-coordinate to recover the - Montgomery v-coordinate by computing the right-hand side of the - Montgomery curve equation: + Note that in addition to its coordinates, an expanded Ed25519 private key + also has a 32-byte random value, "prefix", used to compute internal `r` + values in the signature. For security, this prefix value should be + derived deterministically from the curve25519 key. The Tor + implementation derives it as SHA512(private_key | STR)[0..32], where + STR is the nul-terminated string: + + "Derive high part of ed25519 key from curve25519 key\0" + + + On the client side, where there is no access to the curve25519 private + keys, one may use the curve25519 public key's Montgomery u-coordinate to + recover the Montgomery v-coordinate by computing the right-hand side of + the Montgomery curve equation: bv^2 = u(u^2 + au +1) |
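Review bot: The derivation `SHA512(private_key | STR)[0..32]` in the added paragraph is underspecified for someone implementing from the spec alone. It does not say that `|` means concatenation, that `private_key` is the 32-byte curve25519 private key, or that `[0..32]` means the first 32 bytes of the digest (upper bound exclusive). STR is also described as "nul-terminated" while the quoted literal already ends in `\0`, so a reader cannot tell whether the hash input ends in one NUL byte or two; stating the exact input length in bytes would settle it. Separately, "a 32-byte random value" that "should be derived deterministically" reads as a contradiction; "secret" or "pseudorandom" would fit better. The added text also leaves two consecutive blank lines after the string, where the rest of the section uses one.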