author: George Kadianakis <desnacked@riseup.net> 2017-04-25 17:44:50 +0300
committer: George Kadianakis <desnacked@riseup.net> 2017-05-25 16:08:23 +0300
commit: ec3802145b280bd19ae635ac567a9c24dfb874dd
tree: 6e7c17b6c389ae6df94ed3baa7eb0f7dff566e3f
parent: af547b7855183447e1eb194961f8914c32e47d94
prop224: Add string constant to blinding factor calculation.
Also simplify that part of the spec since dgoulet felt it was too obscure and people might miss it or consider it a side note.
Diffstat (limited to 'proposals/224-rend-spec-ng.txt')
-rw-r--r-- proposals/224-rend-spec-ng.txt 14
1 files changed, 10 insertions, 4 deletions
diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index 2156f39..f8e131c 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -1995,6 +1995,8 @@ References:
Appendix A. Signature scheme with key blinding [KEYBLIND]
+A.1. Key derivation overview
+
As described in [IMD:DIST] and [SUBCRED] above, we require a "key
blinding" system that works (roughly) as follows:
@@ -2022,6 +2024,7 @@ Appendix A. Signature scheme with key blinding [KEYBLIND]
[TODO: Insert a more rigorous definition and better references.]
+A.2. Tor's key derivation scheme
We propose the following scheme for key blinding, based on Ed25519.
@@ -2035,7 +2038,13 @@ Appendix A. Signature scheme with key blinding [KEYBLIND]
key and A is the public key (A=aB)
.
To derive the key for a nonce N and an optional secret s, compute the
- blinding factor h as H(A | s, B, N), and let:
+ blinding factor like this:
+
+ h = H(BLIND_STRING | A | s | B | N)
+ BLIND_STRING = "Derive temporary signing key"
+ N = "key-blind" | INT_8(period-number) | INT_8(period_length)
+
+ and then do the following:
private key for the period: a' = h a
public key for the period: A' = h A = (ha)B
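Review bot: The byte encoding of the new hash input in "h = H(BLIND_STRING | A | s | B | N)" is left open. The hunk does not say whether BLIND_STRING carries a terminating NUL, what is hashed for s when the optional secret is absent, or how the base point B is serialized. Implementations that disagree on any of these will not derive the same blinded key, so state each choice next to the formula. As a smaller point, the definition of N mixes "period-number" and "period_length"; pick one spelling for both.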
@@ -2055,9 +2064,6 @@ Appendix A. Signature scheme with key blinding [KEYBLIND]
possible alternatives. Also, see [KEYBLIND-PROOF] for a security
proof of this scheme.
- (To use this with Tor, set N = "key-blind" | INT_8(period-number) |
- INT_8(period_length).)
-
Appendix B. Selecting nodes [PICKNODES]
Picking introduction points