diff options
author | George Kadianakis <desnacked@riseup.net> | 2017-04-25 17:44:50 +0300 |
---|---|---|
committer | George Kadianakis <desnacked@riseup.net> | 2017-05-25 16:08:23 +0300 |
commit | ec3802145b280bd19ae635ac567a9c24dfb874dd (patch) | |
tree | 6e7c17b6c389ae6df94ed3baa7eb0f7dff566e3f /proposals/224-rend-spec-ng.txt | |
parent | af547b7855183447e1eb194961f8914c32e47d94 (diff) | |
download | torspec-ec3802145b280bd19ae635ac567a9c24dfb874dd.tar.gz torspec-ec3802145b280bd19ae635ac567a9c24dfb874dd.zip |
prop224: Add string constant to blinding factor calculation.
Also simplify that part of the spec sincedgoulet felt it was too obscure
and people might miss it or consider it a side note.
Diffstat (limited to 'proposals/224-rend-spec-ng.txt')
-rw-r--r-- | proposals/224-rend-spec-ng.txt | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt index 2156f39..f8e131c 100644 --- a/proposals/224-rend-spec-ng.txt +++ b/proposals/224-rend-spec-ng.txt @@ -1995,6 +1995,8 @@ References: Appendix A. Signature scheme with key blinding [KEYBLIND] +A.1. Key derivation overview + As described in [IMD:DIST] and [SUBCRED] above, we require a "key blinding" system that works (roughly) as follows: @@ -2022,6 +2024,7 @@ Appendix A. Signature scheme with key blinding [KEYBLIND] [TODO: Insert a more rigorous definition and better references.] +A.2. Tor's key derivation scheme We propose the following scheme for key blinding, based on Ed25519. @@ -2035,7 +2038,13 @@ Appendix A. Signature scheme with key blinding [KEYBLIND] key and A is the public key (A=aB) . To derive the key for a nonce N and an optional secret s, compute the - blinding factor h as H(A | s, B, N), and let: + blinding factor like this: + + h = H(BLIND_STRING | A | s | B | N) + BLIND_STRING = "Derive temporary signing key" + N = "key-blind" | INT_8(period-number) | INT_8(period_length) + + and then do the following: private key for the period: a' = h a public key for the period: A' = h A = (ha)B @@ -2055,9 +2064,6 @@ Appendix A. Signature scheme with key blinding [KEYBLIND] possible alternatives. Also, see [KEYBLIND-PROOF] for a security proof of this scheme. - (To use this with Tor, set N = "key-blind" | INT_8(period-number) | - INT_8(period_length).) - Appendix B. Selecting nodes [PICKNODES] Picking introduction points |