Merge remote-tracking branch 'teor/prop224-horse'

1 files changed, 11 insertions, 2 deletions

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index e14c2be..3b41403 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -1689,6 +1689,9 @@ References:
 [SRV-TP-REFS]:
         https://lists.torproject.org/pipermail/tor-dev/2016-April/010759.html
 
+[VANITY-REFS]:
+        https://github.com/Yawning/horse25519
+
 Appendix A. Signature scheme with key blinding [KEYBLIND]
 
   As described in [IMD:DIST] and [SUBCRED] above, we require a "key
@@ -1786,11 +1789,14 @@ Appendix C. Recommendations for searching for vanity .onions [VANITY]
 
         While pk does not satisfy X:
 
-            Add the number 1 to sk
-            Add the scalar B to pk
+            Add the number 8 to sk
+            Add the scalar 8*B to pk
 
         Return sk, pk.
 
+  We add 8 and 8*B, rather than 1 and B, so that sk is always a valid
+  Curve25519 private key, with the lowest 3 bits equal to 0.
+
   This algorithm is safe [source: djb, personal communication] [TODO:
   Make sure I understood correctly!] so long as only the final (sk,pk)
   pair is used, and all previous values are discarded.
@@ -1799,6 +1805,9 @@ Appendix C. Recommendations for searching for vanity .onions [VANITY]
   generated for each independent thread, and let each search proceed
   independently.
 
+  See [VANITY-REFS] for a reference implementation of this vanity .onion
+  search scheme.
+
 Appendix D. Numeric values reserved in this document
 
   [TODO: collect all the lists of commands and values mentioned above]