author | Nick Mathewson <nickm@torproject.org> | 2018-04-02 19:12:25 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2018-04-02 19:12:25 -0400 |
commit | 10d5417f9d8c1503394c8bca0f97c772f02f808f (patch) | |
tree | d1a8a6be7ca789a1655b4e76590799b926c17d0b /rend-spec-v3.txt | |
parent | e2145ba69c082db90d7df4a2db3aa9f8b4651269 (diff) | |
parent | ab22bd1dce3b62b6120300fdead958c6924fe553 (diff) | |
Merge remote-tracking branch 'filippo/master'
Diffstat (limited to 'rend-spec-v3.txt')
-rw-r--r-- | rend-spec-v3.txt | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt index 45766bc..019b61e 100644 --- a/rend-spec-v3.txt +++ b/rend-spec-v3.txt @@ -2161,8 +2161,9 @@ A.2. Tor's key derivation scheme blinding factor like this: h = H(BLIND_STRING | A | s | B | N) - BLIND_STRING = "Derive temporary signing key" + BLIND_STRING = "Derive temporary signing key" | INT_1(0) N = "key-blind" | INT_8(period-number) | INT_8(period_length) + B = "(1511[...]2202, 4631[...]5960)" then clamp the blinding factor 'h' according to the ed25519 spec: @@ -2172,8 +2173,15 @@ A.2. Tor's key derivation scheme and do the key derivation as follows: - private key for the period: a' = h a - public key for the period: A' = h A = (ha)B + private key for the period: + + a' = h a mod l + RH' = SHA-512(RH_BLIND_STRING | RH)[:32] + RH_BLIND_STRING = "Derive temporary signing key hash input" + + public key for the period: + + A' = h A = (ha)B Generating a signature of M: given a deterministic random-looking r (see EdDSA paper), take R=rB, S=r+hash(R,A',M)ah mod l. Send signature @@ -2186,6 +2194,8 @@ A.2. Tor's key derivation scheme = rB + (hash(R,A',M)ah)B = R + hash(R,A',M)A' ) + This boils down to regular Ed25519 with key pair (a', A'). + See [KEYBLIND-REFS] for an extensive discussion on this scheme and possible alternatives. Also, see [KEYBLIND-PROOF] for a security proof of this scheme. @@ -2223,7 +2233,7 @@ Appendix C. Recommendations for searching for vanity .onions [VANITY] While pk does not satisfy X: Add the number 8 to sk - Add the scalar 8*B to pk + Add the point 8*B to pk Return sk, pk. |
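Review bot: in the first hunk (@@ -2161,8 +2161,9 @@) the new line `B = "(1511[...]2202, 4631[...]5960)"` abbreviates the Ed25519 base point with `[...]`, which an implementer cannot use; either write both coordinates out in full or state that B is the standard Ed25519 base point and cite the ed25519 spec that the same section already refers to for clamping. The same hunk appends `INT_1(0)` to BLIND_STRING, which changes every blinding factor h derived under the old text, but gives no rationale; one sentence saying why the trailing zero byte is part of the hash input, and that it is mandatory for interoperability, would stop readers from taking it for a typo.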
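Review bot: in the second hunk (@@ -2172,8 +2173,15 @@) the new lines `RH' = SHA-512(RH_BLIND_STRING | RH)[:32]` and `RH_BLIND_STRING = "Derive temporary signing key hash input"` introduce RH without defining it anywhere in the hunk; add a sentence saying what RH is (in Ed25519 terms, the second half of the expanded private key, used as the prefix when deriving the deterministic nonce r) and what `[:32]` denotes (the first 32 bytes of the 64-byte digest), since the surrounding text uses no slice notation. The `mod l` added to `a' = h a mod l` also deserves a remark: a' is a reduced scalar and in general no longer has the clamped bit pattern of a, which matters for implementations that re-clamp private keys on load.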
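Review bot: in the third hunk (@@ -2186,6 +2194,8 @@) the sentence `This boils down to regular Ed25519 with key pair (a', A').` is a little too strong: regular Ed25519 expands a 32-byte seed with SHA-512 into both the signing scalar and the nonce prefix, whereas here the scalar a' and the prefix RH' (introduced in the previous hunk) are supplied directly, so signing has to go through an expanded-key (scalar plus prefix) routine rather than a seed-based one. Suggest `This boils down to regular Ed25519 signing with the expanded private key (a', RH') and public key A'.`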
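Review bot: the terminology fix in the last hunk (@@ -2223,7 +2233,7 @@) is right, 8*B is a point and not a scalar; for consistency the unchanged line just above it, `Add the number 8 to sk`, could read `Add the scalar 8 to sk`, which makes explicit that the loop keeps the invariant pk = sk*B while stepping sk and pk in lockstep.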