path: root/rend-spec-v3.txt
author Nick Mathewson <nickm@torproject.org> 2018-04-02 19:12:25 -0400
committer Nick Mathewson <nickm@torproject.org> 2018-04-02 19:12:25 -0400
commit 10d5417f9d8c1503394c8bca0f97c772f02f808f
tree d1a8a6be7ca789a1655b4e76590799b926c17d0b /rend-spec-v3.txt
parent e2145ba69c082db90d7df4a2db3aa9f8b4651269
parent ab22bd1dce3b62b6120300fdead958c6924fe553
Merge remote-tracking branch 'filippo/master'
Diffstat (limited to 'rend-spec-v3.txt')
-rw-r--r-- rend-spec-v3.txt 18
1 files changed, 14 insertions, 4 deletions
diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt
index 45766bc..019b61e 100644
--- a/rend-spec-v3.txt
+++ b/rend-spec-v3.txt
@@ -2161,8 +2161,9 @@ A.2. Tor's key derivation scheme
blinding factor like this:
h = H(BLIND_STRING | A | s | B | N)
- BLIND_STRING = "Derive temporary signing key"
+ BLIND_STRING = "Derive temporary signing key" | INT_1(0)
N = "key-blind" | INT_8(period-number) | INT_8(period_length)
+ B = "(1511[...]2202, 4631[...]5960)"
then clamp the blinding factor 'h' according to the ed25519 spec:
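Review bot: The new B line gives the base point as a string with elided digits, "(1511[...]2202, 4631[...]5960)", so h = H(BLIND_STRING | A | s | B | N) cannot be computed from this text alone, and implementations that fill in the digits, spacing or separator differently will derive different blinding factors. Write the string out in full, or point to where it is defined, and state that it is hashed as the literal text including the parentheses and comma. The INT_1(0) suffix on BLIND_STRING is easy to lose when porting; a short remark that it is a single trailing zero byte would help.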
@@ -2172,8 +2173,15 @@ A.2. Tor's key derivation scheme
and do the key derivation as follows:
- private key for the period: a' = h a
- public key for the period: A' = h A = (ha)B
+ private key for the period:
+
+ a' = h a mod l
+ RH' = SHA-512(RH_BLIND_STRING | RH)[:32]
+ RH_BLIND_STRING = "Derive temporary signing key hash input"
+
+ public key for the period:
+
+ A' = h A = (ha)B
Generating a signature of M: given a deterministic random-looking r
(see EdDSA paper), take R=rB, S=r+hash(R,A',M)ah mod l. Send signature
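Review bot: RH and RH' appear under "private key for the period" with no definition of RH and no statement of what RH' is used for, while the signing paragraph that follows still describes r only as "a deterministic random-looking r (see EdDSA paper)". Add a line saying what RH is and, if that is the intent, that r for the blinded key is derived from RH'. Since a' is now defined as h a mod l, the signature formula could also be written S = r + hash(R,A',M) a' mod l so that the two places use the same symbol.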
@@ -2186,6 +2194,8 @@ A.2. Tor's key derivation scheme
= rB + (hash(R,A',M)ah)B
= R + hash(R,A',M)A' )
+ This boils down to regular Ed25519 with key pair (a', A').
+
See [KEYBLIND-REFS] for an extensive discussion on this scheme and
possible alternatives. Also, see [KEYBLIND-PROOF] for a security
proof of this scheme.
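Review bot: The added sentence "This boils down to regular Ed25519 with key pair (a', A')" sits after the verification derivation and does not say which operation it covers. Verification under A' is the unmodified Ed25519 check, as the derivation shows, but on the signing side a' is a scalar used directly, whereas standard Ed25519 signing starts from a 32-byte seed that is hashed and clamped to obtain the scalar. Suggest wording it so that an implementer does not pass a' to a seed-based signing API: for example, state that verification is plain Ed25519 with public key A', and that signing uses a' as the secret scalar.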
@@ -2223,7 +2233,7 @@ Appendix C. Recommendations for searching for vanity .onions [VANITY]
While pk does not satisfy X:
Add the number 8 to sk
- Add the scalar 8*B to pk
+ Add the point 8*B to pk
Return sk, pk.