author: Filippo Valsorda <hi@filippo.io>, 2017-11-17 15:19:45 -0500
committer: Filippo Valsorda <hi@filippo.io>, 2017-11-17 15:19:45 -0500
commit: 42e31d525b38fd8810006d7deacc8f41ef34db8d
tree: a87abf3d2f14611c03de6056ca843fb304a0d252 /rend-spec-v3.txt
parent: 73f26437470e4b4b360a484daaa1ce94efad317f
rend-spec-v3: add details to blinding implementation (A.2.)
In particular, document how to derive the second half of the private key.
Diffstat (limited to 'rend-spec-v3.txt')
-rw-r--r-- rend-spec-v3.txt 14
1 files changed, 12 insertions, 2 deletions
diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt
index d595268..e408e8b 100644
--- a/rend-spec-v3.txt
+++ b/rend-spec-v3.txt
@@ -2162,6 +2162,7 @@ A.2. Tor's key derivation scheme
h = H(BLIND_STRING | A | s | B | N)
BLIND_STRING = "Derive temporary signing key" | INT_1(0)
N = "key-blind" | INT_8(period-number) | INT_8(period_length)
+ B = "(1511[...]2202, 4631[...]5960)"
then clamp the blinding factor 'h' according to the ed25519 spec:
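Review bot: The added B line gives the value only in abbreviated form as shown here, "(1511[...]2202, 4631[...]5960)", but B is an input to h = H(BLIND_STRING | A | s | B | N), so an implementer needs the exact byte string to arrive at the same h. Write the string out in full or state precisely how it is formed (number base, separator, parentheses, quoting). It would also help to say that this B is a string constant fed to the hash, while the B in A' = h A = (ha)B further down is used as a group element.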
@@ -2171,8 +2172,15 @@ A.2. Tor's key derivation scheme
and do the key derivation as follows:
- private key for the period: a' = h a
- public key for the period: A' = h A = (ha)B
+ private key for the period:
+
+ a' = h a mod l
+ RH' = SHA-512(RH_BLIND_STRING | RH)[:32]
+ RH_BLIND_STRING = "Derive temporary signing key hash input"
+
+ public key for the period:
+
+ A' = h A = (ha)B
Generating a signature of M: given a deterministic random-looking r
(see EdDSA paper), take R=rB, S=r+hash(R,A',M)ah mod l. Send signature
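Review bot: RH is used in the new private-key block without a definition, and RH' = SHA-512(RH_BLIND_STRING | RH)[:32] carries no statement of what it is for. The commit message says this documents the second half of the private key; that sentence belongs in the spec text itself, together with a definition of RH and a plain-words reading of the [:32] slice, since the rest of the section does not use that notation. Please also state whether RH_BLIND_STRING intentionally lacks the INT_1(0) suffix that BLIND_STRING carries, because the two constants otherwise look like they follow the same pattern.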
@@ -2185,6 +2193,8 @@ A.2. Tor's key derivation scheme
= rB + (hash(R,A',M)ah)B
= R + hash(R,A',M)A' )
+ This boils down to regular Ed25519 with key pair (a', A').
+
See [KEYBLIND-REFS] for an extensive discussion on this scheme and
possible alternatives. Also, see [KEYBLIND-PROOF] for a security
proof of this scheme.
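Review bot: The added sentence names the key pair as (a', A') and leaves out RH', which the previous hunk introduces as part of the private key for the period. A reader implementing "regular Ed25519" from this line has no pointer to where r comes from; suggest wording along the lines of "regular Ed25519 with private key (a', RH') and public key A'". The sentence also lands directly after the closing ")" of the verification parenthetical, so check that it reads as a statement about the whole scheme and not as a continuation of that aside.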