From 6d0b14fea3c2cf96c625203debb4416c6b7896d7 Mon Sep 17 00:00:00 2001
From: George Kadianakis <desnacked@riseup.net>
Date: Thu, 25 May 2017 16:03:46 +0300
Subject: prop224: Specify blinding factor clamping.

---
 proposals/224-rend-spec-ng.txt | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'proposals/224-rend-spec-ng.txt')

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index 6f16fce..247af87 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -2043,7 +2043,13 @@ A.2. Tor's key derivation scheme
            BLIND_STRING = "Derive temporary signing key"
            N = "key-blind" | INT_8(period-number) | INT_8(period_length)
 
-  and then do the following:
+  then clamp the blinding factor 'h' according to the ed25519 spec:
+
+           h[0] &= 248;
+           h[31] &= 127;
+           h[31] |= 64;
+
+  and do the key derivation as follows:
 
       private key for the period:   a' = h a
       public key for the period:    A' = h A = (ha)B
-- 
cgit v1.2.3-54-g00ecf