From ec3802145b280bd19ae635ac567a9c24dfb874dd Mon Sep 17 00:00:00 2001 From: George Kadianakis Date: Tue, 25 Apr 2017 17:44:50 +0300 Subject: prop224: Add string constant to blinding factor calculation. Also simplify that part of the spec sincedgoulet felt it was too obscure and people might miss it or consider it a side note. --- proposals/224-rend-spec-ng.txt | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'proposals/224-rend-spec-ng.txt') diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt index 2156f39..f8e131c 100644 --- a/proposals/224-rend-spec-ng.txt +++ b/proposals/224-rend-spec-ng.txt @@ -1995,6 +1995,8 @@ References: Appendix A. Signature scheme with key blinding [KEYBLIND] +A.1. Key derivation overview + As described in [IMD:DIST] and [SUBCRED] above, we require a "key blinding" system that works (roughly) as follows: @@ -2022,6 +2024,7 @@ Appendix A. Signature scheme with key blinding [KEYBLIND] [TODO: Insert a more rigorous definition and better references.] +A.2. Tor's key derivation scheme We propose the following scheme for key blinding, based on Ed25519. @@ -2035,7 +2038,13 @@ Appendix A. Signature scheme with key blinding [KEYBLIND] key and A is the public key (A=aB) . To derive the key for a nonce N and an optional secret s, compute the - blinding factor h as H(A | s, B, N), and let: + blinding factor like this: + + h = H(BLIND_STRING | A | s | B | N) + BLIND_STRING = "Derive temporary signing key" + N = "key-blind" | INT_8(period-number) | INT_8(period_length) + + and then do the following: private key for the period: a' = h a public key for the period: A' = h A = (ha)B @@ -2055,9 +2064,6 @@ Appendix A. Signature scheme with key blinding [KEYBLIND] possible alternatives. Also, see [KEYBLIND-PROOF] for a security proof of this scheme. - (To use this with Tor, set N = "key-blind" | INT_8(period-number) | - INT_8(period_length).) - Appendix B. Selecting nodes [PICKNODES] Picking introduction points -- cgit v1.2.3-54-g00ecf