[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [stem/master] Faster ed25519 blinding



commit a1d5d9726e3653f58035c76420582059b0c86d13
Author: Damian Johnson <atagar@xxxxxxxxxxxxxx>
Date:   Fri Nov 22 13:22:50 2019 -0800

    Faster ed25519 blinding
    
    Thanks to Paul ed25519 blinding is now fully two orders of magnitude faster!
    
      https://github.com/pyca/cryptography/issues/5068
    
    Replaced slow_ed25519.py with an optimized implementation from...
    
      https://github.com/pyca/ed25519/
    
    This changes the runtime of test_blinding as follows:
    
      Python 2.7: 2.25s => 20 ms
      Python 3.5: 1.83s => 19 ms
---
 stem/descriptor/hidden_service.py         |  44 ++---
 stem/util/ed25519.py                      | 311 ++++++++++++++++++++++++++++++
 stem/util/slow_ed25519.py                 | 171 ----------------
 stem/util/test_tools.py                   |  11 ++
 test/settings.cfg                         |   4 +-
 test/unit/descriptor/hidden_service_v3.py |   4 +-
 6 files changed, 347 insertions(+), 198 deletions(-)

diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py
index 94edeba4..ea1ae739 100644
--- a/stem/descriptor/hidden_service.py
+++ b/stem/descriptor/hidden_service.py
@@ -51,7 +51,6 @@ import stem.util.tor_tools
 
 from stem.client.datatype import CertType
 from stem.descriptor.certificate import ExtensionType, Ed25519Extension, Ed25519Certificate, Ed25519CertificateV1
-from stem.util import slow_ed25519
 
 from stem.descriptor import (
   PGP_BLOCK_END,
@@ -917,10 +916,8 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor):
     Construction through this method can supply any or none of these, with
     omitted parameters populated with randomized defaults.
 
-    `Ed25519 key blinding takes several seconds
-    <https://github.com/pyca/cryptography/issues/5068>`_, and as such is
-    disabled if a **blinding_nonce** is not provided. To blind with a random
-    nonce simply call...
+    Ed25519 key blinding adds an additional ~20 ms, and as such is disabled by
+    default. To blind with a random nonce simply call...
 
     ::
 
@@ -1302,13 +1299,16 @@ class InnerLayer(Descriptor):
 
 
 def _blinded_pubkey(identity_key, blinding_nonce):
-  mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(blinding_nonce, i) for i in range(3, slow_ed25519.b - 2))
-  P = slow_ed25519.decodepoint(stem.util._pubkey_bytes(identity_key))
-  return slow_ed25519.encodepoint(slow_ed25519.scalarmult(P, mult))
+  from stem.util import ed25519
+
+  mult = 2 ** (ed25519.b - 2) + sum(2 ** i * ed25519.bit(blinding_nonce, i) for i in range(3, ed25519.b - 2))
+  P = ed25519.decodepoint(stem.util._pubkey_bytes(identity_key))
+  return ed25519.encodepoint(ed25519.scalarmult(P, mult))
 
 
 def _blinded_sign(msg, identity_key, blinded_key, blinding_nonce):
   from cryptography.hazmat.primitives import serialization
+  from stem.util import ed25519
 
   identity_key_bytes = identity_key.private_bytes(
     encoding = serialization.Encoding.Raw,
@@ -1318,28 +1318,28 @@ def _blinded_sign(msg, identity_key, blinded_key, blinding_nonce):
 
   # pad private identity key into an ESK (encrypted secret key)
 
-  h = slow_ed25519.H(identity_key_bytes)
-  a = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(h, i) for i in range(3, slow_ed25519.b - 2))
-  k = b''.join([h[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)])
-  esk = slow_ed25519.encodeint(a) + k
+  h = ed25519.H(identity_key_bytes)
+  a = 2 ** (ed25519.b - 2) + sum(2 ** i * ed25519.bit(h, i) for i in range(3, ed25519.b - 2))
+  k = b''.join([h[i:i + 1] for i in range(ed25519.b // 8, ed25519.b // 4)])
+  esk = ed25519.encodeint(a) + k
 
   # blind the ESK with this nonce
 
-  mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(blinding_nonce, i) for i in range(3, slow_ed25519.b - 2))
-  s = slow_ed25519.decodeint(esk[:32])
-  s_prime = (s * mult) % slow_ed25519.l
+  mult = 2 ** (ed25519.b - 2) + sum(2 ** i * ed25519.bit(blinding_nonce, i) for i in range(3, ed25519.b - 2))
+  s = ed25519.decodeint(esk[:32])
+  s_prime = (s * mult) % ed25519.l
   k = esk[32:]
-  k_prime = slow_ed25519.H(b'Derive temporary signing key hash input' + k)[:32]
-  blinded_esk = slow_ed25519.encodeint(s_prime) + k_prime
+  k_prime = ed25519.H(b'Derive temporary signing key hash input' + k)[:32]
+  blinded_esk = ed25519.encodeint(s_prime) + k_prime
 
   # finally, sign the message
 
-  a = slow_ed25519.decodeint(blinded_esk[:32])
-  r = slow_ed25519.Hint(b''.join([blinded_esk[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) + msg)
-  R = slow_ed25519.scalarmult(slow_ed25519.B, r)
-  S = (r + slow_ed25519.Hint(slow_ed25519.encodepoint(R) + blinded_key + msg) * a) % slow_ed25519.l
+  a = ed25519.decodeint(blinded_esk[:32])
+  r = ed25519.Hint(b''.join([blinded_esk[i:i + 1] for i in range(ed25519.b // 8, ed25519.b // 4)]) + msg)
+  R = ed25519.scalarmult(ed25519.B, r)
+  S = (r + ed25519.Hint(ed25519.encodepoint(R) + blinded_key + msg) * a) % ed25519.l
 
-  return slow_ed25519.encodepoint(R) + slow_ed25519.encodeint(S)
+  return ed25519.encodepoint(R) + ed25519.encodeint(S)
 
 
 # TODO: drop this alias in stem 2.x
diff --git a/stem/util/ed25519.py b/stem/util/ed25519.py
new file mode 100644
index 00000000..67b2db3c
--- /dev/null
+++ b/stem/util/ed25519.py
@@ -0,0 +1,311 @@
+# The following is copied from...
+#
+#   https://github.com/pyca/ed25519
+#
+# This is under the CC0 license. For more information please see...
+#
+#   https://github.com/pyca/cryptography/issues/5068
+
+
+# ed25519.py - Optimized version of the reference implementation of Ed25519
+#
+# Written in 2011? by Daniel J. Bernstein <djb@xxxxxxxx>
+#            2013 by Donald Stufft <donald@xxxxxxxxx>
+#            2013 by Alex Gaynor <alex.gaynor@xxxxxxxxx>
+#            2013 by Greg Price <price@xxxxxxx>
+#
+# To the extent possible under law, the author(s) have dedicated all copyright
+# and related and neighboring rights to this software to the public domain
+# worldwide. This software is distributed without any warranty.
+#
+# You should have received a copy of the CC0 Public Domain Dedication along
+# with this software. If not, see
+# <http://creativecommons.org/publicdomain/zero/1.0/>.
+
+"""
+NB: This code is not safe for use with secret keys or secret data.
+The only safe use of this code is for verifying signatures on public messages.
+
+Functions for computing the public key of a secret key and for signing
+a message are included, namely publickey_unsafe and signature_unsafe,
+for testing purposes only.
+
+The root of the problem is that Python's long-integer arithmetic is
+not designed for use in cryptography.  Specifically, it may take more
+or less time to execute an operation depending on the values of the
+inputs, and its memory access patterns may also depend on the inputs.
+This opens it to timing and cache side-channel attacks which can
+disclose data to an attacker.  We rely on Python's long-integer
+arithmetic, so we cannot handle secrets without risking their disclosure.
+"""
+
+import hashlib
+import operator
+import sys
+
+
+__version__ = "1.0.dev0"
+
+
+# Useful for very coarse version differentiation.
+PY3 = sys.version_info[0] == 3
+
+if PY3:
+    indexbytes = operator.getitem
+    intlist2bytes = bytes
+    int2byte = operator.methodcaller("to_bytes", 1, "big")
+else:
+    int2byte = chr
+    range = xrange
+
+    def indexbytes(buf, i):
+        return ord(buf[i])
+
+    def intlist2bytes(l):
+        return b"".join(chr(c) for c in l)
+
+
+b = 256
+q = 2 ** 255 - 19
+l = 2 ** 252 + 27742317777372353535851937790883648493
+
+
+def H(m):
+    return hashlib.sha512(m).digest()
+
+
+def pow2(x, p):
+    """== pow(x, 2**p, q)"""
+    while p > 0:
+        x = x * x % q
+        p -= 1
+    return x
+
+
+def inv(z):
+    """$= z^{-1} \mod q$, for z != 0"""
+    # Adapted from curve25519_athlon.c in djb's Curve25519.
+    z2 = z * z % q                                # 2
+    z9 = pow2(z2, 2) * z % q                      # 9
+    z11 = z9 * z2 % q                             # 11
+    z2_5_0 = (z11 * z11) % q * z9 % q             # 31 == 2^5 - 2^0
+    z2_10_0 = pow2(z2_5_0, 5) * z2_5_0 % q        # 2^10 - 2^0
+    z2_20_0 = pow2(z2_10_0, 10) * z2_10_0 % q     # ...
+    z2_40_0 = pow2(z2_20_0, 20) * z2_20_0 % q
+    z2_50_0 = pow2(z2_40_0, 10) * z2_10_0 % q
+    z2_100_0 = pow2(z2_50_0, 50) * z2_50_0 % q
+    z2_200_0 = pow2(z2_100_0, 100) * z2_100_0 % q
+    z2_250_0 = pow2(z2_200_0, 50) * z2_50_0 % q   # 2^250 - 2^0
+    return pow2(z2_250_0, 5) * z11 % q            # 2^255 - 2^5 + 11 = q - 2
+
+
+d = -121665 * inv(121666) % q
+I = pow(2, (q - 1) // 4, q)
+
+
+def xrecover(y):
+    xx = (y * y - 1) * inv(d * y * y + 1)
+    x = pow(xx, (q + 3) // 8, q)
+
+    if (x * x - xx) % q != 0:
+        x = (x * I) % q
+
+    if x % 2 != 0:
+        x = q-x
+
+    return x
+
+
+By = 4 * inv(5)
+Bx = xrecover(By)
+B = (Bx % q, By % q, 1, (Bx * By) % q)
+ident = (0, 1, 1, 0)
+
+
+def edwards_add(P, Q):
+    # This is formula sequence 'addition-add-2008-hwcd-3' from
+    # http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html
+    (x1, y1, z1, t1) = P
+    (x2, y2, z2, t2) = Q
+
+    a = (y1-x1)*(y2-x2) % q
+    b = (y1+x1)*(y2+x2) % q
+    c = t1*2*d*t2 % q
+    dd = z1*2*z2 % q
+    e = b - a
+    f = dd - c
+    g = dd + c
+    h = b + a
+    x3 = e*f
+    y3 = g*h
+    t3 = e*h
+    z3 = f*g
+
+    return (x3 % q, y3 % q, z3 % q, t3 % q)
+
+
+def edwards_double(P):
+    # This is formula sequence 'dbl-2008-hwcd' from
+    # http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html
+    (x1, y1, z1, t1) = P
+
+    a = x1*x1 % q
+    b = y1*y1 % q
+    c = 2*z1*z1 % q
+    # dd = -a
+    e = ((x1+y1)*(x1+y1) - a - b) % q
+    g = -a + b  # dd + b
+    f = g - c
+    h = -a - b  # dd - b
+    x3 = e*f
+    y3 = g*h
+    t3 = e*h
+    z3 = f*g
+
+    return (x3 % q, y3 % q, z3 % q, t3 % q)
+
+
+def scalarmult(P, e):
+    if e == 0:
+        return ident
+    Q = scalarmult(P, e // 2)
+    Q = edwards_double(Q)
+    if e & 1:
+        Q = edwards_add(Q, P)
+    return Q
+
+
+# Bpow[i] == scalarmult(B, 2**i)
+Bpow = []
+
+
+def make_Bpow():
+    P = B
+    for i in range(253):
+        Bpow.append(P)
+        P = edwards_double(P)
+make_Bpow()
+
+
+def scalarmult_B(e):
+    """
+    Implements scalarmult(B, e) more efficiently.
+    """
+    # scalarmult(B, l) is the identity
+    e = e % l
+    P = ident
+    for i in range(253):
+        if e & 1:
+            P = edwards_add(P, Bpow[i])
+        e = e // 2
+    assert e == 0, e
+    return P
+
+
+def encodeint(y):
+    bits = [(y >> i) & 1 for i in range(b)]
+    return b''.join([
+        int2byte(sum([bits[i * 8 + j] << j for j in range(8)]))
+        for i in range(b//8)
+    ])
+
+
+def encodepoint(P):
+    (x, y, z, t) = P
+    zi = inv(z)
+    x = (x * zi) % q
+    y = (y * zi) % q
+    bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1]
+    return b''.join([
+        int2byte(sum([bits[i * 8 + j] << j for j in range(8)]))
+        for i in range(b // 8)
+    ])
+
+
+def bit(h, i):
+    return (indexbytes(h, i // 8) >> (i % 8)) & 1
+
+
+def publickey_unsafe(sk):
+    """
+    Not safe to use with secret keys or secret data.
+
+    See module docstring.  This function should be used for testing only.
+    """
+    h = H(sk)
+    a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
+    A = scalarmult_B(a)
+    return encodepoint(A)
+
+
+def Hint(m):
+    h = H(m)
+    return sum(2 ** i * bit(h, i) for i in range(2 * b))
+
+
+def signature_unsafe(m, sk, pk):
+    """
+    Not safe to use with secret keys or secret data.
+
+    See module docstring.  This function should be used for testing only.
+    """
+    h = H(sk)
+    a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
+    r = Hint(
+        intlist2bytes([indexbytes(h, j) for j in range(b // 8, b // 4)]) + m
+    )
+    R = scalarmult_B(r)
+    S = (r + Hint(encodepoint(R) + pk + m) * a) % l
+    return encodepoint(R) + encodeint(S)
+
+
+def isoncurve(P):
+    (x, y, z, t) = P
+    return (z % q != 0 and
+            x*y % q == z*t % q and
+            (y*y - x*x - z*z - d*t*t) % q == 0)
+
+
+def decodeint(s):
+    return sum(2 ** i * bit(s, i) for i in range(0, b))
+
+
+def decodepoint(s):
+    y = sum(2 ** i * bit(s, i) for i in range(0, b - 1))
+    x = xrecover(y)
+    if x & 1 != bit(s, b-1):
+        x = q - x
+    P = (x, y, 1, (x*y) % q)
+    if not isoncurve(P):
+        raise ValueError("decoding point that is not on curve")
+    return P
+
+
+class SignatureMismatch(Exception):
+    pass
+
+
+def checkvalid(s, m, pk):
+    """
+    Not safe to use when any argument is secret.
+
+    See module docstring.  This function should be used only for
+    verifying public signatures of public messages.
+    """
+    if len(s) != b // 4:
+        raise ValueError("signature length is wrong")
+
+    if len(pk) != b // 8:
+        raise ValueError("public-key length is wrong")
+
+    R = decodepoint(s[:b // 8])
+    A = decodepoint(pk)
+    S = decodeint(s[b // 8:b // 4])
+    h = Hint(encodepoint(R) + pk + m)
+
+    (x1, y1, z1, t1) = P = scalarmult_B(S)
+    (x2, y2, z2, t2) = Q = edwards_add(R, scalarmult(A, h))
+
+    if (not isoncurve(P) or not isoncurve(Q) or
+       (x1*z2 - x2*z1) % q != 0 or (y1*z2 - y2*z1) % q != 0):
+        raise SignatureMismatch("signature does not pass verification")
diff --git a/stem/util/slow_ed25519.py b/stem/util/slow_ed25519.py
deleted file mode 100644
index b23bf57c..00000000
--- a/stem/util/slow_ed25519.py
+++ /dev/null
@@ -1,171 +0,0 @@
-# Public domain ed25519 implementation from...
-#
-#   http://ed25519.cr.yp.to/python/ed25519.py
-#
-# It isn't constant-time.  Don't use it except for testing.  Also, see
-# warnings about how very slow it is.  Only use this for generating
-# test vectors, I'd suggest.
-#
-# Cryptography replacement of this is pending...
-#
-#   https://github.com/pyca/cryptography/issues/5068
-
-import hashlib
-import stem.prereq
-
-b = 256
-q = 2 ** 255 - 19
-l = 2 ** 252 + 27742317777372353535851937790883648493
-
-
-def int_to_byte(val):
-  """
-  Convert an integer to its byte value in an interpreter agnostic way.
-  """
-
-  return bytes([val]) if stem.prereq.is_python_3() else chr(val)
-
-
-def H(m):
-  return hashlib.sha512(m).digest()
-
-
-def expmod(b, e, m):
-  if e == 0:
-    return 1
-
-  t = expmod(b, e // 2, m) ** 2 % m
-
-  if e & 1:
-    t = (t * b) % m
-
-  return t
-
-
-def inv(x):
-  return expmod(x, q - 2, q)
-
-
-d = -121665 * inv(121666)
-I = expmod(2, (q - 1) // 4, q)
-
-
-def xrecover(y):
-  xx = (y * y - 1) * inv(d * y * y + 1)
-  x = expmod(xx, (q + 3) // 8, q)
-
-  if (x * x - xx) % q != 0:
-    x = (x * I) % q
-
-  if x % 2 != 0:
-    x = q - x
-
-  return x
-
-
-By = 4 * inv(5)
-Bx = xrecover(By)
-B = [Bx % q, By % q]
-
-
-def edwards(P, Q):
-  x1 = P[0]
-  y1 = P[1]
-  x2 = Q[0]
-  y2 = Q[1]
-  x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
-  y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
-  return [x3 % q, y3 % q]
-
-
-def scalarmult(P, e):
-  if e == 0:
-    return [0, 1]
-
-  Q = scalarmult(P, e // 2)
-  Q = edwards(Q, Q)
-
-  if e & 1:
-    Q = edwards(Q, P)
-
-  return Q
-
-
-def encodeint(y):
-  bits = [(y >> i) & 1 for i in range(b)]
-  return b''.join([int_to_byte(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b // 8)])
-
-
-def encodepoint(P):
-  x = P[0]
-  y = P[1]
-  bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1]
-
-  return b''.join([int_to_byte(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b // 8)])
-
-
-def bit(h, i):
-  return (ord(h[i // 8:i // 8 + 1]) >> (i % 8)) & 1
-
-
-def publickey(sk):
-  h = H(sk)
-  a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
-  A = scalarmult(B, a)
-
-  return encodepoint(A)
-
-
-def Hint(m):
-  h = H(m)
-  return sum(2 ** i * bit(h, i) for i in range(2 * b))
-
-
-def signature(m, sk, pk):
-  h = H(sk)
-  a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
-  r = Hint(b''.join([h[i:i + 1] for i in range(b // 8, b // 4)]) + m)
-  R = scalarmult(B, r)
-  S = (r + Hint(encodepoint(R) + pk + m) * a) % l
-  return encodepoint(R) + encodeint(S)
-
-
-def isoncurve(P):
-  x = P[0]
-  y = P[1]
-  return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0
-
-
-def decodeint(s):
-  return sum(2 ** i * bit(s, i) for i in range(0, b))
-
-
-def decodepoint(s):
-  y = sum(2 ** i * bit(s, i) for i in range(0, b - 1))
-  x = xrecover(y)
-
-  if x & 1 != bit(s, b - 1):
-    x = q - x
-
-  P = [x, y]
-
-  if not isoncurve(P):
-    raise Exception('decoding point that is not on curve')
-
-  return P
-
-
-def checkvalid(s, m, pk):
-  if len(s) != b // 4:
-    raise Exception('signature length is wrong')
-
-  if len(pk) != b // 8:
-    raise Exception('public-key length is wrong')
-
-  R = decodepoint(s[0:b // 8])
-  A = decodepoint(pk)
-  S = decodeint(s[b // 8:b // 4])
-  h = Hint(encodepoint(R) + pk + m)
-
-  if scalarmult(B, S) != edwards(R, scalarmult(A, h)):
-    raise Exception('signature does not pass verification')
diff --git a/stem/util/test_tools.py b/stem/util/test_tools.py
index 03741d98..36c88f6a 100644
--- a/stem/util/test_tools.py
+++ b/stem/util/test_tools.py
@@ -455,6 +455,7 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa
 
   ignore_rules = []
   ignore_for_file = []
+  ignore_all_for_files = []
 
   for rule in CONFIG['pycodestyle.ignore'] + CONFIG['pep8.ignore']:
     if '=>' in rule:
@@ -463,6 +464,8 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa
       if ':' in rule_entry:
         rule, code = rule_entry.split(':', 1)
         ignore_for_file.append((path.strip(), rule.strip(), code.strip()))
+      elif rule_entry.strip() == '*':
+        ignore_all_for_files.append(path.strip())
     else:
       ignore_rules.append(rule)
 
@@ -471,6 +474,10 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa
       if path.endswith(ignored_path) and ignored_rule == rule and code.strip().startswith(ignored_code):
         return True
 
+    for ignored_path in ignore_all_for_files:
+      if path.endswith(ignored_path):
+        return True
+
     return False
 
   if is_pycodestyle_available():
@@ -488,6 +495,10 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa
 
         is_block_comment = False
 
+        for ignored_path in ignore_all_for_files:
+          if filename.endswith(ignored_path):
+            return
+
         for index, line in enumerate(lines):
           content = line.split('#', 1)[0].strip()
 
diff --git a/test/settings.cfg b/test/settings.cfg
index 5443df41..2e7b7a80 100644
--- a/test/settings.cfg
+++ b/test/settings.cfg
@@ -169,6 +169,8 @@ pycodestyle.ignore E127
 pycodestyle.ignore E131
 pycodestyle.ignore E722
 
+pycodestyle.ignore stem/util/ed25519.py => *
+
 pycodestyle.ignore stem/__init__.py => E402: import stem.util.connection
 pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.bandwidth_file
 pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.extrainfo_descriptor
@@ -177,8 +179,6 @@ pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.m
 pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.networkstatus
 pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.server_descriptor
 pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.tordnsel
-pycodestyle.ignore stem/util/slow_ed25519.py => E741: l = 2 ** 252 + 27742317777372353535851937790883648493
-pycodestyle.ignore stem/util/slow_ed25519.py => E741: I = expmod(2, (q - 1) // 4, q)
 pycodestyle.ignore test/unit/util/connection.py => W291: _tor     tor        15843   10 pipe 0x0 state:
 pycodestyle.ignore test/unit/util/connection.py => W291: _tor     tor        15843   11 pipe 0x0 state:
 
diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py
index 715a2b65..cb1e9c68 100644
--- a/test/unit/descriptor/hidden_service_v3.py
+++ b/test/unit/descriptor/hidden_service_v3.py
@@ -463,9 +463,7 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase):
   @test.require.ed25519_support
   def test_blinding(self):
     """
-    Create a descriptor with key blinding. `This takes a while
-    <https://github.com/pyca/cryptography/issues/5068>`_, so we should not do
-    this more than once.
+    Create a descriptor with key blinding.
     """
 
     from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits