[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [torspec/master] Specify the ED25519-V3 private key format, and explain why it is so.



commit 3c34000c9c28b6a55e2c4333a5ad0ccf99bd4026
Author: Taylor R Campbell <campbell+tor@xxxxxxxxxx>
Date:   Fri Oct 19 17:43:17 2018 +0000

    Specify the ED25519-V3 private key format, and explain why it is so.
---
 control-spec.txt | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/control-spec.txt b/control-spec.txt
index 6f0a543..6a04b65 100644
--- a/control-spec.txt
+++ b/control-spec.txt
@@ -1671,8 +1671,18 @@
 
   (The KeyBlob format is left intentionally opaque, however for "RSA1024"
   keys it is currently the Base64 encoded DER representation of a PKCS#1
-  RSAPrivateKey, with all newlines removed. For a "ED25519-V3" key is a Base64
-  encoded ed25519 private key.)
+  RSAPrivateKey, with all newlines removed. For a "ED25519-V3" key is
+  the Base64 encoding of the concatenation of the 32-byte ed25519 secret
+  scalar in little-endian and the 32-byte ed25519 PRF secret.)
+
+  [Note: The ED25519-V3 format is not the same as, e.g., SUPERCOP
+  ed25519/ref, which stores the concatenation of the 32-byte ed25519
+  hash seed concatenated with the 32-byte public key, and which derives
+  the secret scalar and PRF secret by expanding the hash seed with
+  SHA-512.  Our key blinding scheme is incompatible with storing
+  private keys as seeds, so we store the secret scalar alongside the
+  PRF secret, and just pay the cost of recomputing the public key when
+  importing an ED25519-V3 key.]
 
   (The "NEW:BEST" option obeys the HiddenServiceVersion torrc option default
   value. Currently it is 2.)

_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits