Re: [tor-bugs] #12980 [Tor]: Implement ed25519 primitives for proposals 220, 224, 228
#12980: Implement ed25519 primitives for proposals 220, 224, 228
------------------------+-----------------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: needs_review
Priority: major | Milestone: Tor: 0.2.6.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-relay prop220 prop224 prop228
Actual Points: | Parent ID:
Points: |
------------------------+-----------------------------------------------
Comment (by nickm):
The key blinding part of this will IMO be the trickiest part of the design
to review. For reference, I tried to follow
https://www-users.cs.umn.edu/~hopper/basic-proof.pdf , but with these changes:

In Nick Hopper's writeup, he changes the formula for ''r'' in blinded
signatures from ''H(k,m)'' to ''H(k,t,m)''. To simplify the logic, I went
with ''H(H(k,s_t), m)'' -- this allows me to derive secret keys
''(a',k')'' as ''a'=s_t * a'', ''k' = H(k,s_t)''. Does this also work?

I'm using 's_t' in place of 't' nearly everywhere.

AFAICT, Nick's document doesn't mention exactly ''how'' to multiply ''a''
by ''s_t''. I'm doing it modulo the group order ''l'' -- I think that's
right. I'm also applying the regular secret-key bit-manipulations to
's_t' before I multiply by it. It appears to be necessary to clear the
high bits -- is it safe to leave the low bits uncleared?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12980#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
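
The blinding relations from the comment above (a' = s_t * a mod l, k' = H(k, s_t), r = H(k', m)), written out as an added example that is not part of the original message and is not Tor's code: it checks that a'*B equals the publicly derived A' = s_t*A and that a signature made with (a', k') verifies under A'. Assumptions made here: H is SHA-512, k' is the first 32 bytes of H(k || s_t), s_t arrives as a 32-byte string, and the curve arithmetic is a slow, non-constant-time affine version meant only for checking the algebra.

```python
import hashlib

p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493  # order of the base point
d = -121665 * pow(121666, p - 2, p) % p

def H(*parts):  # SHA-512 read as a little-endian integer (assumed hash)
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def add(P, Q):  # affine twisted-Edwards addition, complete on this curve
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1*y2 + y1*x2) * pow(1 + t, p - 2, p) % p,
            (y1*y2 + x1*x2) * pow(1 - t, p - 2, p) % p)

def mul(s, P):  # double-and-add; not constant time, illustration only
    Q = (0, 1)
    while s:
        if s & 1: Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q

def enc(P):  # standard 32-byte point encoding
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

gy = 4 * pow(5, p - 2, p) % p  # base point: y = 4/5, x the even square root
x2 = (gy*gy - 1) * pow(d*gy*gy + 1, p - 2, p) % p
gx = pow(x2, (p + 3) // 8, p)
gx = gx if (gx*gx - x2) % p == 0 else gx * pow(2, (p - 1) // 4, p) % p
BASE = (gx if gx % 2 == 0 else p - gx, gy)

def clamp(b):  # clear the low 3 bits and bit 255, set bit 254
    return (int.from_bytes(b[:32], "little") & ((1 << 254) - 8)) | (1 << 254)

def keygen(seed):  # returns (a, k, A)
    h = hashlib.sha512(seed).digest()
    return clamp(h), h[32:], mul(clamp(h), BASE)

def blind_secret(a, k, s_t):  # a' = s_t * a mod l, k' = H(k, s_t)
    return clamp(s_t) * a % l, hashlib.sha512(k + s_t).digest()[:32]
def blind_public(A, s_t):  # A' = s_t * A, computed without the secret a
    return mul(clamp(s_t), A)

def sign(a, k, A, m):  # r = H(k, m); with k' this is r = H(H(k, s_t), m)
    r = H(k, m) % l
    R = mul(r, BASE)
    return R, (r + H(enc(R), enc(A), m) * a) % l
def verify(A, m, R, S):  # accept iff S*B == R + H(R, A, m)*A
    return mul(S, BASE) == add(R, mul(H(enc(R), enc(A), m) % l, A))
```

The check only exercises the algebra with s_t fully clamped; it says nothing about whether leaving the low bits of s_t uncleared is safe.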