[tor-commits] [torspec/master] rend-spec-v3: add details to blinding implementation (A.2.)
commit 42e31d525b38fd8810006d7deacc8f41ef34db8d
Author: Filippo Valsorda <hi@xxxxxxxxxx>
Date: Fri Nov 17 15:19:45 2017 -0500
rend-spec-v3: add details to blinding implementation (A.2.)
In particular, document how to derive the second half of the private key.
---
rend-spec-v3.txt | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt
index d595268..e408e8b 100644
--- a/rend-spec-v3.txt
+++ b/rend-spec-v3.txt
@@ -2162,6 +2162,7 @@ A.2. Tor's key derivation scheme
h = H(BLIND_STRING | A | s | B | N)
BLIND_STRING = "Derive temporary signing key" | INT_1(0)
N = "key-blind" | INT_8(period-number) | INT_8(period_length)
+ B = "(1511[...]2202, 4631[...]5960)"
then clamp the blinding factor 'h' according to the ed25519 spec:
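Review bot: the added B line gives the string with its digits elided ("1511[...]2202", "4631[...]5960"), but B is an input to h = H(BLIND_STRING | A | s | B | N), so an implementer needs every byte of it. Spell out the full string in the spec or point to where the exact value is defined, and say whether B is hashed as this literal quoted string (parentheses, comma and space included) or as an encoded point.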
@@ -2171,8 +2172,15 @@ A.2. Tor's key derivation scheme
and do the key derivation as follows:
- private key for the period: a' = h a
- public key for the period: A' = h A = (ha)B
+ private key for the period:
+
+ a' = h a mod l
+ RH' = SHA-512(RH_BLIND_STRING | RH)[:32]
+ RH_BLIND_STRING = "Derive temporary signing key hash input"
+
+ public key for the period:
+
+ A' = h A = (ha)B
Generating a signature of M: given a deterministic random-looking r
(see EdDSA paper), take R=rB, S=r+hash(R,A',M)ah mod l. Send signature
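Review bot: RH is used on the added RH' line without being defined in the visible text of this section; only the commit message hints that it is the second half of the private key. Add a line defining RH, state how RH' is used when deriving the deterministic r mentioned just below, and express "[:32]" in the spec's own terms (for example, the first 32 bytes of the digest). Also, BLIND_STRING carries a trailing INT_1(0) while RH_BLIND_STRING does not; if that is intentional, say so, since it changes the hash input.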
@@ -2185,6 +2193,8 @@ A.2. Tor's key derivation scheme
= rB + (hash(R,A',M)ah)B
= R + hash(R,A',M)A' )
+ This boils down to regular Ed25519 with key pair (a', A').
+
See [KEYBLIND-REFS] for an extensive discussion on this scheme and
possible alternatives. Also, see [KEYBLIND-PROOF] for a security
proof of this scheme.
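Review bot: the added sentence reduces the scheme to the key pair (a', A') but leaves out RH', which this same patch introduces under "private key for the period". Regular Ed25519 signing needs both the scalar and the hash-input half, so consider wording it as regular Ed25519 with expanded private key (a', RH') and public key A', and make clear that a' is used as the scalar directly, not as a seed to be hashed and clamped again.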