[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [torspec/master] Specify the ED25519-V3 private key format, and explain why it is so.
commit 3c34000c9c28b6a55e2c4333a5ad0ccf99bd4026
Author: Taylor R Campbell <campbell+tor@xxxxxxxxxx>
Date: Fri Oct 19 17:43:17 2018 +0000
Specify the ED25519-V3 private key format, and explain why it is so.
---
control-spec.txt | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/control-spec.txt b/control-spec.txt
index 6f0a543..6a04b65 100644
--- a/control-spec.txt
+++ b/control-spec.txt
@@ -1671,8 +1671,18 @@
(The KeyBlob format is left intentionally opaque, however for "RSA1024"
keys it is currently the Base64 encoded DER representation of a PKCS#1
- RSAPrivateKey, with all newlines removed. For a "ED25519-V3" key is a Base64
- encoded ed25519 private key.)
+ RSAPrivateKey, with all newlines removed. For a "ED25519-V3" key is
+ the Base64 encoding of the concatenation of the 32-byte ed25519 secret
+ scalar in little-endian and the 32-byte ed25519 PRF secret.)
+
+ [Note: The ED25519-V3 format is not the same as, e.g., SUPERCOP
+ ed25519/ref, which stores the concatenation of the 32-byte ed25519
+ hash seed concatenated with the 32-byte public key, and which derives
+ the secret scalar and PRF secret by expanding the hash seed with
+ SHA-512. Our key blinding scheme is incompatible with storing
+ private keys as seeds, so we store the secret scalar alongside the
+ PRF secret, and just pay the cost of recomputing the public key when
+ importing an ED25519-V3 key.]
(The "NEW:BEST" option obeys the HiddenServiceVersion torrc option default
value. Currently it is 2.)
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits