[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] One Valid Next-Generation Onion Address per Private Key



On Sun, Mar 26, 2017 at 10:39:08PM +1100, teor wrote:
> Hi all,
> 
> Most onion service users expect that there is only one valid onion
> address for their private key. (For example, one address is listed in
> SSL certificates.)
> 
> I spoke with Ian, and he said that as part of validating the onion
> address, we should check if it is a valid point.
> 
> He said we need to multiply the point by L, and make sure there's no
> torsion component (that is, that the result is the identity).
> 
> This avoids the complexity of choosing a canonical point using some
> lexicographic order, or the complexity of using something like decaf.
> 
> (Hopefully, Ian will write back if I transcribed things incorrectly.)

Just to transcribe the further conversation:

Yes, that's fine to make sure you're using a legitimate point, and not
one that's been munged, it turns out you don't need to do even that.
The reason is that the daily derived blinded point includes a hash of
the onion address, so if someone changes the onion address in any way,
the daily blinded version will be totally different, and the modified
address won't work, *even if* the contained public key is "equivalent"
to the original key.
-- 
Ian Goldberg
Professor and University Research Chair
Cheriton School of Computer Science
University of Waterloo
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev