Re: [tor-bugs] #22052 [Core Tor/Tor]: Synchronize prop224 key blinding spec with implementation
#22052: Synchronize prop224 key blinding spec with implementation
------------------------------------+------------------------------------
 Reporter:  asn                     |          Owner:  asn
     Type:  defect                  |         Status:  assigned
 Priority:  Medium                  |      Milestone:  Tor: 0.3.1.x-final
Component:  Core Tor/Tor            |        Version:
 Severity:  Normal                  |     Resolution:
 Keywords:  tor-hs prop224 ed25519  | Actual Points:
Parent ID:  #21888                  |         Points:  1
 Reviewer:                          |        Sponsor:
------------------------------------+------------------------------------
Changes (by asn):
* cc: nickm (added)
Comment:
Here are a few places where the Tor code diverges from the spec. I'm CCing Nick here since he is the author of the ed25519 blinding code.
----
In `ed25519_donna_gettweak()` tor clamps the blinding factor `h` before using it to calculate `a' = h*a` and `A' = h*A`:
{{{
static void
ed25519_donna_gettweak(unsigned char *out, const unsigned char *param)
{
...
out[0] &= 248; /* Is this necessary ? */
out[31] &= 63;
out[31] |= 64;
}
}}}
As discussed in [tor-dev] and [curves], clamping is not necessary for us because we are only dealing with signatures:
https://moderncrypto.org/mail-archive/curves/2017/000874.html
Also, starting in #22006 we validate received ed25519 pubkeys so we are not afraid that a received onion address pubkey will have a torsion component (hence clearing the lowest three bits is not necessary).
I actually don't think that clamping there is a terrible thing to do, but it reduces the strength of the blinding factor by 3 bits or something. I'm not sure if we should go ahead and remove the clamping or not, but we should probably mention it in the spec if we do keep it.
----
The Tor ed25519 implementation also adds a constant string to the hash input of the extended secret key form like this:
{{{
static const char str[] = "Derive temporary signing key hash input";
...
ed25519_hash_init(&ctx);
ed25519_hash_update(&ctx, (const unsigned char*)str, strlen(str));
ed25519_hash_update(&ctx, inp + 32, 32);
ed25519_hash_final(&ctx, tweak);
memcpy(out + 32, tweak, 32);
}}}
We should probably specify this as it's not in the spec.
----
The Tor ed25519 implementation also adds a constant string to the computation of the blinding factor. Making it:
{{{
static const char str[] = "Derive temporary signing key hash input";
...
h = H(str | A | s | B | N)
}}}
We should specify this as it's not in the spec.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22052#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
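Added worked example (not part of the ticket and not Tor's code): a pure-Python model of the blinding the comment above describes, so the three points (the clamp in `ed25519_donna_gettweak()`, the extra string in the nonce-prefix hash, and `h = H(str | A | s | B | N)`) can be exercised end to end. It checks that the service side (`a' = h*a mod l`) and the client side (`A' = h*A`) derive the same blinded public key whether or not `h` is clamped, and it shows what the cleared low bits actually buy: with an order-4 torsion point `T` added to an unvalidated public key, `h*(A+T)` only equals `h*A` when 4 divides `h`, which the clamp guarantees and which #22006-style validation makes unnecessary. Assumptions of this example: `H` is SHA3-256, `s` is empty, the nonce `N` is the literal `key-blind`, the seed is a constructed sample, and the string `STR` is the one quoted in the ticket; the curve arithmetic follows the public-domain Ed25519 reference code and is slow.

```python
"""Ed25519 key blinding as discussed in this ticket: a' = h*a mod l on the
service side, A' = h*A on the client side, with an optional clamp of h.
Affine curve arithmetic after the public-domain Ed25519 reference code.
H (taken as SHA3-256), the nonce N and the empty secret s are assumptions
of this example, not Tor's exact construction."""
import hashlib

q = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of base point B

def inv(x):
    return pow(x, q - 2, q)

d = (-121665 * inv(121666)) % q
SQRT_M1 = pow(2, (q - 1) // 4, q)                      # sqrt(-1) mod q

def xrecover(y):
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * SQRT_M1) % q
    return q - x if x % 2 else x

By = (4 * inv(5)) % q
B = (xrecover(By), By)                                 # Ed25519 base point

def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
    return (x3 % q, y3 % q)

def scalarmult(P, e):
    """Left-to-right double-and-add; (0, 1) is the neutral element."""
    R = (0, 1)
    for bit in bin(e)[2:]:
        R = edwards_add(R, R)
        if bit == "1":
            R = edwards_add(R, P)
    return R

def encodepoint(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decodepoint(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    return (q - x if (x & 1) != (s[31] >> 7) else x, y)

def clamp(k):
    """The clamp in the ticket's ed25519_donna_gettweak()."""
    k = bytearray(k)
    k[0] &= 248            # clear the low three bits (kills 8-torsion)
    k[31] &= 63
    k[31] |= 64
    return bytes(k)

def expand_secret(seed):
    """Standard expansion: SHA-512(seed) -> clamped scalar a | nonce prefix."""
    h = hashlib.sha512(seed).digest()
    return clamp(h[:32]) + h[32:]

def public_key(expanded):
    return encodepoint(scalarmult(B, int.from_bytes(expanded[:32], "little")))

STR = b"Derive temporary signing key hash input"      # string quoted in the ticket
SEED = bytes(range(32))                                # constructed sample seed

def blinding_param(pubkey, s, nonce, do_clamp):
    """h = H(str | A | s | B | N) as written in the ticket, with B encoded."""
    h = hashlib.sha3_256(STR + pubkey + s + encodepoint(B) + nonce).digest()
    return clamp(h) if do_clamp else h

def blind_secret(expanded, h):
    """Service side: a' = h*a mod l, plus the fresh nonce prefix
    SHA-512(str | old prefix)[:32] from the ticket's second snippet."""
    a = int.from_bytes(expanded[:32], "little")
    a_blind = (int.from_bytes(h, "little") * a) % L
    prefix = hashlib.sha512(STR + expanded[32:]).digest()[:32]
    return a_blind.to_bytes(32, "little") + prefix

def blind_public(pubkey, h):
    """Client side: A' = h*A from the public key alone."""
    return encodepoint(scalarmult(decodepoint(pubkey), int.from_bytes(h, "little")))

def blinding_consistent(do_clamp):
    """Both sides must arrive at the same blinded public key."""
    sk = expand_secret(SEED)
    A = public_key(sk)
    h = blinding_param(A, b"", b"key-blind", do_clamp)
    return public_key(blind_secret(sk, h)) == blind_public(A, h)

def torsion_neutralised(h_int):
    """Why the low-bit clamp matters if pubkeys are not validated: with T an
    order-4 torsion point, h*(A+T) == h*A only when 4 divides h."""
    T = (SQRT_M1, 0)                                   # -x^2 + y^2 = 1 holds
    A = decodepoint(public_key(expand_secret(SEED)))
    return scalarmult(edwards_add(A, T), h_int) == scalarmult(A, h_int)
```

`blinding_consistent(True)` and `blinding_consistent(False)` both return `True`, because `B` has order `l` and so `(h*a mod l)*B == h*(a*B)` regardless of how `h` was produced; `torsion_neutralised(3)` returns `False` while any clamped `h` returns `True`, which is the 3-bit trade-off the comment weighs against pubkey validation.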