[tor-dev] Interest in collaborating on a standard Ed25519 key blinding scheme?

Subject: [tor-dev] Interest in collaborating on a standard Ed25519 key blinding scheme?

From: Tony Arcieri <bascule@xxxxxxxxx>

Date: Tue, 21 Mar 2017 13:46:53 -0700

Delivery-date: Tue, 21 Mar 2017 16:47:30 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=//72IcUTMmZXvqf3ZknsDZ94wRwSf2M/LkjMjoTpx2w=; b=hma9Dos3N2jmoaxZH5w7YW3cWSIcQtUXW7rnuTeajlYveyYJ56ij3Z9ZZRepAf3uun axYMQ1XX/Kgig9uoar9XRe0cSIC7bEkZ4DOo4K3YS7KKte4WTpQBkzs7YA1Rgvd/oEBb 2GHhuoHaHjR2jCetZr93tCiH3sItqQWfj0I3+Ygd2euNepowLp7wuEMRrRQUUqwdaTz2 vrRIC6j2omNr9zKNH0ekqanRoMKCJ1SmNL8AG04Qq/1oMzW9/eNvblTAUBp+qAsV+0Mr no5EUZ9iYkH6Avuixu/wPS9dftYH0m8a0xs0cEVnv5/AFgiosf6+io1p4FA5OjWEVvCM fn/w==

List-archive: <http://lists.torproject.org/pipermail/tor-dev/>

List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>

List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>

List-post: <mailto:tor-dev@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>

Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

I'm trying to gauge interest on the IRTF's CFRG mailing list regarding collaborating on a draft for a standard Ed25519 hierarchical derivation / key blinding scheme:

https://mailarchive.ietf.org/arch/msg/cfrg/lM1ix9R-0tVzhZorQhQlKvi4wpA

The post makes several mentions of Tor's work in the space in regard to the next-generation hidden services design.

I think it'd be great if Tor were to collaborate on the design of such a scheme and adopt it for the new hidden services design. I see a lot of convergent evolution in this space and think it would be great if there were a single standard everyone could implement.

Even if you don't, I think there are some ideas from similar schemes Tor should fold back into its own design, particularly in regard to how certain bits of the private scalar are "clamped". Some discussion of that here:

https://moderncrypto.org/mail-archive/curves/2017/000862.html

tl;dr: clamp the third highest bit of the root scalar to zero (in addition to the bits normally clamped in the non-canonical Ed25519 private scalar), and use 224-bit child scalars.

Tony Arcieri

_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev