commit 42e31d525b38fd8810006d7deacc8f41ef34db8d
Author: Filippo Valsorda hi@filippo.io
Date: Fri Nov 17 15:19:45 2017 -0500
rend-spec-v3: add details to blinding implementation (A.2.)
In particular, document how to derive the second half of the private key.
---
rend-spec-v3.txt | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt index d595268..e408e8b 100644 --- a/rend-spec-v3.txt +++ b/rend-spec-v3.txt @@ -2162,6 +2162,7 @@ A.2. Tor's key derivation scheme h = H(BLIND_STRING | A | s | B | N) BLIND_STRING = "Derive temporary signing key" | INT_1(0) N = "key-blind" | INT_8(period-number) | INT_8(period_length) + B = "(1511[...]2202, 4631[...]5960)"
then clamp the blinding factor 'h' according to the ed25519 spec:
@@ -2171,8 +2172,15 @@ A.2. Tor's key derivation scheme
and do the key derivation as follows:
- private key for the period: a' = h a - public key for the period: A' = h A = (ha)B + private key for the period: + + a' = h a mod l + RH' = SHA-512(RH_BLIND_STRING | RH)[:32] + RH_BLIND_STRING = "Derive temporary signing key hash input" + + public key for the period: + + A' = h A = (ha)B
Generating a signature of M: given a deterministic random-looking r (see EdDSA paper), take R=rB, S=r+hash(R,A',M)ah mod l. Send signature @@ -2185,6 +2193,8 @@ A.2. Tor's key derivation scheme = rB + (hash(R,A',M)ah)B = R + hash(R,A',M)A' )
+ This boils down to regular Ed25519 with key pair (a', A'). + See [KEYBLIND-REFS] for an extensive discussion on this scheme and possible alternatives. Also, see [KEYBLIND-PROOF] for a security proof of this scheme.
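Review bot: In the first hunk (@@ -2162,6 +2162,7), the added definition of B is written as a quoted string, but the line does not say whether H takes those ASCII characters or the 32-byte encoding of the basepoint. A in the same hash input is a point, so an implementer could reasonably encode B the same way and derive a different h. Suggest stating the encoding next to the definition, and moving it above N so the definitions follow the order of the fields in H(BLIND_STRING | A | s | B | N).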
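Review bot: In the second hunk (@@ -2171,8 +2172,15), RH is used in RH' = SHA-512(RH_BLIND_STRING | RH)[:32] without being defined; only the commit message hints that it is the second half of the private key. Suggest defining RH in the spec text itself, replacing the slice notation [:32] with wording such as "the first 32 bytes of", and saying whether RH_BLIND_STRING intentionally omits the INT_1(0) suffix that BLIND_STRING carries.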
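Review bot: In the third hunk (@@ -2185,6 +2193,8), "regular Ed25519 with key pair (a', A')" leaves out RH', which the previous hunk lists under the private key for the period. a' is a scalar rather than a seed, so passing it to a seed-based Ed25519 signing interface would hash and clamp it again and produce a different key. Suggest wording the sentence in terms of a', RH' and A', and stating whether r is derived from RH'.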
tor-commits@lists.torproject.org