commit 999f249c9cd242098e651d1f2d828a00f468ccba Author: teor (Tim Wilson-Brown) teor2345@gmail.com Date: Sun May 8 19:13:56 2016 -0400

Tweak vanity onion scheme to avoid producing invalid keys

Also add a reference implementation for the scheme. --- proposals/224-rend-spec-ng.txt | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt index bad3a47..c0326ea 100644 --- a/proposals/224-rend-spec-ng.txt +++ b/proposals/224-rend-spec-ng.txt @@ -1643,6 +1643,9 @@ References: [SRV-TP-REFS]: https://lists.torproject.org/pipermail/tor-dev/2016-April/010759.html

+[VANITY-REFS]: + https://github.com/Yawning/horse25519 + Appendix A. Signature scheme with key blinding [KEYBLIND]

As described in [IMD:DIST] and [SUBCRED] above, we require a "key @@ -1740,11 +1743,14 @@ Appendix C. Recommendations for searching for vanity .onions [VANITY]

While pk does not satisfy X:

- Add the number 1 to sk - Add the scalar B to pk + Add the number 8 to sk + Add the scalar 8*B to pk

Return sk, pk.

+ We add 8 and 8*B, rather than 1 and B, so that sk is always a valid + Curve25519 private key, with the lowest 3 bits equal to 0. + This algorithm is safe [source: djb, personal communication] [TODO: Make sure I understood correctly!] so long as only the final (sk,pk) pair is used, and all previous values are discarded. @@ -1753,6 +1759,9 @@ Appendix C. Recommendations for searching for vanity .onions [VANITY] generated for each independent thread, and let each search proceed independently.

+ See [VANITY-REFS] for a reference implementation of this vanity .onion + search scheme. + Appendix D. Numeric values reserved in this document

[TODO: collect all the lists of commands and values mentioned above]