On Thu, Jul 30, 2020 at 01:18:33PM +0300, George Kadianakis wrote:
Matthew Finkel sysrqb@torproject.org writes:
Hello everyone,
Hello hello!
These are all good questions and they become more and more important as the onionspace grows and more use cases appear.
<snip>
For computing the blinded key, the first 32 bytes of the long-term secret key (LH) are multiplied with a blinding factor (h*a mod l), see the specification for the value of **h** [4]. This becomes LH' (LH-prime). The second 32 bytes of the secret key (RH) are concatenated with a string prefix and then the SHA3-256 digest is computed of the concatenated string. The first 32 bytes of the resulting digest become RH' (RH-prime). LH' and RH' are used as regular ed25519 secret keys for signing and verifying messages following EdDSA.
Hmm, not sure about this last sentence. Are you implying that LH' and RH' are two different secret keys? Because I don't think that's the case. LH' and RH' are components of the final public/private keypair.
Yes, but no, your description of them as "components of" the keypair seems more correct than mine. My goal was simply to imply that both LH' and RH' are secret values and they are used as secret inputs into the signing procedure, and I wanted to make it clear that the blinding procedure begins with a valid ed25519 secret key and derives a valid ed25519 secret key in the same format as the original (specifically a LH value and a RH value).
Hopefully this clarification doesn't make it more confusing/wrong.