[tor-bugs] #12980 [Tor]: Implement ed25519 primitives for proposals 220, 224, 228

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Aug 30 02:48:25 UTC 2014


#12980: Implement ed25519 primitives for proposals 220, 224, 228
------------------------+-----------------------------------------------
     Reporter:  nickm   |      Owner:
         Type:  defect  |     Status:  needs_review
     Priority:  major   |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:  tor-relay prop220 prop224 prop228
Actual Points:          |  Parent ID:
       Points:          |
------------------------+-----------------------------------------------

Comment (by NickHopper):

 Replying to [comment:3 nickm]:


 > In Nick Hopper's writeup, he changes the formula for ''r'' in blinded
 > signatures from ''H(k,m)'' to ''H(k,t,m)''.  To simplify the logic, I went
 > with ''H(H(k,s_t), m)'' -- this allows me to derive secret keys
 > ''(a',k')'' as ''a'=s_t * a'', ''k' = H(k,s_t)''. Does this also work?


 Yes, this will work without breaking the security proof.

 > I'm using 's_t' in place of 't' nearly everywhere.


 I only see one place t is used other than in the derivation of s_t, in the
 derivation of the secret key k_t.  Using s_t in place of t should be fine
 here, since the security proof only relies on the reduction knowing s_t.


 > AFAICT, Nick's document doesn't mention exactly ''how'' to multiply
 > ''a'' by ''s_t''.  I'm doing it modulo the group order ''l'' -- I think
 > that's right.  I'm also applying the regular secret-key bit-manipulations
 > to 's_t' before I multiply by it.  It appears to be necessary to clear the
 > high bits -- is it safe to leave the low bits uncleared?

 Reducing a' modulo l is right.  It's my understanding that it's always
 safe to leave the low bits of an exponent in Ed25519 uncleared - clearing
 them is just a small optimization.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12980#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
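
The derivation discussed in the comment above (a' = s_t * a mod l, k' = H(k, s_t), r = H(k', m)), as an added example that is not part of the original message and is not Tor's code: it blinds a key pair and checks that a signature made with (a', k') verifies under the publicly computed A' = s_t * A. Assumptions: H is SHA-512, s_t is hashed as 32 little-endian bytes, k' is truncated to 32 bytes, s_t gets the full clamping, and all inputs are constructed sample values.

```python
import hashlib
p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493   # group order
d = -121665 * pow(121666, -1, p) % p

def H(*parts):        # assumption: H is SHA-512 over the concatenated inputs
    return hashlib.sha512(b"".join(parts)).digest()
def num(b):
    return int.from_bytes(b, "little")
def clamp(b):         # the regular Ed25519 secret-key bit manipulations
    return (num(b[:32]) & ~7 & ~(1 << 255)) | (1 << 254)

def add(P, Q):        # extended coordinates (X, Y, Z, T)
    A, B = (P[1]-P[0])*(Q[1]-Q[0]) % p, (P[1]+P[0])*(Q[1]+Q[0]) % p
    C, D = 2*P[3]*Q[3]*d % p, 2*P[2]*Q[2] % p
    return ((B-A)*(D-C) % p, (D+C)*(B+A) % p, (D-C)*(D+C) % p, (B-A)*(B+A) % p)
def mul(s, P):        # double-and-add; fine for a demo, not constant-time
    Q = (0, 1, 1, 0)
    while s:
        Q, P, s = (add(Q, P) if s & 1 else Q), add(P, P), s >> 1
    return Q
def enc(P):           # 32-byte point encoding: y with the sign of x in the top bit
    zi = pow(P[2], -1, p)
    return (P[1]*zi % p | ((P[0]*zi % p & 1) << 255)).to_bytes(32, "little")

By = 4 * pow(5, -1, p) % p                       # base point: y = 4/5, x even
x2 = (By*By - 1) * pow(d*By*By + 1, -1, p) % p
Bx = pow(x2, (p+3)//8, p)
Bx = Bx if Bx*Bx % p == x2 else Bx * pow(2, (p-1)//4, p) % p
Bx = p - Bx if Bx & 1 else Bx
BASE = (Bx, By, 1, Bx*By % p)

def blind_secret(a, k, s_t):   # a' = s_t * a mod l,  k' = H(k, s_t)
    return s_t * a % l, H(k, s_t.to_bytes(32, "little"))[:32]
def sign(a, k, A, m):          # r = H(k, m); with k' this is H(H(k, s_t), m)
    r = num(H(k, m)) % l
    R = enc(mul(r, BASE))
    return R + ((r + num(H(R, enc(A), m)) * a) % l).to_bytes(32, "little")
def verify(A, m, sig):         # accept iff S*B - h*A encodes to R
    h = num(H(sig[:32], enc(A), m)) % l
    return enc(add(mul(num(sig[32:]), BASE), mul(l - h, A))) == sig[:32]

def demo():   # constructed inputs, not values from the ticket
    hs = H(b"constructed long-term seed")
    a, k, s_t = clamp(hs), hs[32:], clamp(H(b"constructed blinding input"))
    a_b, k_b = blind_secret(a, k, s_t)
    A_b = mul(s_t, mul(a, BASE))      # public side: A' = s_t * A, no secret needed
    sig = sign(a_b, k_b, A_b, b"msg")
    return enc(A_b) == enc(mul(a_b, BASE)), verify(A_b, b"msg", sig)
print(demo())
```
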

