[tor-bugs] #22052 [Core Tor/Tor]: Synchronize prop224 key blinding spec with implementation

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 26 12:44:10 UTC 2017 

#22052: Synchronize prop224 key blinding spec with implementation
------------------------------------+------------------------------------
 Reporter:  asn                     |          Owner:  asn
     Type:  defect                  |         Status:  assigned
 Priority:  Medium                  |      Milestone:  Tor: 0.3.1.x-final
Component:  Core Tor/Tor            |        Version:
 Severity:  Normal                  |     Resolution:
 Keywords:  tor-hs prop224 ed25519  |  Actual Points:
Parent ID:  #21888                  |         Points:  1
 Reviewer:                          |        Sponsor:
------------------------------------+------------------------------------
Changes (by asn):

 * cc: nickm (added)


Comment:

 Here are a few places where the Tor code diverges from the spec. I'm CCing
 Nick here since he is the author of the ed25519 blinding code.

 ----

 In `ed25519_donna_gettweak()` tor clamps the blinding factor `h` before
 using
 it to calculate `a' = h*a` and `A' = h*A`:

 {{{
 static void
 ed25519_donna_gettweak(unsigned char *out, const unsigned char *param)
 {
 ...
   out[0] &= 248;  /* Is this necessary ? */
   out[31] &= 63;
   out[31] |= 64;
 }
 }}}

 As discussed in [tor-dev] and [curves], clamping is not necessary for us
 because we are only dealing with signatures:
    https://moderncrypto.org/mail-archive/curves/2017/000874.html

 Also, starting in #22006 we validate received ed25519 pubkeys so we are
 not
 afraid that a received onion address pubkey will have a torsion component
 (hence clearing the lowest three bits is not necessary).

 I actually don't think that clamping there is a terrible thing to do, but
 it
 reduces the strength of the blinding factor by 3 bits or something. I'm
 not
 sure if we should go ahead and remove the clamping or not, but we should
 probably mention it in the spec if we do keep it.

 ----

 The Tor ed25519 implementation also adds a constant string to the hash
 input of
 the extended secret key form like this:

 {{{
   static const char str[] = "Derive temporary signing key hash input";
 ...
   ed25519_hash_init(&ctx);
   ed25519_hash_update(&ctx, (const unsigned char*)str, strlen(str));
   ed25519_hash_update(&ctx, inp + 32, 32);
   ed25519_hash_final(&ctx, tweak);

   memcpy(out + 32, tweak, 32);
 }}}

 We should probably specify this as it's not in the spec.

 ----

 The Tor ed25519 implementation also adds a constant string to the
 computation
 of the blinding factor. Making it:

 {{{
    static const char str[] = "Derive temporary signing key hash input";
 ...
    h = H(str | A | s | B | N)
 }}}

 We should specify this as it's not in the spec.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22052#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list