[tor-commits] [torspec/master] Tweak vanity onion scheme to avoid producing invalid keys
nickm at torproject.org
nickm at torproject.org
Fri Aug 12 17:04:46 UTC 2016
commit 999f249c9cd242098e651d1f2d828a00f468ccba
Author: teor (Tim Wilson-Brown) <teor2345 at gmail.com>
Date: Sun May 8 19:13:56 2016 -0400
Tweak vanity onion scheme to avoid producing invalid keys
Also add a reference implementation for the scheme.
---
proposals/224-rend-spec-ng.txt | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index bad3a47..c0326ea 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -1643,6 +1643,9 @@ References:
[SRV-TP-REFS]:
https://lists.torproject.org/pipermail/tor-dev/2016-April/010759.html
+[VANITY-REFS]:
+ https://github.com/Yawning/horse25519
+
Appendix A. Signature scheme with key blinding [KEYBLIND]
As described in [IMD:DIST] and [SUBCRED] above, we require a "key
@@ -1740,11 +1743,14 @@ Appendix C. Recommendations for searching for vanity .onions [VANITY]
While pk does not satisfy X:
- Add the number 1 to sk
- Add the scalar B to pk
+ Add the number 8 to sk
+ Add the scalar 8*B to pk
Return sk, pk.
+ We add 8 and 8*B, rather than 1 and B, so that sk is always a valid
+ Curve25519 private key, with the lowest 3 bits equal to 0.
+
This algorithm is safe [source: djb, personal communication] [TODO:
Make sure I understood correctly!] so long as only the final (sk,pk)
pair is used, and all previous values are discarded.
@@ -1753,6 +1759,9 @@ Appendix C. Recommendations for searching for vanity .onions [VANITY]
generated for each independent thread, and let each search proceed
independently.
+ See [VANITY-REFS] for a reference implementation of this vanity .onion
+ search scheme.
+
Appendix D. Numeric values reserved in this document
[TODO: collect all the lists of commands and values mentioned above]
More information about the tor-commits
mailing list