[tor-commits] [torspec/master] dir-spec: Attempt to better document ECC key formats and sign bits.

isis at torproject.org isis at torproject.org
Mon Aug 7 23:46:03 UTC 2017


commit 2395f34affbe97c19d7bb9e3e288bc20d2249edd
Author: Isis Lovecruft <isis at torproject.org>
Date:   Mon Aug 7 23:45:30 2017 +0000

    dir-spec: Attempt to better document ECC key formats and sign bits.
---
 dir-spec.txt | 79 +++++++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 62 insertions(+), 17 deletions(-)

diff --git a/dir-spec.txt b/dir-spec.txt
index ec0b2ab..ade48ae 100644
--- a/dir-spec.txt
+++ b/dir-spec.txt
@@ -535,10 +535,13 @@
        [0a].  The signed key here is the master identity key.
 
        Bit must be "0" or "1".  It indicates the sign of the ed25519
-       public key corresponding to the ntor onion key.
+       public key corresponding to the ntor onion key.  If Bit is "0",
+       then implementations MUST guarantee that the x-coordinate of
+       the resulting ed25519 public key is positive.  Otherwise, if
+       Bit is "1", then the sign of the x-coordinate MUST be negative.
 
-       To compute the ed25519 public key corresponding to a
-       curve25519 key, see appendix C.
+       To compute the ed25519 public key corresponding to a curve25519
+       key, and for further explanation on key formats, see appendix C.
 
        This signature proves that the party creating the descriptor
        had control over the secret key corresponding to the
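Review bot: "positive" and "negative" in the added Bit sentences are not defined for an element of a prime field, so two implementations can read these MUSTs differently. State what Bit means concretely. In ed25519 point encoding the sign of x is the least significant bit of its canonical representative, so Bit "0" would mean that bit is 0 and Bit "1" that it is 1. Either say that here or say explicitly that the definition lives in appendix C. It is also unclear whom "implementations MUST guarantee" binds: the relay that generates the cross-certificate, or the party that reconstructs the ed25519 key to verify it. Naming the role would make the requirement testable.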
@@ -3688,24 +3691,66 @@ B. General-use HTTP URLs
 
 C. Converting a curve25519 public key to an ed25519 public key
 
-   Given a curve25519 x-coordinate (u), we can get the y coordinate
-   of the ed25519 key using
+   Given an X25519 key, that is, an affine point (u,v) on the
+   Montgomery curve defined by
 
-         y = (u-1)/(u+1)
+         bv^2 = u(u^2 + au +1)
 
-   and then we can apply the usual ed25519 point decompression
-   algorithm to find the x coordinate of the ed25519 point to check
-   signatures with.
+   where
 
-   Note that we need the sign of the X coordinate to do this
-   operation; otherwise, we'll have two possible X coordinates that
-   might have correspond to the key.  Therefore, we need the 'sign'
-   of the X coordinate, as used by the ed25519 key expansion
-   algorithm.
+         a = 486662
+         b = 1
 
-   To get the sign, the easiest way is to take the same private key,
-   feed it to the ed25519 public key generation algorithm, and see
-   what the sign is.
+   and comprised of the compressed form (i.e. consisting of only the
+   u-coordinate), we can retrieve the y-coordinate of the affine point
+   (x,y) on the twisted Edwards form of the curve defined by
+
+         -x^2 + y^2 = 1 + d x^2 y^2
+
+   where
+
+         d = - 121665/121666
+
+   by computing
+
+         y = (u-1)/(u+1).
+
+   and then we can apply the usual curve25519 twisted Edwards point
+   decompression algorithm to find _an_ x-coordinate of an affine
+   twisted Edwards point to check signatures with.  Signing keys for
+   ed25519 are compressed curve points in twisted Edwards form (so a
+   y-coordinate and the sign of the x-coordinate), and X25519 keys are
+   compressed curve points in Montgomery form (i.e. a u-coordinate).
+
+   However, note that compressed point in Montgomery form neglects to
+   encode what the sign of the corresponding twisted Edwards
+   x-coordinate would be.  Thus, we need the sign of the x-coordinate
+   to do this operation; otherwise, we'll have two possible
+   x-coordinates that might have correspond to the ed25519 public key.
+
+   To get the sign, the easiest way is to take the corresponding
+   private key, feed it to the ed25519 public key generation
+   algorithm, and see what the sign is.
+
+   [Recomputing the sign bit from the private key every time sounds
+   rather strange and inefficient to me… —isis]
+
+   Alternatively, without access to the corresponding ed25519 private
+   key, one may use the Montgomery u-coordinate to recover the
+   Montgomery v-coordinate by computing the right-hand side of the
+   Montgomery curve equation:
+
+         bv^2 = u(u^2 + au +1)
+
+   where
+
+         a = 486662
+         b = 1
+
+   Then, knowing the intended sign of the Edwards x-coordinate, one
+   may recover said x-coordinate by computing:
+
+         x = (u/v) * sqrt(-a - 2)
 
 D. Inferring missing proto lines.
 
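Review bot: the paragraph starting "Alternatively, without access to the corresponding ed25519 private key" is introduced as a second way "to get the sign", but its last step begins "knowing the intended sign of the Edwards x-coordinate", so it takes the sign as input and does not recover it. As written, x = (u/v) * sqrt(-a - 2) is also determined only up to sign: v is obtained from v^2 and sqrt(-a - 2) is a field square root, each with two roots and no rule for picking one. Suggest rewording this as a way to compute x once Bit is known, and adding the final step explicitly (negate x if its sign does not match Bit). The appendix never states that the arithmetic is in the field modulo 2^255 - 19 or that division means multiplication by a modular inverse, and it does not cover the undefined inputs: u = -1 in y = (u-1)/(u+1), and v = 0 (for example u = 0) in u/v. Smaller points: the Montgomery equation and the a, b constants are given twice and the second copy could refer back to the first; the bracketed "[Recomputing the sign bit ... —isis]" remark reads as an open question and would sit better in the ticket or commit message than in normative text; and there are two typos, "note that compressed point" (missing "a") and "might have correspond".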


