[tor-commits] [stem/master] Faster ed25519 blinding
atagar at torproject.org
atagar at torproject.org
Fri Nov 22 21:31:46 UTC 2019
commit a1d5d9726e3653f58035c76420582059b0c86d13
Author: Damian Johnson <atagar at torproject.org>
Date: Fri Nov 22 13:22:50 2019 -0800
Faster ed25519 blinding
Thanks to Paul ed25519 blinding is now fully two orders of magnitude faster!
https://github.com/pyca/cryptography/issues/5068
Replaced slow_ed25519.py with an optimized implementation from...
https://github.com/pyca/ed25519/
This changes the runtime of test_blinding as follows:
Python 2.7: 2.25s => 20 ms
Python 3.5: 1.83s => 19 ms
---
stem/descriptor/hidden_service.py | 44 ++---
stem/util/ed25519.py | 311 ++++++++++++++++++++++++++++++
stem/util/slow_ed25519.py | 171 ----------------
stem/util/test_tools.py | 11 ++
test/settings.cfg | 4 +-
test/unit/descriptor/hidden_service_v3.py | 4 +-
6 files changed, 347 insertions(+), 198 deletions(-)
diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py
index 94edeba4..ea1ae739 100644
--- a/stem/descriptor/hidden_service.py
+++ b/stem/descriptor/hidden_service.py
@@ -51,7 +51,6 @@ import stem.util.tor_tools
from stem.client.datatype import CertType
from stem.descriptor.certificate import ExtensionType, Ed25519Extension, Ed25519Certificate, Ed25519CertificateV1
-from stem.util import slow_ed25519
from stem.descriptor import (
PGP_BLOCK_END,
@@ -917,10 +916,8 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor):
Construction through this method can supply any or none of these, with
omitted parameters populated with randomized defaults.
- `Ed25519 key blinding takes several seconds
- <https://github.com/pyca/cryptography/issues/5068>`_, and as such is
- disabled if a **blinding_nonce** is not provided. To blind with a random
- nonce simply call...
+ Ed25519 key blinding adds an additional ~20 ms, and as such is disabled by
+ default. To blind with a random nonce simply call...
::
@@ -1302,13 +1299,16 @@ class InnerLayer(Descriptor):
def _blinded_pubkey(identity_key, blinding_nonce):
- mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(blinding_nonce, i) for i in range(3, slow_ed25519.b - 2))
- P = slow_ed25519.decodepoint(stem.util._pubkey_bytes(identity_key))
- return slow_ed25519.encodepoint(slow_ed25519.scalarmult(P, mult))
+ from stem.util import ed25519
+
+ mult = 2 ** (ed25519.b - 2) + sum(2 ** i * ed25519.bit(blinding_nonce, i) for i in range(3, ed25519.b - 2))
+ P = ed25519.decodepoint(stem.util._pubkey_bytes(identity_key))
+ return ed25519.encodepoint(ed25519.scalarmult(P, mult))
def _blinded_sign(msg, identity_key, blinded_key, blinding_nonce):
from cryptography.hazmat.primitives import serialization
+ from stem.util import ed25519
identity_key_bytes = identity_key.private_bytes(
encoding = serialization.Encoding.Raw,
@@ -1318,28 +1318,28 @@ def _blinded_sign(msg, identity_key, blinded_key, blinding_nonce):
# pad private identity key into an ESK (encrypted secret key)
- h = slow_ed25519.H(identity_key_bytes)
- a = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(h, i) for i in range(3, slow_ed25519.b - 2))
- k = b''.join([h[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)])
- esk = slow_ed25519.encodeint(a) + k
+ h = ed25519.H(identity_key_bytes)
+ a = 2 ** (ed25519.b - 2) + sum(2 ** i * ed25519.bit(h, i) for i in range(3, ed25519.b - 2))
+ k = b''.join([h[i:i + 1] for i in range(ed25519.b // 8, ed25519.b // 4)])
+ esk = ed25519.encodeint(a) + k
# blind the ESK with this nonce
- mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(blinding_nonce, i) for i in range(3, slow_ed25519.b - 2))
- s = slow_ed25519.decodeint(esk[:32])
- s_prime = (s * mult) % slow_ed25519.l
+ mult = 2 ** (ed25519.b - 2) + sum(2 ** i * ed25519.bit(blinding_nonce, i) for i in range(3, ed25519.b - 2))
+ s = ed25519.decodeint(esk[:32])
+ s_prime = (s * mult) % ed25519.l
k = esk[32:]
- k_prime = slow_ed25519.H(b'Derive temporary signing key hash input' + k)[:32]
- blinded_esk = slow_ed25519.encodeint(s_prime) + k_prime
+ k_prime = ed25519.H(b'Derive temporary signing key hash input' + k)[:32]
+ blinded_esk = ed25519.encodeint(s_prime) + k_prime
# finally, sign the message
- a = slow_ed25519.decodeint(blinded_esk[:32])
- r = slow_ed25519.Hint(b''.join([blinded_esk[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) + msg)
- R = slow_ed25519.scalarmult(slow_ed25519.B, r)
- S = (r + slow_ed25519.Hint(slow_ed25519.encodepoint(R) + blinded_key + msg) * a) % slow_ed25519.l
+ a = ed25519.decodeint(blinded_esk[:32])
+ r = ed25519.Hint(b''.join([blinded_esk[i:i + 1] for i in range(ed25519.b // 8, ed25519.b // 4)]) + msg)
+ R = ed25519.scalarmult(ed25519.B, r)
+ S = (r + ed25519.Hint(ed25519.encodepoint(R) + blinded_key + msg) * a) % ed25519.l
- return slow_ed25519.encodepoint(R) + slow_ed25519.encodeint(S)
+ return ed25519.encodepoint(R) + ed25519.encodeint(S)
# TODO: drop this alias in stem 2.x
diff --git a/stem/util/ed25519.py b/stem/util/ed25519.py
new file mode 100644
index 00000000..67b2db3c
--- /dev/null
+++ b/stem/util/ed25519.py
@@ -0,0 +1,311 @@
+# The following is copied from...
+#
+# https://github.com/pyca/ed25519
+#
+# This is under the CC0 license. For more information please see...
+#
+# https://github.com/pyca/cryptography/issues/5068
+
+
+# ed25519.py - Optimized version of the reference implementation of Ed25519
+#
+# Written in 2011? by Daniel J. Bernstein <djb at cr.yp.to>
+# 2013 by Donald Stufft <donald at stufft.io>
+# 2013 by Alex Gaynor <alex.gaynor at gmail.com>
+# 2013 by Greg Price <price at mit.edu>
+#
+# To the extent possible under law, the author(s) have dedicated all copyright
+# and related and neighboring rights to this software to the public domain
+# worldwide. This software is distributed without any warranty.
+#
+# You should have received a copy of the CC0 Public Domain Dedication along
+# with this software. If not, see
+# <http://creativecommons.org/publicdomain/zero/1.0/>.
+
+"""
+NB: This code is not safe for use with secret keys or secret data.
+The only safe use of this code is for verifying signatures on public messages.
+
+Functions for computing the public key of a secret key and for signing
+a message are included, namely publickey_unsafe and signature_unsafe,
+for testing purposes only.
+
+The root of the problem is that Python's long-integer arithmetic is
+not designed for use in cryptography. Specifically, it may take more
+or less time to execute an operation depending on the values of the
+inputs, and its memory access patterns may also depend on the inputs.
+This opens it to timing and cache side-channel attacks which can
+disclose data to an attacker. We rely on Python's long-integer
+arithmetic, so we cannot handle secrets without risking their disclosure.
+"""
+
+import hashlib
+import operator
+import sys
+
+
+__version__ = "1.0.dev0"
+
+
+# Useful for very coarse version differentiation.
+PY3 = sys.version_info[0] == 3
+
+if PY3:
+ indexbytes = operator.getitem
+ intlist2bytes = bytes
+ int2byte = operator.methodcaller("to_bytes", 1, "big")
+else:
+ int2byte = chr
+ range = xrange
+
+ def indexbytes(buf, i):
+ return ord(buf[i])
+
+ def intlist2bytes(l):
+ return b"".join(chr(c) for c in l)
+
+
+b = 256
+q = 2 ** 255 - 19
+l = 2 ** 252 + 27742317777372353535851937790883648493
+
+
+def H(m):
+ return hashlib.sha512(m).digest()
+
+
+def pow2(x, p):
+ """== pow(x, 2**p, q)"""
+ while p > 0:
+ x = x * x % q
+ p -= 1
+ return x
+
+
+def inv(z):
+ """$= z^{-1} \mod q$, for z != 0"""
+ # Adapted from curve25519_athlon.c in djb's Curve25519.
+ z2 = z * z % q # 2
+ z9 = pow2(z2, 2) * z % q # 9
+ z11 = z9 * z2 % q # 11
+ z2_5_0 = (z11 * z11) % q * z9 % q # 31 == 2^5 - 2^0
+ z2_10_0 = pow2(z2_5_0, 5) * z2_5_0 % q # 2^10 - 2^0
+ z2_20_0 = pow2(z2_10_0, 10) * z2_10_0 % q # ...
+ z2_40_0 = pow2(z2_20_0, 20) * z2_20_0 % q
+ z2_50_0 = pow2(z2_40_0, 10) * z2_10_0 % q
+ z2_100_0 = pow2(z2_50_0, 50) * z2_50_0 % q
+ z2_200_0 = pow2(z2_100_0, 100) * z2_100_0 % q
+ z2_250_0 = pow2(z2_200_0, 50) * z2_50_0 % q # 2^250 - 2^0
+ return pow2(z2_250_0, 5) * z11 % q # 2^255 - 2^5 + 11 = q - 2
+
+
+d = -121665 * inv(121666) % q
+I = pow(2, (q - 1) // 4, q)
+
+
+def xrecover(y):
+ xx = (y * y - 1) * inv(d * y * y + 1)
+ x = pow(xx, (q + 3) // 8, q)
+
+ if (x * x - xx) % q != 0:
+ x = (x * I) % q
+
+ if x % 2 != 0:
+ x = q-x
+
+ return x
+
+
+By = 4 * inv(5)
+Bx = xrecover(By)
+B = (Bx % q, By % q, 1, (Bx * By) % q)
+ident = (0, 1, 1, 0)
+
+
+def edwards_add(P, Q):
+ # This is formula sequence 'addition-add-2008-hwcd-3' from
+ # http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html
+ (x1, y1, z1, t1) = P
+ (x2, y2, z2, t2) = Q
+
+ a = (y1-x1)*(y2-x2) % q
+ b = (y1+x1)*(y2+x2) % q
+ c = t1*2*d*t2 % q
+ dd = z1*2*z2 % q
+ e = b - a
+ f = dd - c
+ g = dd + c
+ h = b + a
+ x3 = e*f
+ y3 = g*h
+ t3 = e*h
+ z3 = f*g
+
+ return (x3 % q, y3 % q, z3 % q, t3 % q)
+
+
+def edwards_double(P):
+ # This is formula sequence 'dbl-2008-hwcd' from
+ # http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html
+ (x1, y1, z1, t1) = P
+
+ a = x1*x1 % q
+ b = y1*y1 % q
+ c = 2*z1*z1 % q
+ # dd = -a
+ e = ((x1+y1)*(x1+y1) - a - b) % q
+ g = -a + b # dd + b
+ f = g - c
+ h = -a - b # dd - b
+ x3 = e*f
+ y3 = g*h
+ t3 = e*h
+ z3 = f*g
+
+ return (x3 % q, y3 % q, z3 % q, t3 % q)
+
+
+def scalarmult(P, e):
+ if e == 0:
+ return ident
+ Q = scalarmult(P, e // 2)
+ Q = edwards_double(Q)
+ if e & 1:
+ Q = edwards_add(Q, P)
+ return Q
+
+
+# Bpow[i] == scalarmult(B, 2**i)
+Bpow = []
+
+
+def make_Bpow():
+ P = B
+ for i in range(253):
+ Bpow.append(P)
+ P = edwards_double(P)
+make_Bpow()
+
+
+def scalarmult_B(e):
+ """
+ Implements scalarmult(B, e) more efficiently.
+ """
+ # scalarmult(B, l) is the identity
+ e = e % l
+ P = ident
+ for i in range(253):
+ if e & 1:
+ P = edwards_add(P, Bpow[i])
+ e = e // 2
+ assert e == 0, e
+ return P
+
+
+def encodeint(y):
+ bits = [(y >> i) & 1 for i in range(b)]
+ return b''.join([
+ int2byte(sum([bits[i * 8 + j] << j for j in range(8)]))
+ for i in range(b//8)
+ ])
+
+
+def encodepoint(P):
+ (x, y, z, t) = P
+ zi = inv(z)
+ x = (x * zi) % q
+ y = (y * zi) % q
+ bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1]
+ return b''.join([
+ int2byte(sum([bits[i * 8 + j] << j for j in range(8)]))
+ for i in range(b // 8)
+ ])
+
+
+def bit(h, i):
+ return (indexbytes(h, i // 8) >> (i % 8)) & 1
+
+
+def publickey_unsafe(sk):
+ """
+ Not safe to use with secret keys or secret data.
+
+ See module docstring. This function should be used for testing only.
+ """
+ h = H(sk)
+ a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
+ A = scalarmult_B(a)
+ return encodepoint(A)
+
+
+def Hint(m):
+ h = H(m)
+ return sum(2 ** i * bit(h, i) for i in range(2 * b))
+
+
+def signature_unsafe(m, sk, pk):
+ """
+ Not safe to use with secret keys or secret data.
+
+ See module docstring. This function should be used for testing only.
+ """
+ h = H(sk)
+ a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
+ r = Hint(
+ intlist2bytes([indexbytes(h, j) for j in range(b // 8, b // 4)]) + m
+ )
+ R = scalarmult_B(r)
+ S = (r + Hint(encodepoint(R) + pk + m) * a) % l
+ return encodepoint(R) + encodeint(S)
+
+
+def isoncurve(P):
+ (x, y, z, t) = P
+ return (z % q != 0 and
+ x*y % q == z*t % q and
+ (y*y - x*x - z*z - d*t*t) % q == 0)
+
+
+def decodeint(s):
+ return sum(2 ** i * bit(s, i) for i in range(0, b))
+
+
+def decodepoint(s):
+ y = sum(2 ** i * bit(s, i) for i in range(0, b - 1))
+ x = xrecover(y)
+ if x & 1 != bit(s, b-1):
+ x = q - x
+ P = (x, y, 1, (x*y) % q)
+ if not isoncurve(P):
+ raise ValueError("decoding point that is not on curve")
+ return P
+
+
+class SignatureMismatch(Exception):
+ pass
+
+
+def checkvalid(s, m, pk):
+ """
+ Not safe to use when any argument is secret.
+
+ See module docstring. This function should be used only for
+ verifying public signatures of public messages.
+ """
+ if len(s) != b // 4:
+ raise ValueError("signature length is wrong")
+
+ if len(pk) != b // 8:
+ raise ValueError("public-key length is wrong")
+
+ R = decodepoint(s[:b // 8])
+ A = decodepoint(pk)
+ S = decodeint(s[b // 8:b // 4])
+ h = Hint(encodepoint(R) + pk + m)
+
+ (x1, y1, z1, t1) = P = scalarmult_B(S)
+ (x2, y2, z2, t2) = Q = edwards_add(R, scalarmult(A, h))
+
+ if (not isoncurve(P) or not isoncurve(Q) or
+ (x1*z2 - x2*z1) % q != 0 or (y1*z2 - y2*z1) % q != 0):
+ raise SignatureMismatch("signature does not pass verification")
diff --git a/stem/util/slow_ed25519.py b/stem/util/slow_ed25519.py
deleted file mode 100644
index b23bf57c..00000000
--- a/stem/util/slow_ed25519.py
+++ /dev/null
@@ -1,171 +0,0 @@
-# Public domain ed25519 implementation from...
-#
-# http://ed25519.cr.yp.to/python/ed25519.py
-#
-# It isn't constant-time. Don't use it except for testing. Also, see
-# warnings about how very slow it is. Only use this for generating
-# test vectors, I'd suggest.
-#
-# Cryptography replacement of this is pending...
-#
-# https://github.com/pyca/cryptography/issues/5068
-
-import hashlib
-import stem.prereq
-
-b = 256
-q = 2 ** 255 - 19
-l = 2 ** 252 + 27742317777372353535851937790883648493
-
-
-def int_to_byte(val):
- """
- Convert an integer to its byte value in an interpreter agnostic way.
- """
-
- return bytes([val]) if stem.prereq.is_python_3() else chr(val)
-
-
-def H(m):
- return hashlib.sha512(m).digest()
-
-
-def expmod(b, e, m):
- if e == 0:
- return 1
-
- t = expmod(b, e // 2, m) ** 2 % m
-
- if e & 1:
- t = (t * b) % m
-
- return t
-
-
-def inv(x):
- return expmod(x, q - 2, q)
-
-
-d = -121665 * inv(121666)
-I = expmod(2, (q - 1) // 4, q)
-
-
-def xrecover(y):
- xx = (y * y - 1) * inv(d * y * y + 1)
- x = expmod(xx, (q + 3) // 8, q)
-
- if (x * x - xx) % q != 0:
- x = (x * I) % q
-
- if x % 2 != 0:
- x = q - x
-
- return x
-
-
-By = 4 * inv(5)
-Bx = xrecover(By)
-B = [Bx % q, By % q]
-
-
-def edwards(P, Q):
- x1 = P[0]
- y1 = P[1]
- x2 = Q[0]
- y2 = Q[1]
- x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
- y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
- return [x3 % q, y3 % q]
-
-
-def scalarmult(P, e):
- if e == 0:
- return [0, 1]
-
- Q = scalarmult(P, e // 2)
- Q = edwards(Q, Q)
-
- if e & 1:
- Q = edwards(Q, P)
-
- return Q
-
-
-def encodeint(y):
- bits = [(y >> i) & 1 for i in range(b)]
- return b''.join([int_to_byte(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b // 8)])
-
-
-def encodepoint(P):
- x = P[0]
- y = P[1]
- bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1]
-
- return b''.join([int_to_byte(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b // 8)])
-
-
-def bit(h, i):
- return (ord(h[i // 8:i // 8 + 1]) >> (i % 8)) & 1
-
-
-def publickey(sk):
- h = H(sk)
- a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
- A = scalarmult(B, a)
-
- return encodepoint(A)
-
-
-def Hint(m):
- h = H(m)
- return sum(2 ** i * bit(h, i) for i in range(2 * b))
-
-
-def signature(m, sk, pk):
- h = H(sk)
- a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
- r = Hint(b''.join([h[i:i + 1] for i in range(b // 8, b // 4)]) + m)
- R = scalarmult(B, r)
- S = (r + Hint(encodepoint(R) + pk + m) * a) % l
- return encodepoint(R) + encodeint(S)
-
-
-def isoncurve(P):
- x = P[0]
- y = P[1]
- return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0
-
-
-def decodeint(s):
- return sum(2 ** i * bit(s, i) for i in range(0, b))
-
-
-def decodepoint(s):
- y = sum(2 ** i * bit(s, i) for i in range(0, b - 1))
- x = xrecover(y)
-
- if x & 1 != bit(s, b - 1):
- x = q - x
-
- P = [x, y]
-
- if not isoncurve(P):
- raise Exception('decoding point that is not on curve')
-
- return P
-
-
-def checkvalid(s, m, pk):
- if len(s) != b // 4:
- raise Exception('signature length is wrong')
-
- if len(pk) != b // 8:
- raise Exception('public-key length is wrong')
-
- R = decodepoint(s[0:b // 8])
- A = decodepoint(pk)
- S = decodeint(s[b // 8:b // 4])
- h = Hint(encodepoint(R) + pk + m)
-
- if scalarmult(B, S) != edwards(R, scalarmult(A, h)):
- raise Exception('signature does not pass verification')
diff --git a/stem/util/test_tools.py b/stem/util/test_tools.py
index 03741d98..36c88f6a 100644
--- a/stem/util/test_tools.py
+++ b/stem/util/test_tools.py
@@ -455,6 +455,7 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa
ignore_rules = []
ignore_for_file = []
+ ignore_all_for_files = []
for rule in CONFIG['pycodestyle.ignore'] + CONFIG['pep8.ignore']:
if '=>' in rule:
@@ -463,6 +464,8 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa
if ':' in rule_entry:
rule, code = rule_entry.split(':', 1)
ignore_for_file.append((path.strip(), rule.strip(), code.strip()))
+ elif rule_entry.strip() == '*':
+ ignore_all_for_files.append(path.strip())
else:
ignore_rules.append(rule)
@@ -471,6 +474,10 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa
if path.endswith(ignored_path) and ignored_rule == rule and code.strip().startswith(ignored_code):
return True
+ for ignored_path in ignore_all_for_files:
+ if path.endswith(ignored_path):
+ return True
+
return False
if is_pycodestyle_available():
@@ -488,6 +495,10 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa
is_block_comment = False
+ for ignored_path in ignore_all_for_files:
+ if filename.endswith(ignored_path):
+ return
+
for index, line in enumerate(lines):
content = line.split('#', 1)[0].strip()
diff --git a/test/settings.cfg b/test/settings.cfg
index 5443df41..2e7b7a80 100644
--- a/test/settings.cfg
+++ b/test/settings.cfg
@@ -169,6 +169,8 @@ pycodestyle.ignore E127
pycodestyle.ignore E131
pycodestyle.ignore E722
+pycodestyle.ignore stem/util/ed25519.py => *
+
pycodestyle.ignore stem/__init__.py => E402: import stem.util.connection
pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.bandwidth_file
pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.extrainfo_descriptor
@@ -177,8 +179,6 @@ pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.m
pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.networkstatus
pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.server_descriptor
pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.tordnsel
-pycodestyle.ignore stem/util/slow_ed25519.py => E741: l = 2 ** 252 + 27742317777372353535851937790883648493
-pycodestyle.ignore stem/util/slow_ed25519.py => E741: I = expmod(2, (q - 1) // 4, q)
pycodestyle.ignore test/unit/util/connection.py => W291: _tor tor 15843 10 pipe 0x0 state:
pycodestyle.ignore test/unit/util/connection.py => W291: _tor tor 15843 11 pipe 0x0 state:
diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py
index 715a2b65..cb1e9c68 100644
--- a/test/unit/descriptor/hidden_service_v3.py
+++ b/test/unit/descriptor/hidden_service_v3.py
@@ -463,9 +463,7 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase):
@test.require.ed25519_support
def test_blinding(self):
"""
- Create a descriptor with key blinding. `This takes a while
- <https://github.com/pyca/cryptography/issues/5068>`_, so we should not do
- this more than once.
+ Create a descriptor with key blinding.
"""
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
More information about the tor-commits
mailing list