[tor-commits] [torspec/main] Clarify how we derive ed25519 for cross-certification.

dgoulet at torproject.org dgoulet at torproject.org
Tue Dec 14 17:58:47 UTC 2021 

commit 57d1e7d163910781b8b08dbbaa397c1d7c06abb7
Author: Nick Mathewson <nickm at torproject.org>
Date:   Wed Dec 8 11:25:09 2021 -0500

    Clarify how we derive ed25519 for cross-certification.
    
    The descriptor format uses a curve25519->ed25519 conversion
    algorithm to cross-certify descriptors with their ntor onion keys.
    
    This patch clarifies two aspects of the algorithm:
    
    1. When deriving a private key, how to derive the part of the
       private key that _isn't_ a point on the curve.
    
    2. That there are two algorithms here, one for private->private and
       one for public->public.
---
 dir-spec.txt | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/dir-spec.txt b/dir-spec.txt
index 543e341..0eb174a 100644
--- a/dir-spec.txt
+++ b/dir-spec.txt
@@ -4162,10 +4162,20 @@ C. Converting a curve25519 public key to an ed25519 public key
    [Recomputing the sign bit from the private key every time sounds
    rather strange and inefficient to me… —isis]
 
-   Alternatively, without access to the corresponding ed25519 private
-   key, one may use the Montgomery u-coordinate to recover the
-   Montgomery v-coordinate by computing the right-hand side of the
-   Montgomery curve equation:
+   Note that in addition to its coordinates, an expanded Ed25519 private key
+   also has a 32-byte random value, "prefix", used to compute internal `r`
+   values in the signature.  For security, this prefix value should be
+   derived deterministically from the curve25519 key.  The Tor
+   implementation derives it as SHA512(private_key | STR)[0..32], where
+   STR is the nul-terminated string:
+
+        "Derive high part of ed25519 key from curve25519 key\0"
+
+
+   On the client side, where there is no access to the curve25519 private
+   keys, one may use the curve25519 public key's Montgomery u-coordinate to
+   recover the Montgomery v-coordinate by computing the right-hand side of
+   the Montgomery curve equation:
 
          bv^2 = u(u^2 + au +1)

More information about the tor-commits mailing list