[tor-dev] Interest in collaborating on a standard Ed25519 key blinding scheme?

Ian Goldberg iang at cs.uwaterloo.ca
Sat Apr 15 20:00:39 UTC 2017

Note that the torsion-safe method explicitly *does* result in the low 3
bits being "000".  It does not explicity preserve the top bits being
"10", because in discussion, we could not determine an actual reason for
them to be fixed in that way.

Another thing to keep an eye on is how one produces subsequent blinded
values after the first.  If you use additive blinding, and you produce
the next blinded value by re-blinding the last blinded value with the
*same* blinding factor (i.e. P -> P + b*G -> P + (2b)*G -> P + (3b)*G,
etc.), then all of the pubkeys on that chain are linkable together as
coming from the same chain.

If you use multiplicative blinding, or derive new blinding factors each
time, and/or reblind the original P (i.e. P -> b_1 * P -> b_2 * P ->
b_3 * P where the b_i are either independent or even b_i = b^i
(multiplicatively blind by b in a chain)), the values are not linkable.
[Independently multiplicatively reblinding the original value is what
the Tor proposal does.]

   - Ian

More information about the tor-dev mailing list