[tor-dev] Interest in collaborating on a standard Ed25519 key blinding scheme?

Tony Arcieri bascule at gmail.com
Tue Mar 21 20:46:53 UTC 2017


I'm trying to gauge interest on the IRTF's CFRG mailing list regarding
collaborating on a draft for a standard Ed25519 hierarchical derivation /
key blinding scheme:

https://mailarchive.ietf.org/arch/msg/cfrg/lM1ix9R-0tVzhZorQhQlKvi4wpA

The post makes several mentions of Tor's work in the space in regard to the
next-generation hidden services design.

I think it'd be great if Tor were to collaborate on the design of such a
scheme and adopt it for the new hidden services design. I see a lot of
convergent evolution in this space and think it would be great if there
were a single standard everyone could implement.

Even if you don't, I think there are some ideas from similar schemes Tor
should fold back into its own design, particularly in regard to how certain
bits of the private scalar are "clamped". Some discussion of that here:

https://moderncrypto.org/mail-archive/curves/2017/000862.html

tl;dr: clamp the third highest bit of the root scalar to zero (in addition
to the bits normally clamped in the non-canonical Ed25519 private scalar),
and use 224-bit child scalars.

-- 
Tony Arcieri
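
An added illustration, not part of the message above and not code from Tor or the linked posts: it checks how much headroom the tl;dr's extra clamp gives before a derived scalar loses the clamped shape (low three bits clear, bit 254 set, nothing above). The additive step `parent + 8*z` and all function names are assumptions made for this sketch; the page itself only specifies the cleared bit and the 224-bit child size.

```python
import hashlib

def clamp_standard(h32: bytes) -> int:
    """Usual Ed25519 clamping of the first 32 bytes of SHA-512(seed)."""
    a = bytearray(h32)
    a[0] &= 0xF8    # clear the 3 low bits (multiple of the cofactor 8)
    a[31] &= 0x7F   # clear bit 255
    a[31] |= 0x40   # set bit 254
    return int.from_bytes(a, "little")

def clamp_root(h32: bytes) -> int:
    """Root clamping from the tl;dr: additionally clear bit 253."""
    return clamp_standard(h32) & ~(1 << 253)

def has_clamped_shape(k: int) -> bool:
    """Low 3 bits clear, bit 254 set, nothing at bit 255 or above."""
    return k % 8 == 0 and (k >> 254) == 1

def derive_child(parent: int, z: int) -> int:
    """ASSUMPTION (not stated on the page): additive step parent + 8*z."""
    if not 0 <= z < (1 << 224):
        raise ValueError("child scalar must fit in 224 bits")
    return parent + 8 * z

WORST_STEP = 8 * ((1 << 224) - 1)   # largest possible 8*z

def worst_root(extra_clamp: bool) -> int:
    """Largest scalar the chosen root clamping can produce."""
    top = (1 << 254) + (1 << 253) if extra_clamp else (1 << 255)
    return top - 8

def worst_case_after(depth: int, extra_clamp: bool = True) -> int:
    """Scalar after `depth` derivations that each add the maximum step."""
    return worst_root(extra_clamp) + depth * WORST_STEP

def max_safe_depth(extra_clamp: bool = True) -> int:
    """Deepest level at which even the worst case keeps the clamped shape."""
    return ((1 << 255) - 1 - worst_root(extra_clamp)) // WORST_STEP

# Constructed sample seed, for illustration only.
ROOT = clamp_root(hashlib.sha512(b"constructed example seed").digest()[:32])
CHILD = derive_child(ROOT, (1 << 224) - 1)
```

Under these assumptions `max_safe_depth()` is 2^26 with the extra clamp and 0 without it, since a standard-clamped root can already sit within one step of 2^255.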