[tor-dev] One Valid Next-Generation Onion Address per Private Key

Ian Goldberg iang at cs.uwaterloo.ca
Sun Mar 26 20:22:42 UTC 2017

On Sun, Mar 26, 2017 at 10:39:08PM +1100, teor wrote:
> Hi all,
> Most onion service users expect that there is only one valid onion
> address for their private key. (For example, one address is listed in
> SSL certificates.)
> I spoke with Ian, and he said that as part of validating the onion
> address, we should check if it is a valid point.
> He said we need to multiply the point by L, and make sure there's no
> torsion component (that is, that the result is the identity).
> This avoids the complexity of choosing a canonical point using some
> lexicographic order, or the complexity of using something like decaf.
> (Hopefully, Ian will write back if I transcribed things incorrectly.)

Just to transcribe the further conversation:

Yes, that's fine to make sure you're using a legitimate point, and not
one that's been munged; it turns out you don't need to do even that.
The reason is that the daily derived blinded point includes a hash of
the onion address, so if someone changes the onion address in any way,
the daily blinded version will be totally different, and the modified
address won't work, *even if* the contained public key is "equivalent"
to the original key.

Ian Goldberg
Professor and University Research Chair
Cheriton School of Computer Science
University of Waterloo
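
Added example, not part of the original message or of Tor's code: a minimal Python sketch of the check described in the quoted text (decode the key, multiply by L, require the identity), run against a constructed key and the same key with an order-2 point added. The demo scalar, the period string and the `blinding_factor` hash layout are assumptions for illustration, not Tor's actual derivation.

```python
import hashlib

P = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
D = -121665 * pow(121666, -1, P) % P                 # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                    # sqrt(-1) mod P
IDENTITY = (0, 1)

def add(p, q):  # affine twisted Edwards addition (complete on ed25519)
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, p):  # double-and-add; not constant time, demo only
    r = IDENTITY
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def encode(p):  # 32-byte compressed form: y with the sign of x in bit 255
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def decode(b):  # returns None if the bytes are not a canonical curve point
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & (2**255 - 1)
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x = pow(u * pow(v, -1, P), (P + 3) // 8, P)      # candidate sqrt(u/v)
    if (x * x * v - u) % P:
        x = x * SQRT_M1 % P
    if y >= P or (x * x * v - u) % P or (x == 0 and sign):
        return None
    return (P - x if x & 1 != sign else x, y)

def is_torsion_free(b):  # the check from the thread: [L]A is the identity
    pt = decode(b)
    return pt is not None and mul(L, pt) == IDENTITY

def blinding_factor(key_bytes, period):  # simplified stand-in (assumption)
    h = hashlib.sha3_256(b"blind" + key_bytes + period).digest()
    return int.from_bytes(h, "little") % L

B = decode(bytes.fromhex("58" + "66" * 31))  # ed25519 base point
A = mul(0x1D0C5EED, B)                       # constructed demo key
A_MUNGED = add(A, (0, P - 1))                # same key plus an order-2 point
```

`A` and `A_MUNGED` agree after multiplication by the cofactor 8 but encode to different bytes, so the L-multiple check rejects the second, and any hash taken over the encoded key differs as well.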
