[tor-dev] Interest in collaborating on a standard Ed25519 key blinding scheme?

Nick Mathewson nickm at alum.mit.edu
Thu Mar 30 16:06:54 UTC 2017

On Wed, Mar 22, 2017 at 12:07 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Wed, Mar 22, 2017 at 6:15 AM, Nick Mathewson <nickm at torproject.org>
> wrote:
>> Hi! I guess we could keep an eye on the process, though I don't know that
>> I'd have much to contribute myself: I'm more of a crypto consumer than a
>> crypto generator.  Maybe one of the developers who knows crypto better can
>> join in here?
> The main notable points of discussion so far have all been around preserving
> Ed25519's original "clamping" invariants. I didn't see any discussion of
> this in the current Tor spec.
>> As for adoption: we're on track to deploy next generation hidden services
>> some time this year, ideally in the next 4 or 5 months, so the window to
>> converge on a common system is small by standards-body standards.
> Yeah, that's a blink of an eye in the IETF timescale. However, I think if
> you incorporate some feedback into your current design and do end up
> shipping it before a draft standard undergoes the requisite bikeshedding,
> the "running code" aspect of Tor using it in the wild will probably help the
> standard converge around whatever you ship. Worked out for Ed25519 itself,
> anyway.

Fair enough.  My understanding right now is that a bunch of us think
this solution looks promising, and will probably be what we build,
unless it turns out to be bad or someone comes up with something even

Henry, Isis, Ian, George: Would one of you like to join in on the
CFRG thread about this?  I'm not sure I'm enough of a cryptographer to
be a good advocate here.

