[tor-dev] Safe Alternative Uses of Onion Service Keys

Matthew Finkel sysrqb at torproject.org
Thu Jul 30 14:06:52 UTC 2020


On Thu, Jul 30, 2020 at 01:18:33PM +0300, George Kadianakis wrote:
> Matthew Finkel <sysrqb at torproject.org> writes:
> 
> > Hello everyone,
> >
> 
> Hello hello!
> 
> These are all good questions and they become more and more important as
> the onionspace grows and more use cases appear.
> 
> > <snip>
> >
> > For computing the blinded key, the first 32 bytes of the long-term
> > secret key (LH) are multiplied with a blinding factor (h*a mod l), see
> > the specification for the value of **h** [4]. This becomes LH'
> > (LH-prime). The second 32 bytes of the secret key (RH) are concatenated
> > with a string prefix and then the SHA3-256 digest is computed of the
> > concatenated string. The first 32 bytes of the resulting digest become
> > RH' (RH-prime). LH' and RH' are used as regular ed25519 secret keys for
> > signing and verifying messages following EdDSA.
> >
> 
> Hmm, not sure about this last sentence. Are you implying that LH' and RH' are
> two different secret keys? Because I don't think that's the case. LH' and RH'
> are components of the final public/private keypair.
> 

Yes, but no, your description of them as "components of" the keypair
seems more correct than mine. My goal was simply to imply that both LH'
and RH' are secret values and they are used as secret inputs into the
signing procedure, and I wanted to make it clear that the blinding
procedure begins with a valid ed25519 secret key and derives a valid
ed25519 secret key in the same format as the original (specifically a LH
value and a RH value).

Hopefully this clarification doesn't make it more confusing/wrong.
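
The derivation discussed in this message, as an added example that is not part of the original email, the specification, or Tor's code: it blinds an expanded key (LH || RH) and checks that the result signs like any other ed25519 expanded key, with signatures verifying under the blinded public key h*A. Assumptions: the blinding factor `h` is supplied by the caller as an integer, `PREFIX` is a placeholder for the string prefix the specification defines, signing follows RFC 8032 (SHA-512), and all function names are illustrative.

```python
import hashlib
# Added illustration: names, sample key and blinding factor are constructed.
p, l = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493  # RFC 8032
d = -121665 * pow(121666, -1, p) % p
Bx = 15112221349535400772501151409588531511454012693041857206046113283949847762202
B = (Bx, 4 * pow(5, -1, p) % p, 1, Bx * 4 * pow(5, -1, p) % p)  # base point (X, Y, Z, T)
PREFIX = b"<string prefix from the spec>"  # placeholder, real value is in the spec

def add(P, Q):  # RFC 8032 extended-coordinate point addition
    m, n = (P[1]-P[0]) * (Q[1]-Q[0]) % p, (P[1]+P[0]) * (Q[1]+Q[0]) % p
    c, z = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    e, f, g, h = n - m, z - c, z + c, n + m
    return (e*f % p, g*h % p, f*g % p, e*h % p)

def mul(s, P):  # double-and-add, not constant time: illustration only
    Q = (0, 1, 1, 0)
    while s:
        if s & 1: Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q

def enc(P):  # 32-byte encoding: y, with the low bit of x in bit 255
    x, y = (c * pow(P[2], -1, p) % p for c in P[:2])
    return (y | (x & 1) << 255).to_bytes(32, "little")

def H(m):  # SHA-512 output as a scalar mod l
    return int.from_bytes(hashlib.sha512(m).digest(), "little") % l

def blind(secret, h):  # secret = LH || RH (64 bytes), h = blinding factor (int)
    lh2 = h * int.from_bytes(secret[:32], "little") % l          # LH' = h*a mod l
    rh2 = hashlib.sha3_256(PREFIX + secret[32:]).digest()[:32]   # RH'
    return lh2.to_bytes(32, "little") + rh2

def sign(secret, msg):  # EdDSA with an expanded key: scalar LH, nonce input RH
    a, r = int.from_bytes(secret[:32], "little"), H(secret[32:] + msg)
    R = enc(mul(r, B))
    S = (r + H(R + enc(mul(a, B)) + msg) * a) % l
    return R + S.to_bytes(32, "little")

def verify(A, msg, sig):  # A is a curve point; checks S*B - k*A == R
    S, k = int.from_bytes(sig[32:], "little"), H(sig[:32] + enc(A) + msg)
    return enc(add(mul(S, B), mul(l - k, A))) == sig[:32]

def demo():  # constructed key and blinding factor, not real values
    dg = hashlib.sha512(b"constructed seed, not a real key").digest()
    lh = int.from_bytes(dg[:32], "little") & ~7 & (2**255 - 1) | 2**254  # clamp
    h, A = H(b"constructed blinding factor"), mul(lh, B)
    sig = sign(blind(lh.to_bytes(32, "little") + dg[32:], h), b"msg")
    return verify(mul(h, A), b"msg", sig), verify(A, b"msg", sig)
```

`demo()` returns `(True, False)`: the signature made with LH' and RH' verifies under the blinded public key h*A and not under the original public key A.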

