#22052: Synchronize prop224 key blinding spec with implementation
------------------------------------+------------------------------------
     Reporter:  asn                 |          Owner:  asn
         Type:  defect              |         Status:  assigned
     Priority:  Medium              |      Milestone:  Tor: 0.3.1.x-final
    Component:  Core Tor/Tor        |        Version:
     Severity:  Normal              |     Resolution:
     Keywords:  tor-hs prop224      |  Actual Points:
  ed25519                           |
    Parent ID:  #21888              |         Points:  1
     Reviewer:                      |        Sponsor:
------------------------------------+------------------------------------
Changes (by asn):
 * cc: nickm (added)

Comment:

 Here are a few places where the Tor code diverges from the spec. I'm CCing
 Nick here since he is the author of the ed25519 blinding code.

 ----

 In `ed25519_donna_gettweak()` Tor clamps the blinding factor `h` before
 using it to calculate `a' = h*a` and `A' = h*A`:

 {{{
 static void
 ed25519_donna_gettweak(unsigned char *out, const unsigned char *param)
 {
   ...
   out[0] &= 248;  /* Is this necessary ? */
   out[31] &= 63;
   out[31] |= 64;
 }
 }}}

 As discussed in [tor-dev] and [curves], clamping is not necessary for us
 because we are only dealing with signatures:
 https://moderncrypto.org/mail-archive/curves/2017/000874.html

 Also, starting in #22006 we validate received ed25519 pubkeys, so we are
 not afraid that a received onion address pubkey will have a torsion
 component (hence clearing the lowest three bits is not necessary).

 I actually don't think that clamping there is a terrible thing to do, but
 it reduces the strength of the blinding factor by 3 bits or something. I'm
 not sure if we should go ahead and remove the clamping or not, but we
 should probably mention it in the spec if we do keep it.

 ----

 The Tor ed25519 implementation also adds a constant string to the hash
 input of the extended secret key form, like this:

 {{{
 static const char str[] = "Derive temporary signing key hash input";
 ...
 ed25519_hash_init(&ctx);
 ed25519_hash_update(&ctx, (const unsigned char*)str, strlen(str));
 ed25519_hash_update(&ctx, inp + 32, 32);
 ed25519_hash_final(&ctx, tweak);
 memcpy(out + 32, tweak, 32);
 }}}

 We should probably specify this, as it's not in the spec.

 ----

 The Tor ed25519 implementation also adds a constant string to the
 computation of the blinding factor, making it:

 {{{
 static const char str[] = "Derive temporary signing key hash input";
 ...
 h = H(str | A | s | B | N)
 }}}

 We should specify this, as it's not in the spec.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22052#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
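The blinding relation the comment discusses (a' = h*a mod l, A' = h*A, with h = H(str | A | s | B | N) and the re-derived second half of the extended secret key) worked through in Python, as an added example that is neither Tor's code nor the ticket author's. It checks that a'*B == h*A both with and without the gettweak clamp, and counts how many hash bits the clamp overrides. Assumptions not stated on the page: H is SHA3-256 (the ticket writes only H); the domain string is the one quoted in the ticket; `s` and `N` are constructed placeholder values; the curve arithmetic is a slow affine textbook implementation, not constant time.

```python
import hashlib

# edwards25519 parameters (RFC 8032); affine arithmetic, for algebra checks only
p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493   # order of the base point
d = (-121665 * pow(121666, p - 2, p)) % p
I = pow(2, (p - 1) // 4, p)

def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    dxy = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + dxy, p - 2, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - dxy, p - 2, p) % p
    return (x3, y3)

def scalarmult(P, e):
    """Double-and-add; not constant time, fine for checking the algebra."""
    Q = (0, 1)   # neutral element
    while e:
        if e & 1:
            Q = edwards_add(Q, P)
        P = edwards_add(P, P)
        e >>= 1
    return Q

def xrecover(y):
    xx = (y * y - 1) * pow(d * y * y + 1, p - 2, p)
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * I % p
    if x & 1:
        x = p - x
    return x

B_y = 4 * pow(5, p - 2, p) % p
B = (xrecover(B_y), B_y)   # base point

def encodepoint(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def clamp(b32):
    """Exactly the bit operations of ed25519_donna_gettweak() quoted in the
    ticket: b[0] &= 248; b[31] &= 63; b[31] |= 64 (clears bits 0-2 and 255,
    sets bit 254). Same final result as the standard ed25519 secret clamp."""
    b = bytearray(b32)
    b[0] &= 248
    b[31] &= 63
    b[31] |= 64
    return bytes(b)

def expand_secret(seed):
    """Standard ed25519: a = clamp(SHA512(seed)[:32]), RH = SHA512(seed)[32:]."""
    h = hashlib.sha512(seed).digest()
    return clamp(h[:32]), h[32:]

def public_key(seed):
    a, _ = expand_secret(seed)
    return encodepoint(scalarmult(B, int.from_bytes(a, "little")))

BLIND_STR = b"Derive temporary signing key hash input"   # as quoted in the ticket

def blinding_factor(A_bytes, s, N, do_clamp):
    """h = H(str | A | s | B | N) as the ticket gives it. H = SHA3-256 is an
    assumption of this example; s and N are whatever the caller passes."""
    h = hashlib.sha3_256(BLIND_STR + A_bytes + s + encodepoint(B) + N).digest()
    return clamp(h) if do_clamp else h

def blind_secret_key(sk64, tweak):
    """a' = h*a mod l; the second 32 bytes are re-derived as
    SHA512(str | RH)[:32], mirroring the ticket's second snippet."""
    a = int.from_bytes(sk64[:32], "little")
    h = int.from_bytes(tweak, "little")
    a_blind = (h * a) % l
    rh_blind = hashlib.sha512(BLIND_STR + sk64[32:]).digest()[:32]
    return a_blind.to_bytes(32, "little") + rh_blind

def blind_public_key(A, tweak):
    """A' = h*A."""
    return scalarmult(A, int.from_bytes(tweak, "little"))

def blinding_is_consistent(seed, s, N, do_clamp):
    """True iff a'*B == h*A, i.e. the blinded secret scalar really is the
    discrete log of the blinded public point. Holds with or without the clamp."""
    a_bytes, rh = expand_secret(seed)
    A = scalarmult(B, int.from_bytes(a_bytes, "little"))
    tweak = blinding_factor(encodepoint(A), s, N, do_clamp)
    a_blind = int.from_bytes(blind_secret_key(a_bytes + rh, tweak)[:32], "little")
    return scalarmult(B, a_blind) == blind_public_key(A, tweak)

def clamp_changes_tweak(seed, s, N):
    """Number of bits of the hash output the clamp overrides (at most 5:
    bits 0, 1, 2, 254 and 255)."""
    a_bytes, _ = expand_secret(seed)
    A = scalarmult(B, int.from_bytes(a_bytes, "little"))
    raw = blinding_factor(encodepoint(A), s, N, False)
    cl = blinding_factor(encodepoint(A), s, N, True)
    return bin(int.from_bytes(raw, "little") ^ int.from_bytes(cl, "little")).count("1")

if __name__ == "__main__":
    seed = bytes(range(32))        # constructed test seed, not a real key
    N = b"period-example"          # constructed placeholder nonce
    print("clamped consistent:  ", blinding_is_consistent(seed, b"", N, True))
    print("unclamped consistent:", blinding_is_consistent(seed, b"", N, False))
    print("bits forced by clamp:", clamp_changes_tweak(seed, b"", N))
```

The consistency check is the property a verifier of a blinded signature relies on, and it does not depend on clamping h; what the clamp does change is that up to five bits of the hash output are forced to fixed values, which is the entropy loss the comment refers to. The RFC 8032 test vector in `public_key` is only there to confirm the affine curve arithmetic before trusting the blinding checks.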