#28123 closed defect (fixed)

Missing description of ED25519-V3 private key format in rend-spec-v3.txt

Reported by: riastradh Owned by:
Priority: Medium Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-spec
Cc: Actual Points:
Parent ID: Points:
Reviewer: asn Sponsor:

Description

rend-spec-v3.txt does not specify the format of ED25519-V3 keys in enough detail to make an interoperable implementation. And in particular, the format is _different_ from typical Ed25519 implementations like ed25519/ref in SUPERCOP.

In contrast, the document does specify the format of RSA1024 (v2) keys in enough detail to make an interoperable implementation.

Child Tickets

Attachments (1)

patch (1.6 KB) - added by riastradh 11 months ago.
patch to torspec.git

Download all attachments as: .zip

Change History (6)

Changed 11 months ago by riastradh

Attachment: patch added

patch to torspec.git

comment:1 Changed 11 months ago by arma

Status: newneeds_review

comment:2 Changed 11 months ago by nickm

Milestone: Tor: 0.3.5.x-final

comment:3 Changed 11 months ago by dgoulet

Reviewer: asn

comment:4 Changed 11 months ago by asn

Status: needs_reviewmerge_ready

LGTM!

See https://github.com/torproject/torspec/pull/36 for a PR of Riastradh's patch.

Also inlining a very useful IRC log in case this comes up in the future:

<+asn> Riastradh: hello
<+asn> Riastradh: im reading #28123
-zwiebelbot:#tor-dev- tor#28123: Missing description of ED25519-V3 private key format in rend-spec-v3.txt - [needs_review] - https://bugs.torproject.org/28123
<+asn> Riastradh: thx for documenting the current behavior
<+asn> Riastradh: did you encounter issues using add_onion with ur own ed25519 keys?
<+asn> or what made you write this patch?
< Riastradh> asn: Yep, that's right.
< Riastradh> asn: https://mumble.net/~campbell/hg/ucspi-onion/
<+asn> Riastradh: do you think the current behavior makes sense?
<+asn> it does seem like exposing our messy internals to the world.
< Riastradh> The oniongen1 tool generates the key offline.

< Riastradh> asn: I don't have strong feelings about it.  If you need to
             do arithmetic on the scalar, then obviously you can't pass
             around a seed from which the scalar is derived by SHA-512.
             And Tor does need to do some arithmetic on scalars -- but
             maybe not for the long-term Ed25519 private keys per se.

<+asn> hm ok 
<+asn> i need to read again how the ed25519 privkey format works, and how our own format works.
< Riastradh> The other cost to using (scalar, prf key) rather than (seed, pub key) is that you need to do another scalar multiplication every time you load (scalar, prf key) if you want to 
             make signatures with it, because computing signatures involves the public key.
<+asn> Riastradh: ack
<+asn> thx for the feedback
<+asn> i will finish up review tomorrow. not much brain atm.
< Riastradh> Here's the quick summary: signing requires scalar a, PRF key h, and pub key A = a*P, where P is the standard base point, to compute s = r + H(R, A, m)*a where r = H(h, m).
< Riastradh> The ed25519-ref code uses (seed, A), and to make a signature derives (a, h) = SHA512(seed).
< Riastradh> Tor uses (a, h), and to make a signature derives A = a*P.
< Riastradh> If you need to derive a key pair (a', h, A') from (a, h, A) by arithmetic on a' (which carries over to A'), you can't use a seed because you have no hope of finding the seed' 
             such that (a', h) = SHA512(seed').
< Riastradh> What RFC 8032 calls a `private key' is just the 32-byte seed, so a lot of implementations will probably work with that.  https://tools.ietf.org/html/rfc8032#section-3.2
< Riastradh> But conversely it probably isn't hard to adapt them to work with (a, h) instead.
< Riastradh> asn: Shall I copy this up into he ticket for reference when you have replenished brain?
< Riastradh> into the ticket
< > asn, Riastradh: outsider here, but give some insight, standard Go ed25519 keys could not be used because they were seed + pub key (ref 
            https://stackoverflow.com/questions/44810708/ed25519-public-result-is-different and https://github.com/cretz/bine/blob/master/torutil/ed25519/ed25519.go)
< > so I used my own there which works fine w/ add_onion...as for storage to disk, I juse pem-formatted the private key

comment:5 Changed 11 months ago by dgoulet

Keywords: tor-spec added
Resolution: fixed
Status: merge_readyclosed

Merged. Thanks!

Note: See TracTickets for help on using tickets.