Missing description of ED25519-V3 private key format in rend-spec-v3.txt
rend-spec-v3.txt does not specify the format of ED25519-V3 keys in enough detail to make an interoperable implementation. And in particular, the format is different from typical Ed25519 implementations like ed25519/ref in SUPERCOP.
In contrast, the document does specify the format of RSA1024 (v2) keys in enough detail to make an interoperable implementation.
Activity
changed milestone to %Tor: 0.3.5.x-final
LGTM!
See https://github.com/torproject/torspec/pull/36 for a PR of Riastradh's patch.
Also inlining a very useful IRC log in case this comes up in the future:
<+asn> Riastradh: hello <+asn> Riastradh: im reading #28123 -zwiebelbot:#tor-dev- tor#28123: Missing description of ED25519-V3 private key format in rend-spec-v3.txt - [needs_review] - https://bugs.torproject.org/28123 <+asn> Riastradh: thx for documenting the current behavior <+asn> Riastradh: did you encounter issues using add_onion with ur own ed25519 keys? <+asn> or what made you write this patch? < Riastradh> asn: Yep, that's right. < Riastradh> asn: https://mumble.net/~campbell/hg/ucspi-onion/ <+asn> Riastradh: do you think the current behavior makes sense? <+asn> it does seem like exposing our messy internals to the world. < Riastradh> The oniongen1 tool generates the key offline. < Riastradh> asn: I don't have strong feelings about it. If you need to do arithmetic on the scalar, then obviously you can't pass around a seed from which the scalar is derived by SHA-512. And Tor does need to do some arithmetic on scalars -- but maybe not for the long-term Ed25519 private keys per se. <+asn> hm ok <+asn> i need to read again how the ed25519 privkey format works, and how our own format works. < Riastradh> The other cost to using (scalar, prf key) rather than (seed, pub key) is that you need to do another scalar multiplication every time you load (scalar, prf key) if you want to make signatures with it, because computing signatures involves the public key. <+asn> Riastradh: ack <+asn> thx for the feedback <+asn> i will finish up review tomorrow. not much brain atm. < Riastradh> Here's the quick summary: signing requires scalar a, PRF key h, and pub key A = a*P, where P is the standard base point, to compute s = r + H(R, A, m)*a where r = H(h, m). < Riastradh> The ed25519-ref code uses (seed, A), and to make a signature derives (a, h) = SHA512(seed). < Riastradh> Tor uses (a, h), and to make a signature derives A = a*P. < Riastradh> If you need to derive a key pair (a', h, A') from (a, h, A) by arithmetic on a' (which carries over to A'), you can't use a seed because you have no hope of finding the seed' such that (a', h) = SHA512(seed'). < Riastradh> What RFC 8032 calls a `private key' is just the 32-byte seed, so a lot of implementations will probably work with that. https://tools.ietf.org/html/rfc8032#section-3.2 < Riastradh> But conversely it probably isn't hard to adapt them to work with (a, h) instead. < Riastradh> asn: Shall I copy this up into he ticket for reference when you have replenished brain? < Riastradh> into the ticket < > asn, Riastradh: outsider here, but give some insight, standard Go ed25519 keys could not be used because they were seed + pub key (ref https://stackoverflow.com/questions/44810708/ed25519-public-result-is-different and https://github.com/cretz/bine/blob/master/torutil/ed25519/ed25519.go) < > so I used my own there which works fine w/ add_onion...as for storage to disk, I juse pem-formatted the private keyTrac:
Status: needs_review to merge_readymoved to tpo/core/tor#28123 (closed)
Please register or sign in to reply