tor-llcrypto: key blinding: Use consistent terminology
Unhelpfully, the spec uses the variable name `h` and the phrase "blinding factor" for both the unclamped and clamped value. The clamped value is internal to the algorithm. In our code: * Don't ever use the word "parameter" or variable name `param`. This doesn't appear in the spec anywhere. * Use `h` for the unclamped blinding factor, and `blinding_factor` for the clamped blinding factor. * Rename `blinding_factor` function to `clamp_blinding_factor`, since in the spec's terminology it takes an (unclamped) "blinding factor" and returns a (clamped) "blinding factor". * State explicitly what thing in the spec the `h` parameters are.
This commit is contained in:
parent
f52b30d4ff
commit
def291dcb5
|
@ -126,29 +126,31 @@ impl From<ed25519_dalek::SignatureError> for BlindingError {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Helper: clamp a blinding parameter and use it to compute a blinding factor.
|
/// Helper: clamp a blinding factor and use it to compute a blinding factor.
|
||||||
|
///
|
||||||
|
/// Described in part of rend-spec-v3 A.2.
|
||||||
///
|
///
|
||||||
/// This is a common step for public-key and private-key blinding.
|
/// This is a common step for public-key and private-key blinding.
|
||||||
#[cfg(any(feature = "hsv3-client", feature = "hsv3-service"))]
|
#[cfg(any(feature = "hsv3-client", feature = "hsv3-service"))]
|
||||||
fn blinding_factor(mut param: [u8; 32]) -> Scalar {
|
fn clamp_blinding_factor(mut h: [u8; 32]) -> Scalar {
|
||||||
// Clamp the blinding parameter
|
h[0] &= 248;
|
||||||
param[0] &= 248;
|
h[31] &= 63;
|
||||||
param[31] &= 63;
|
h[31] |= 64;
|
||||||
param[31] |= 64;
|
|
||||||
|
|
||||||
// Transform it into a scalar so that we can do scalar mult.
|
// Transform it into a scalar so that we can do scalar mult.
|
||||||
Scalar::from_bytes_mod_order(param)
|
Scalar::from_bytes_mod_order(h)
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Blind the ed25519 public key `pk` using the blinding parameter
|
/// Blind the ed25519 public key `pk` using the blinding factor
|
||||||
/// `param`, and return the blinded public key.
|
/// `h`, and return the blinded public key.
|
||||||
///
|
///
|
||||||
/// This algorithm is described in `rend-spec-v3.txt`, section A.2.
|
/// This algorithm is described in `rend-spec-v3.txt`, section A.2.
|
||||||
/// In the terminology of that section, the value `pk` corresponds to
|
/// In the terminology of that section, the value `pk` corresponds to
|
||||||
/// `A`, and the value `param` corresponds to `h`.
|
/// `A`, and
|
||||||
|
/// `h` is the value `h = H(...)`, before clamping.
|
||||||
///
|
///
|
||||||
/// Note that the approach used to clamp `param` to a scalar means
|
/// Note that the approach used to clamp `h` to a scalar means
|
||||||
/// that different possible values for `param` may yield the same
|
/// that different possible values for `h` may yield the same
|
||||||
/// output for a given `pk`. This and other limitations make this
|
/// output for a given `pk`. This and other limitations make this
|
||||||
/// function unsuitable for use outside the context of
|
/// function unsuitable for use outside the context of
|
||||||
/// `rend-spec-v3.txt` without careful analysis.
|
/// `rend-spec-v3.txt` without careful analysis.
|
||||||
|
@ -162,10 +164,10 @@ fn blinding_factor(mut param: [u8; 32]) -> Scalar {
|
||||||
///
|
///
|
||||||
/// This function is only available when the `hsv3-client` feature is enabled.
|
/// This function is only available when the `hsv3-client` feature is enabled.
|
||||||
#[cfg(feature = "hsv3-client")]
|
#[cfg(feature = "hsv3-client")]
|
||||||
pub fn blind_pubkey(pk: &PublicKey, param: [u8; 32]) -> Result<PublicKey, BlindingError> {
|
pub fn blind_pubkey(pk: &PublicKey, h: [u8; 32]) -> Result<PublicKey, BlindingError> {
|
||||||
use curve25519_dalek::edwards::CompressedEdwardsY;
|
use curve25519_dalek::edwards::CompressedEdwardsY;
|
||||||
|
|
||||||
let blinding_factor = blinding_factor(param);
|
let blinding_factor = clamp_blinding_factor(h);
|
||||||
|
|
||||||
// Convert the public key to a point on the curve
|
// Convert the public key to a point on the curve
|
||||||
let pubkey_point = CompressedEdwardsY(pk.to_bytes())
|
let pubkey_point = CompressedEdwardsY(pk.to_bytes())
|
||||||
|
@ -178,13 +180,14 @@ pub fn blind_pubkey(pk: &PublicKey, param: [u8; 32]) -> Result<PublicKey, Blindi
|
||||||
Ok(PublicKey::from_bytes(&blinded_pubkey_point.0)?)
|
Ok(PublicKey::from_bytes(&blinded_pubkey_point.0)?)
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Blind the ed25519 secret key `sk` using the blinding parameter `param`, and
|
/// Blind the ed25519 secret key `sk` using the blinding factor `h`, and
|
||||||
/// return the blinded secret key.
|
/// return the blinded secret key.
|
||||||
///
|
///
|
||||||
/// This algorithm is described in `rend-spec-v3.txt`, section A.2.
|
/// This algorithm is described in `rend-spec-v3.txt`, section A.2.
|
||||||
|
/// `h` is the value `h = H(...)`, before clamping.
|
||||||
///
|
///
|
||||||
/// Note that the approach used to clamp `param` to a scalar means that
|
/// Note that the approach used to clamp `h` to a scalar means that
|
||||||
/// different possible values for `param` may yield the same output for a given
|
/// different possible values for `h` may yield the same output for a given
|
||||||
/// `pk`. This and other limitations make this function unsuitable for use
|
/// `pk`. This and other limitations make this function unsuitable for use
|
||||||
/// outside the context of `rend-spec-v3.txt` without careful analysis.
|
/// outside the context of `rend-spec-v3.txt` without careful analysis.
|
||||||
///
|
///
|
||||||
|
@ -211,7 +214,7 @@ pub fn blind_pubkey(pk: &PublicKey, param: [u8; 32]) -> Result<PublicKey, Blindi
|
||||||
#[cfg(feature = "hsv3-service")]
|
#[cfg(feature = "hsv3-service")]
|
||||||
pub fn blind_seckey(
|
pub fn blind_seckey(
|
||||||
sk: &ExpandedSecretKey,
|
sk: &ExpandedSecretKey,
|
||||||
param: [u8; 32],
|
h: [u8; 32],
|
||||||
) -> Result<ExpandedSecretKey, BlindingError> {
|
) -> Result<ExpandedSecretKey, BlindingError> {
|
||||||
use arrayref::{array_mut_ref, array_ref};
|
use arrayref::{array_mut_ref, array_ref};
|
||||||
use zeroize::Zeroizing;
|
use zeroize::Zeroizing;
|
||||||
|
@ -221,7 +224,7 @@ pub fn blind_seckey(
|
||||||
/// implementations consistent.)
|
/// implementations consistent.)
|
||||||
const RH_BLIND_STRING: &[u8] = b"Derive temporary signing key hash input";
|
const RH_BLIND_STRING: &[u8] = b"Derive temporary signing key hash input";
|
||||||
|
|
||||||
let blinding_factor = blinding_factor(param);
|
let blinding_factor = clamp_blinding_factor(h);
|
||||||
let secret_key_bytes = Zeroizing::new(sk.to_bytes());
|
let secret_key_bytes = Zeroizing::new(sk.to_bytes());
|
||||||
let mut blinded_key_bytes = Zeroizing::new([0_u8; 64]);
|
let mut blinded_key_bytes = Zeroizing::new([0_u8; 64]);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue