On Sun, Mar 26, 2017 at 10:39:08PM +1100, teor wrote:
> Hi all,
> Most onion service users expect that there is only one valid onion address for their private key. (For example, one address is listed in SSL certificates.)
> I spoke with Ian, and he said that as part of validating the onion address, we should check if it is a valid point.
> He said we need to multiply the point by L, and make sure there's no torsion component (that is, that the result is the identity).
> This avoids the complexity of choosing a canonical point using some lexicographic order, or the complexity of using something like decaf.
> (Hopefully, Ian will write back if I transcribed things incorrectly.)
Just to transcribe the further conversation:
Yes, that's fine to make sure you're using a legitimate point, and not one that's been munged; it turns out you don't need to do even that. The reason is that the daily derived blinded point includes a hash of the onion address, so if someone changes the onion address in any way, the daily blinded version will be totally different, and the modified address won't work, *even if* the contained public key is "equivalent" to the original key.
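The "multiply by L and check for the identity" test from the quoted message, as an added example that is not part of this thread or of tor's code: pure-Python Ed25519 affine arithmetic with the standard curve constants, decoding a 32-byte public key and rejecting any point with a torsion component. `add`, `scalar_mult`, `decode_point` and `is_torsion_free` are names chosen here; the base point B and the order-2 point T = (0, -1) are the standard ones, and B + T is a "munged" encoding of the same key up to torsion.

```python
p = 2**255 - 19                                      # Ed25519 field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
d = (-121665 * pow(121666, -1, p)) % p               # curve constant (a = -1)
I = pow(2, (p - 1) // 4, p)                          # sqrt(-1) mod p
IDENTITY = (0, 1)

def add(P, Q):
    # Twisted Edwards addition, a = -1, affine coordinates (complete law).
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p)
    return (x3 % p, y3 % p)

def scalar_mult(k, P):
    # Double-and-add; not constant time, which is fine for a public-key check.
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def decode_point(b):
    # 32-byte Ed25519 encoding: y little-endian, sign of x in the top bit.
    # Returns None if the bytes do not encode a point on the curve.
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= p:
        return None
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * I % p
    if (x * x - xx) % p or (x == 0 and sign):
        return None
    return (p - x if (x & 1) != sign else x, y)

def is_torsion_free(P):
    # The check from the thread: L*P must be the identity, i.e. the point has
    # no small-order (cofactor 8) component.
    return scalar_mult(L, P) == IDENTITY

# Base point B (y = 4/5, even x) and the order-2 torsion point T = (0, -1).
B = decode_point((4 * pow(5, -1, p) % p).to_bytes(32, "little"))
T = (0, p - 1)
```

B passes the check, while T and B + T (which differs from B only by a torsion component) both fail it.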