Hi all,
Most onion service users expect that there is only one valid onion address for their private key. (For example, one address is listed in SSL certificates.)
I spoke with Ian, and he said that as part of validating the onion address, we should check if it is a valid point.
He said we need to multiply the point by L, and make sure there's no torsion component (that is, that the result is the identity).
This avoids the complexity of choosing a canonical point using some lexicographic order, or the complexity of using something like decaf.
(Hopefully, Ian will write back if I transcribed things incorrectly.)
T -- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
On Sun, Mar 26, 2017 at 10:39:08PM +1100, teor wrote:
Hi all,
Most onion service users expect that there is only one valid onion address for their private key. (For example, one address is listed in SSL certificates.)
I spoke with Ian, and he said that as part of validating the onion address, we should check if it is a valid point.
He said we need to multiply the point by L, and make sure there's no torsion component (that is, that the result is the identity).
This avoids the complexity of choosing a canonical point using some lexicographic order, or the complexity of using something like decaf.
(Hopefully, Ian will write back if I transcribed things incorrectly.)
Just to transcribe the further conversation:
Yes, that's fine to make sure you're using a legitimate point, and not one that's been munged, it turns out you don't need to do even that. The reason is that the daily derived blinded point includes a hash of the onion address, so if someone changes the onion address in any way, the daily blinded version will be totally different, and the modified address won't work, *even if* the contained public key is "equivalent" to the original key.
-
Ian Goldberg -
teor