
GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.


Closed
Open
Opened Jul 31, 2020 by hdevalence@hdevalence

Potential consensus divergence from Ed25519 edge cases

Ed25519 poses risks in consensus-critical applications, because (a) the spec does not require that implementations agree on whether signatures are valid and (b) in practice, implementations differ from the spec and from each other.

In the context of working to address this issue in Zcash (resulting in ZIP215), I created a set of 196 test vectors, consisting of hex-encoded (public key, signature) pairs on the message b"Zcash". Running these test vectors across various other Ed25519 implementations reveals a wide divergence in behaviour (see 1 2 for additional context).

From a quick look at the Tor source and some tips from Teor, it looks like Tor has four different verification codepaths: ref10 open, ref10 open_batch, donna open, and donna open_batch. But I'm not entirely sure whether these are all used, because that requires a deeper knowledge of the codebase than I have.

The test vectors can be found in C-friendly format (thanks to Patrick Steuer) here: https://github.com/p-steuer/ossl-eddsa-tests
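Added example, not part of the original issue and not code from Tor, ref10 or donna: a minimal Python verifier that applies either the cofactorless equation or the cofactored equation (the form ZIP215 specifies) to the same input, to show how two verifiers can disagree on one signature. The function names and the test vector are constructed for illustration; decoding is deliberately permissive.

```python
import hashlib
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
D = -121665 * pow(121666, -1, P) % P                 # curve constant d
IDENTITY = (0, 1)

def add(p1, p2):
    """Complete twisted Edwards addition (a = -1), affine coordinates."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):
    """Double-and-add; variable time, acceptable for public verification data."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def decode(b):
    """Permissive decoding: y >= p is reduced, not rejected; None if off-curve."""
    y = (int.from_bytes(b, "little") & (2**255 - 1)) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if x * x % P != x2:
        x = x * pow(2, (P - 1) // 4, P) % P   # multiply by sqrt(-1)
    if x * x % P != x2:
        return None
    return (-x % P if (x & 1) != (b[31] >> 7) else x, y)

BASE = decode((4 * pow(5, -1, P) % P).to_bytes(32, "little"))

def verify(pk, sig, msg, cofactored):
    A, R, s = decode(pk), decode(sig[:32]), int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= L:
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % L
    lhs, rhs = mul(s, BASE), add(R, mul(k, A))
    if cofactored:  # compare [8][S]B with [8]R + [8][k]A instead
        lhs, rhs = mul(8, lhs), mul(8, rhs)
    return lhs == rhs
# Constructed vector: A = identity, R = order-2 point (0, -1), S = 0.
PK, MSG = (1).to_bytes(32, "little"), b"Zcash"
SIG = (P - 1).to_bytes(32, "little") + bytes(32)

def both_modes(pk=PK, sig=SIG, msg=MSG):
    """Return (cofactored result, cofactorless result) for one input."""
    return verify(pk, sig, msg, True), verify(pk, sig, msg, False)
```

`both_modes()` returns `(True, False)` for the constructed vector: the same bytes are accepted under one equation and rejected under the other, which is the kind of disagreement that splits a consensus.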

Reference: tpo/core/tor#40078