rend-spec: Do not claim that master key is underivable from blinded key
Only one of these two passages may be right:
Knowing the subcredential, even in combination with the blinded private key, does not enable the hidden service host to derive the main credential--therefore, it is safe to put the subcredential on the hidden service host while leaving the hidden service's private key offline.
It's important to not send the private part of the blinded signing key to the Hidden Service since an attacker can derive from it the secret master identity key. The secret blinded signing key should only be used to create credentials for the descriptor signing keys.
The second passage is correct, the first one is not. You can trivially derive the master identity key from a blinded private key. You get the blinded private key by taking the master key (a) and multiplying it by the blinding factor (h). The blinding factor isn't secret, it's just a hash of the public key, the base point, the current epoch, and (if enabled) the client authorization secret.
This means that if you have the blinded private key for the period (a'), you can re-obtain the master key by simply dividing a' by h - in other words, by calculating the multiplicative inverse of h and multiplying it by a'. Note also that the following remark is a bit confusing:
(This is an ECC group, so remember that scalar multiplication is the trapdoor function, and it's defined in terms of iterated point addition. See the Ed25519 paper [Reference ED25519-REFS] for a fairly clear writeup.)
Scalar multiplication is indeed a trapdoor in the sense that if I take a point P, and a scalar s, and calculate Q = P * s, it is no longer possible, given only Q and P, to figure out what the value of s was. However, given Q and s, I can calculate what P was. In that way it is very much a two-way function.
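The arithmetic in this report, as an added example that is not part of the original report or of Tor's code: it blinds a constructed key on the Ed25519 group, then recovers the master scalar from a' and h, and the master public key from A' = h*A and h, which is why the blinded private key has to be protected like the master key. `blinding_factor` is a simplified stand-in for the spec's hash (an assumption), and the seed, the epoch string and all helper names are constructed for illustration.

```python
import hashlib

# Ed25519 parameters: field prime p, prime group order L, curve constant d, base point B.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, -1, p) % p
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, -1, p) % p)

def add(P, Q):
    """Affine twisted-Edwards point addition (complete formula, a = -1)."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def mul(s, P):
    """Scalar multiplication s*P by double-and-add (not constant time)."""
    R = (0, 1)  # neutral element
    while s:
        if s & 1:
            R = add(R, P)
        P, s = add(P, P), s >> 1
    return R

def blinding_factor(A, epoch):
    """Assumption: stand-in for the spec's hash; every input is public."""
    data = b"constructed-blind|" + repr((A, B)).encode() + b"|" + epoch
    return int.from_bytes(hashlib.sha3_256(data).digest(), "little") % L

def recover_master(a_blinded, h):
    """a = a' * h^-1 mod L: the 'division' described in the report."""
    return a_blinded * pow(h, -1, L) % L

def unblind_point(Q, s):
    """Given Q = s*P and s, return P = (s^-1 mod L) * Q."""
    return mul(pow(s, -1, L), Q)

def demo():
    # Constructed master scalar; a real key comes from the Ed25519 key expansion.
    a = int.from_bytes(hashlib.sha512(b"constructed seed").digest(), "little") % L
    A = mul(a, B)                          # master public key
    h = blinding_factor(A, b"epoch-1")     # computable by anyone who knows A
    a_blinded, A_blinded = a * h % L, mul(h, A)
    assert mul(a_blinded, B) == A_blinded  # blinded key pair is consistent
    return a, A, recover_master(a_blinded, h), unblind_point(A_blinded, h)

if __name__ == "__main__":
    a, A, a_rec, A_rec = demo()
    print("master scalar recovered:", a_rec == a, "| public key unblinded:", A_rec == A)
```

Requires Python 3.8 or later for `pow(x, -1, m)`.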