123 blinding update

i2p2www/spec/proposals/123-new-netdb-entries.rst

@@ -798,33 +798,35 @@ The secret alpha and the blinded keys are calculated as follows:
 
   {% highlight lang='text' %}
 GENERATE_ALPHA(destination, date, secret), for all parties:
-  secret is optional, else zero-length
-  personalization = 12 bytes "i2pblinding1"
-  datestring = YYYYMMDD from the current date UTC
-  alpha = SHA256(personalization || SHA256(destination) || datestring || secret)
-  "clamp" the hash to make a valid Ed25519 little-endian private key:
-  alpha[0] &= 248;
-  alpha[31] &= 63;
-  alpha[31] |= 64;
+  // secret is optional, else zero-length
+  datestring = 8 bytes ASCII YYYYMMDD from the current date UTC
+  seed = HKDF(SHA256(destination), datestring || secret, "i2pblinding1", 32)
+  // Now make a Ed25519 private key, as usual.
+  // Hash the seed, then "clamp" the hash
+  // to make a valid Ed25519 little-endian private key:
+  h = SHA512(seed)
+  h[0] &= 248;
+  h[31] &= 63;
+  h[31] |= 64;
+  alpha = h[0:31]
 
-  BLIND_PRIVKEY(), for the owner of the leaseset:
+  //BLIND_PRIVKEY(), for the owner of the leaseset:
   alpha = GENERATE_ALPHA(destination, date, secret)
-  Take the destination's signing private key a
+  //Take the destination's signing private key a
   blinded signing private key = a' = BLIND_PRIVKEY(a, alpha) = (a + alpha) mod B
   blinded signing public key = A' = DERIVE_PUBLIC(a')
 
-  BLIND_PUBKEY(), for those retrieving the leaseset:
+  //BLIND_PUBKEY(), for those retrieving the leaseset:
   alpha = GENERATE_ALPHA(destination, date, secret)
-  Take the destination's signing public key A
+  //Take the destination's signing public key A
   blinded public key = A' = BLIND_PUBKEY(A, alpha) = A + DERIVE_PUBLIC(alpha)
 
-  Both methods of calculating A' yield the same result, as required.
+  //Both methods of calculating A' yield the same result, as required.
 {% endhighlight %}
 
 Issues
 
 - Transient keys
-- Should we use HKDF for GENERATE_ALPHA?