When generating a tor address domain and keys the secret key must be additionally “expanded”:
- specification for key expansion: torspec/rend-spec-v3.txt at 12271f0e6db00dee9600425b2de063e02f19c1ee · torproject/torspec · GitHub
- implementation in tor: src/ext/ed25519/donna/ed25519_tor.c · main · The Tor Project / Core / Tor · GitLab
- implementation in mkp224o: mkp224o/ed25519/ed25519.h at af5a7cfe122ba62e819b92c8b5a662151a284c69 · cathugger/mkp224o · GitHub
- implementation in Golang: oniongen-go/main.go at master · rdkr/oniongen-go · GitHub
Is it possible to explain in simple words why the expansion is needed? I have no background in Cryptography but maybe there is some simple explanation.
I just generated an ed25519 key and stored as hs_ed25519_secret_key with == ed25519v1-secret: type0 ==\x00\x00\x00 prefix and to my surprise it worked in Tor and I was able to open the self generated onion service.
So now I’m confused. What is the purpose of the expansion?
Will it be fine to use an onion domain without the expansion?
Another question is why is the checksum generation so complicated?
We should make sha3 from the concatenation of “.onion checksum” (?) and version (?).
But then take only 2 bytes of the hash.
I can’t understand why the checksum was chosen. It’s difficult to generate and verify.
Why can’t we just use the Luhn algorithm or ISIN, IBAN etc.?
Here I don’t see why the cryptographic digest hash was used and anyway most of its calculated bytes are dropped and only two are used.
Does the Tor browser or anyone verify the checksum? Would it be legit to use an onion address without the last two bytes?
I’m asking because the checksum generation is not possible for me to do.
I’m working on the generation of onion domains for a system that I described in the letter here “Use onion-like domains for a regular websites and DynDNS”.
My end goal is to generate an onion domain in plain shell script from an OpenWrt router and avoid C code and compilation for all platforms.
So each step is a challenge.
I can generate the ed25519 key by ssh-keygen or signify/usign, extract it and even make the key expansion in the shell.
There is no sha3sum (only sha256 and md5).
The only way to calculate it is to install the openssl-tools which is quite a big thing.
A checksum based on Luhn would be also difficult to implement but some less advanced hash might simplify my job.
MD5 is fine as the simplest checksum when you don’t care about collisions but about integrity.
IMHO you might simply use it.
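As an added example (not part of the original post or of Tor's code), the two steps the question asks about, written from rend-spec-v3 with only the Python standard library: the expanded secret key is SHA-512 of the 32-byte seed with the ed25519 clamping bits applied, and the checksum is the first two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION). The seed and public key below are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed placeholders (NOT real keys): a 32-byte ed25519 seed and a
# 32-byte public key. Deriving the public key from the seed needs ed25519
# point multiplication, which is left out to keep the example stdlib-only.
SEED = bytes(range(32))
PUBKEY = bytes(range(32, 64))


def expand_secret_key(seed: bytes) -> bytes:
    """Tor's 'expanded' form: SHA-512(seed), clamped as in ed25519 signing.
    Bytes 0..31 are the secret scalar 'a', bytes 32..63 the nonce prefix.
    Tor stores this form because key blinding (a' = h*a mod l) needs the
    scalar itself; it cannot be done on the unhashed seed."""
    h = bytearray(hashlib.sha512(seed).digest())
    h[0] &= 248      # clear the low 3 bits (multiple of the cofactor 8)
    h[31] &= 127     # clear the top bit
    h[31] |= 64      # set bit 254 so the scalar has a fixed bit length
    return bytes(h)


def onion_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    data = b".onion checksum" + pubkey + bytes([version])
    return hashlib.sha3_256(data).digest()[:2]


def onion_address(pubkey: bytes, version: int = 3) -> str:
    """onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion".
    35 bytes base32-encode to exactly 56 characters with no padding."""
    payload = pubkey + onion_checksum(pubkey, version) + bytes([version])
    return base64.b32encode(payload).decode("ascii").lower() + ".onion"


def verify_onion_address(addr: str) -> bool:
    """What a client does before connecting: decode, recompute the
    checksum over the embedded public key and compare."""
    name = addr[:-6] if addr.endswith(".onion") else addr
    if len(name) != 56:
        return False
    try:
        raw = base64.b32decode(name.upper())
    except (ValueError, TypeError):
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == onion_checksum(pubkey, version)
```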