blueprint-freespeech / ricochet-refresh

Anonymous peer-to-peer instant messaging
https://www.ricochetrefresh.net

Use ECDH key agreement #5

Closed eleanor-em closed 3 years ago

eleanor-em commented 5 years ago

The current protocol uses RSA key exchange to establish a symmetric key. This is not the current industry standard as it does not provide perfect forward secrecy. The ideal option is to use ECDH key agreement.

odiferousmint commented 4 years ago

Worth noting:

[Note: The ED25519-V3 format is not the same as, e.g., SUPERCOP
  ed25519/ref, which stores the concatenation of the 32-byte ed25519
  hash seed concatenated with the 32-byte public key, and which derives
  the secret scalar and PRF secret by expanding the hash seed with
  SHA-512.  Our key blinding scheme is incompatible with storing
  private keys as seeds, so we store the secret scalar alongside the
  PRF secret, and just pay the cost of recomputing the public key when
  importing an ED25519-V3 key.]

Source: https://github.com/torproject/torspec/blob/master/control-spec.txt?ts=2#L1703

morganava commented 3 years ago

Fixed in alpha.