[tor-dev] Key Blinding Secrets
Nick Mathewson
nickm at torproject.org
Sat May 4 17:30:25 UTC 2024
On Tue, Apr 30, 2024 at 8:07 AM Bellebaum, Thomas
<thomas.bellebaum at aisec.fraunhofer.de> wrote:
>
> Hello everyone,
>
> I am a researcher currently looking into different schemes for what you call Keyblinding in the rendevouz spec.
Hello and welcome!
> https://spec.torproject.org/rend-spec/keyblinding-scheme.html
>
> I noticed that your description there mentiones a secret `s` to be hashed into the blinding factor, and have a few questions about it:
>
> 1. Is this secret currently being used / intended to be used? If so, how?
Nope, nothing is using it or setting it right now.
> 2. What kinds of security (formally or informally) would you expect from using a secret in the derivation process? For example, do you just require that someone without `s` cannot look up the service, or is this also meant as a way of ensuring that HSDir nodes cannot find correlations between services and descriptors (amounting to some sort of additional censorship resistance)?
So, I worked on this design more than 10 years ago, and I am not 100%
sure I remember what we originally had in mind for `s`.
That said, I think my expectation would have been that somebody
without `s` should not be able to look up the onion service, connect
to the onion service, *or* link services and descriptors, or link
descriptors to one another. I don't know if we ever relied on that
latter piece though.
The reason we never built it (IIRC) is that having `KP_hs_id` public
but keeping `s` secret didn't actually achieve anything that couldn't
be achieved just as easily by keeping KP_hs_id secret.
best wishes,
--
Nick
More information about the tor-dev
mailing list