On Tue, Apr 30, 2024 at 8:07 AM Bellebaum, Thomas <thomas.belleb...@aisec.fraunhofer.de> wrote: > > Hello everyone, > > I am a researcher currently looking into different schemes for what you call > Keyblinding in the rendevouz spec.
Hello and welcome! > https://spec.torproject.org/rend-spec/keyblinding-scheme.html > > I noticed that your description there mentiones a secret `s` to be hashed > into the blinding factor, and have a few questions about it: > > 1. Is this secret currently being used / intended to be used? If so, how? Nope, nothing is using it or setting it right now. > 2. What kinds of security (formally or informally) would you expect from > using a secret in the derivation process? For example, do you just require > that someone without `s` cannot look up the service, or is this also meant as > a way of ensuring that HSDir nodes cannot find correlations between services > and descriptors (amounting to some sort of additional censorship resistance)? So, I worked on this design more than 10 years ago, and I am not 100% sure I remember what we originally had in mind for `s`. That said, I think my expectation would have been that somebody without `s` should not be able to look up the onion service, connect to the onion service, *or* link services and descriptors, or link descriptors to one another. I don't know if we ever relied on that latter piece though. The reason we never built it (IIRC) is that having `KP_hs_id` public but keeping `s` secret didn't actually achieve anything that couldn't be achieved just as easily by keeping KP_hs_id secret. best wishes, -- Nick _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev