On Tue, Apr 30, 2024 at 8:07 AM Bellebaum, Thomas thomas.bellebaum@aisec.fraunhofer.de wrote:
Hello everyone,
I am a researcher currently looking into different schemes for what you call Keyblinding in the rendevouz spec.
Hello and welcome!
https://spec.torproject.org/rend-spec/keyblinding-scheme.html
I noticed that your description there mentiones a secret `s` to be hashed into the blinding factor, and have a few questions about it:
- Is this secret currently being used / intended to be used? If so, how?
Nope, nothing is using it or setting it right now.
- What kinds of security (formally or informally) would you expect from using a secret in the derivation process? For example, do you just require that someone without `s` cannot look up the service, or is this also meant as a way of ensuring that HSDir nodes cannot find correlations between services and descriptors (amounting to some sort of additional censorship resistance)?
So, I worked on this design more than 10 years ago, and I am not 100% sure I remember what we originally had in mind for `s`.
That said, I think my expectation would have been that somebody without `s` should not be able to look up the onion service, connect to the onion service, *or* link services and descriptors, or link descriptors to one another. I don't know if we ever relied on that latter piece though.
The reason we never built it (IIRC) is that having `KP_hs_id` public but keeping `s` secret didn't actually achieve anything that couldn't be achieved just as easily by keeping KP_hs_id secret.
best wishes,