[tor-dev] Hidden Service Scaling

Nicholas Hopper hopper at cs.umn.edu
Tue May 6 19:13:43 UTC 2014

On Sat, May 3, 2014 at 5:58 AM, Christopher Baines <cbaines8 at gmail.com> wrote:
> On 03/05/14 11:21, George Kadianakis wrote:
>>> On 08/10/13 06:52, Christopher Baines wrote:
>>> In short, I modified tor such that:
>>>  - The services public key is used in the connection to introduction
>>> points (a return to the state as of the v0 descriptor)
>> Ah, this means that now IPs know which HSes they are serving (even if
>> they don't have the HS descriptor). Why was this change necessary?
> If the "service key"'s (randomly generated keys per introduction point)
> are used, then this would complicate/cause problems with the multiple
> instances connecting to one introduction point. Only one key would be
> listed in the descriptor, which would only allow one instance to get the
> traffic.
> Using the same key is good. Using the services key, is not great. One
> possible improvement might be to generate a key for an introduction
> point based off the identity of the introduction point, plus some other
> stuff to make it secure.

Would it make sense to solve this problem using a similar approach to
the key blinding described in proposal 224?  For example, if the
public key is g^x and the introduction point has identity (e.g.
fingerprint) y, then the IP blinding factor would be

t_{IP} = Hash(y | g^x)

and the IP-specific public key would be

P_{IP} = g^{x*t_{IP}}

This way the IP doesn't learn what HS it's serving if it doesn't know
the descriptor, but any HS server that knows the secret key (x) can
compute the IP secret key x*t.

Nicholas Hopper
Associate Professor, Computer Science & Engineering, University of Minnesota
Visiting Research Director, The Tor Project

More information about the tor-dev mailing list