[tor-dev] prop224: Ditching key blinding for shorter onion addresses

Nick Mathewson nickm at alum.mit.edu
Fri Jul 29 15:37:40 UTC 2016

On Fri, Jul 29, 2016 at 11:26 AM, George Kadianakis
<desnacked at riseup.net> wrote:
> So basically in this scheme, HSDirs won't be able to verify the signatures of
> received descriptors.
> The obvious question here is, is this a problem?

I'm not sure I fully understand, so here's a couple of quick questions
before I look more deeply.  (I'm assuming that descriptors are indexed
by their ephemeral address here.  If that's wrong and they're indexed
by something other than that ephemeral address, my analysis is wrong.)

1) In your scheme, how does descriptor replacement work?  In the
current scheme, if my introduction points change, I can upload a new
descriptor.  In this scheme, it seems that either _anyone_ can upload
a new descriptor with the same ephemeral address (which is insecure),
or descriptors cannot be replaced (which is problematic).

2) Even if descriptors can't be replaced, there's still a problem:
What stops an attacker from racing the hidden service to try to upload
their own competing descriptor with the same ephemeral address?
