[tor-dev] Probability of Guessing a v3 Onion Address

Wed Dec 11 23:30:08 UTC 2019

procmem at riseup.net wrote:
> Hi I was wondering what the mathematical probability of guessing an
> onion v3 address that is kept secret.
> 
> Or asked differently: what is the entropy of v3 addresses if an
> adversary decides to bruteforce the entire keyspace?
> 
> I am struggling to come up with a usecase for authenticated v3 services
> when keeping an address secret has the same effect and one can generate
> multiple addresses for the same server and share them with different
> entities.  The degraded usability of v3 auth services compared to v2 is
> the reason I'm asking.
> 

The probability is so close to 0 that we can safely assume it's
impossible. v2 addresses are 80 bit. v3 addresses are 256 bit. v3
addresses are whole ed25519 public keys base32 encoded with a checksum
and .onion at the end.

Do not be confused in comparing 80 to 256 like "just little over 3 times
stronger" because in cryptography the difference between 256 bit
security vs 80 bit security is orders of magnitude greater.

2^80 = 1208925819614629174706176
vs
2^256 = 115792089237316195423570985008687907853269984665640564039457584
007913129639936

Bruteforcing the entire keyspace of ed25519 is not something industry
standards consider practical in the real world now, or in the
foreseeable future.

However, your point is not correct. Keeping the address secret does not
have the same effect as authenticated v3. Authenticated v3 exist to
eliminate the side risks where the v3 address is not guessed (brute
forced) but accidentally (or intentionally) leaked. This can be due to
human error, malware / spyware, bug in the software using the v3
address, other kind of trojan-type operation and tons of other
possibilities. Of course one can argue that such threats as described
above can also steal the auth credentials / cookie and have the same
effect on authenticated v3, but it's at least an additional precaution.

Also, if you have multiple users, having one v3 address with
authentication is much better than multiple addresses, for the following
reasons:
- easier management
- easier to configure and easier to maintain the application behind it
(web server or whatever it is)
- less resources needed by the Tor daemon
- less load on your guard(s) / bridge(s), thus more capacity and better
experience for your clients / visitors (if you have multiple addresses
you need to maintain active introduction point circuits for all of them,
publish descriptors, etc.)

Many cons and no pro the way I see it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20191212/bb7dfdc6/attachment.sig>