[tor-dev] Key Blinding Secrets

Nick Mathewson nickm at torproject.org
Sat May 4 17:30:25 UTC 2024


On Tue, Apr 30, 2024 at 8:07 AM Bellebaum, Thomas
<thomas.bellebaum at aisec.fraunhofer.de> wrote:
>
> Hello everyone,
>
> I am a researcher currently looking into different schemes for what you call Keyblinding in the rendezvous spec.

Hello and welcome!

> https://spec.torproject.org/rend-spec/keyblinding-scheme.html
>
> I noticed that your description there mentions a secret `s` to be hashed into the blinding factor, and have a few questions about it:
>
> 1. Is this secret currently being used / intended to be used? If so, how?

Nope, nothing is using it or setting it right now.

> 2. What kinds of security (formally or informally) would you expect from using a secret in the derivation process? For example, do you just require that someone without `s` cannot look up the service, or is this also meant as a way of ensuring that HSDir nodes cannot find correlations between services and descriptors (amounting to some sort of additional censorship resistance)?

So, I worked on this design more than 10 years ago, and I am not 100%
sure I remember what we originally had in mind for `s`.

That said, I think my expectation would have been that somebody
without `s` should not be able to look up the onion service, connect
to the onion service, *or* link services and descriptors, or link
descriptors to one another.  I don't know if we ever relied on that
latter piece though.

The reason we never built it (IIRC) is that having `KP_hs_id` public
but keeping `s` secret didn't actually achieve anything that couldn't
be achieved just as easily by keeping `KP_hs_id` secret.

best wishes,
-- 
Nick

