[tor-talk] Choosing a name for a .onon

Seth David Schoen schoen at eff.org
Thu Mar 29 23:54:53 UTC 2012

Adrian Crenshaw writes:

> Hi all,
>    I was under the impression that the .onion names for Tor Hidden Services
> were pseudo-random based on the public key. How was someone able to choose
> one/choose some character in one? As an example:
> http://silkroadvb5piz3r.onion (hope it is not against policy to post that
> link, only example I know. ) How did they choose the first 8 characters?

The basic answer is "try a lot of possibilities on a computer until the one
you want comes up"!

According to


the .onion name is a base32-encoded version of the first 80 bits of the
SHA1 of the hidden service public key.  base32 is 5 bits per character,
so the prefix "silkroad" in the .onion address above is 5×8=40 bits
(indeed, exactly half of the 80 bits in the entire .onion name).  Choosing
the first 40 bits of a hash generally requires trying an average of 2⁴⁰
possibilities; my laptop does about 3-4 million SHA1 operations per second
(per CPU core) so it would take me 3-4 days (per CPU core) of computation
to try that many possibilities on my laptop.  Since hash value searches
are completely parallelizable, you can make this arbitrarily faster by
adding more computers to the search.

Of course this requires being able to change something trivial about the
public key when generating the .onion address.  (Generating a new public
key from scratch would be very time-consuming; making a 1024-bit keypair
from scratch on my machine takes around 0.1 second, depending on how lucky
the key-generation process gets, which is considerably longer than the
0.0000003 seconds that trying a SHA1 operation requires.)  I'm not sure
exactly what you would change because I'm not sure what data is (or can
be) included in a hidden service public key, but there's probably something
you can change without actually needing to make a new keypair.

There's a nice description of the possibility of creating a public key
with a chosen set of bits at the beginning or end at


although note that the Tor hidden service identifiers are 80 bits, while
PGP short key IDs are only 32 bits, so it's 2⁴⁸ times as hard to fake a
hidden service as it is to make a colliding PGP short key ID.  (Full PGP
fingerprints are 160 bits.)

I first got interested in this when I used to develop a live-CD called
LNX-BBC (for "bootable business card").  At that time we were using MD5
checksums on our web site, and I wrote a program to try lots of
possibilities so that all of our MD5 values started with "bbcbbc" in
hexadecimal (on average only 2²⁴ MD5 attempts).

For more on the base32 encoding, see


Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107

More information about the tor-talk mailing list