Vanity .onion Tor Addresses

Published on April 27, 2020 by

Tor .onion domains are the hashes of public keys. Generally, they look random, but it is possible for am Tor hidden service operator to generate onion domains that start with a human readable part such as “silkroad7rn2puhj.onion”. Those are called “vanity onion addresses” and there are tools like Shallot and Eschalot that will create the customized .onion address.

The number of characters that can be customized are limited by processing power. Shallot published this table with the description “Time to Generate a .onion with a Given Number of Initial Characters on a 1.5Ghz Processor”:

characterstime to generate (approx.)
1less than 1 second
2less than 1 second
3less than 1 second
42 seconds
51 minute
630 minutes
71 day
825 days
92.5 years
1040 years
11640 years
1210 millenia
13160 millenia
142.6 million years

This means that generating an onion domain with 8 defined characters is simple even on a desktop machine.

Another tool to generate vanity addresses is Scallion, which describes itself as “GPU-based Onion Hash generator”. The author claims “For example on my nVidia Quadro K2000M, I see around 90 MH/s. With those speed I can generate an eight character .onion prefix in about 1h 41m“. His formula is “2^(5*length-1) / hashspeed”.

The Scallion readme mentions that a “AMD Vega Frontier Edition” has a hash rate of 7119 MH/s. That graphic card costs between $300 (used) and $1000 (retail price in 2017).

CharactersHash Speed MH/sEstimated Time in DaysHash Speed MH/sEstimated Time in Days
1900.0071190.00
2900.0071190.00
3900.0071190.00
4900.0071190.00
5900.0071190.00
6900.0071190.00
7900.0071190.00
8900.0771190.00
9902.2671190.03
109072.4071190.92
11902,316.67711929.29
129074,133.337119937.21
13902,372,266.47711929,990.73
149075,912,527.057119959,703.25

According to this calculation, a domain with 11 specific characters (for example “facebookcor”) would take less than 1 month on a $300 graphic card. Using 100 of those graphic cards would allow to crack 12 characters in less than 10 days and 13 characters in less than 300 days.

Note that a full (version 2) domain has 16 characters.

facebookcorewwwi.onion

Facebook generated its own domain “facebookcorewwwi.onion” for its Tor connecting Facebook site. According to the information below, only the first 8 characters “facebook” were defined, and the rest “corewwwi” happened because they got lucky. From https://news.ycombinator.com/item?id=8538334

It concerns me that they were able to brute force a key for facebookcorewwwi.onion. If they can do that, what’s to stop somebody else coming along and brute forcing a key for the same hostname.

User mike-cardwell on Oct 31, 2014

A response was posted on the “Tor Talk list” by Facebook engineer Alec on October 31, 2014:

Hi - My name¹s Alec, I work for Facebook and am the team lead for Facebook over Tor.

Long story short: details will come out later, but we just did the same thing as everyone else:
generated a bunch of keys with a fixed lead prefix ("facebook") and then went fishing looking for good ones.

I feel that we got tremendous lucky.

    - alec
https://archives.seul.org/tor/talk/Oct-2014/msg00433.html

Paid

There are services like https://peername.com/pricing/ that offer an 8-character onion domain for $19.98.

Address generator for Tor onion v3 (ed25519) hidden services

The project mkp224o can generate vanity addresses in the long v3 format. For context, here is part of the “rend-spec-v3.txt”:

The names in this format are distinct from earlier names because of their length. An older name might look like:

    unlikelynamefora.onion
    yyhws9optuwiwsns.onion

And a new name following this specification might look like:

    l5satjgud6gucryazcyvyvhuxhr74u6ygigiuyixe3a6ysis67ororad.onion

There is a detailed blog post specifically about generating v3 onion addresses here.

SHA-1 is not considered secure

In 2017 a SHA-1 hash collision was reported by Google researchers. According to this blog post, it “does not significantly impact Tor yet” and mentions that it is already addressed by the longer v3 onion addresses.

Higher cracking speeds?

There is an excellent blog post here about using the “NVIDIA Tesla V100 Data Center GPU” (cost: ~$10k retail) with a hash speed of 11,646MH/s at Amazon EC2 on a “p3.2xlarge instances for as little as $3.06 USD per hour” (and a “spot instance” for “as little as $1.01 USD per hour”).

At the time of writing, this cost is down to $0.918 per hour (source). Let’s assume the reported hash speed is 11,646MH/s and use the formula “time=2^(5*length-1) / hashspeed”. It would take 1.6 million years (= 2^(5*16-1)/(11646000000)/60/60/24/365) with a single GPU and cost $13 billion (= 2^(5*16-1)/(11646000000)/60/60*0.918).

CharactersEstimated Time in DaysEstimated Time in YearsCost
10.000 $                             0.00
20.000 $                             0.00
30.000 $                             0.00
40.000 $                             0.00
50.000 $                             0.00
60.000 $                             0.00
70.000 $                             0.00
80.000 $                             0.01
90.020 $                             0.39
100.560 $                           12.33
1117.900 $                        394.44
12572.902 $                  12,622.14
1318,332.8250 $                403,908.62
14586,650.131,607 $          12,925,075.70
1518,772,804.2251,432 $        413,602,422.51
16600,729,734.941,645,835 $  13,235,277,520.25

As you can see in the table, with the before mentioning pricing and hash rate, only up to 13 out of 16 characters are now crackable at a cost of less than $500,000.

What happens if 2 servers announce the same onion key?

According to this post, the most recently announced one will be the “valid” one:

If two people have the keys and update it, whichever publishes most recently will be believed as genuine and clients will be directed there.

This is bad if the second site to publish is a fake, but the network has no way of knowing if you are just upgrading servers, taking a site back from a scammer, or “stealing” one yourself.

Related articles