[tor-relays] Security implications of disabling onion key rotation?

Linus Nordberg and I have had a paper accepted to FOCI 2023 on the
special pluggable transports configuration used on the Snowflake
bridges. That design was first hashed out on this mailing list last

There is a draft of the paper here:


A question that more than one reviewer asked is, what are the security
implications of disabling onion key rotation as we do? (Section 3.2 in
the draft.) It's a good question and one we'd like to address in the
final draft.

What are the risks of not rotating onion keys? My understanding is that
rotation is meant to enhance forward security; i.e., limit how far back
in time past recorded connections can be attacked in the case of key
compromise. https://spec.torproject.org/tor-design Section 4 says:
  Short-term keys are rotated periodically and independently, to
  limit the impact of key compromise.
Do the considerations differ when using ntor keys versus TAP keys?


tor-relays mailing list