HIDDEN SERVICES
Onion-routed service endpoints where both client and server remain anonymous. No IP addresses are exchanged — ever.
Publishing to the DHT
Service Registration
The service generates an Ed25519 key pair. The public key becomes the service address. It signs an encrypted descriptor — containing the introduction point list — and publishes it to the distributed hash table.
Establishing contact addresses
Introduction Points
The service builds long-lived Sphinx circuits to three introduction points. These nodes agree to relay introduction messages to the service, but they never learn the final service location.
Discovering the service
Client Lookup
The client queries the DHT for the service descriptor using the service address as a key. The DHT returns the encrypted descriptor, which the client verifies and decrypts to find the introduction points.
Meeting in the dark
Rendezvous Setup
The client picks a random relay node as a rendezvous point and sends a cookie to it. The client then sends an introduction message through the service's introduction point — which forwards it to the service. The service connects back to the rendezvous point.
End-to-end privacy
Traffic Exchange
Bidirectional traffic flows through overlapping circuits. The rendezvous point sees only encrypted, unlinkable Sphinx packets. Neither side knows the other's real IP address or routing path.
Privacy Properties
Zero Protocol hidden services provide mathematically provable privacy guarantees for both parties.
Server Anonymity
The service IP address is never revealed to any client, relay, or observer.
Client Anonymity
The client IP address is never revealed to the service or any introduction point.
End-to-End Encryption
Traffic is double-wrapped in Sphinx: once for the hidden service circuit, once for the client circuit.
Censorship Resistance
Service discovery is distributed across thousands of DHT nodes — no single point of failure.