Encryption is the foundation of darknet privacy. From the multiple layers of Tor's onion routing to PGP-encrypted messages and cryptocurrency transactions, cryptographic protocols enable anonymous communication and commerce. Understanding these systems is essential for security researchers and privacy advocates.
Cryptographic Fundamentals
Symmetric vs Asymmetric Encryption
| Symmetric | Asymmetric |
|---|---|
| Same key encrypts and decrypts | Public key encrypts, private key decrypts |
| Fast, efficient | Slower, computationally intensive |
| Key distribution problem | Solves key distribution |
| AES, ChaCha20 | RSA, ECC, Ed25519 |
Hybrid Encryption
Most real-world systems use hybrid encryption: asymmetric encryption securely exchanges a symmetric key, which then encrypts the actual data. This combines the security of asymmetric with the speed of symmetric.
Tor Network Cryptography
Circuit Encryption
Tor creates circuits through multiple relays. Each layer uses:
- Key Exchange: x25519 (Curve25519 ECDH)
- Symmetric Cipher: AES-256-CTR
- Authentication: HMAC-SHA256
- Handshake: ntor protocol
- Directory Signatures: Ed25519
Onion Service Cryptography
Version 3 .onion addresses (56 characters) use:
- Ed25519 for identity keys
- x25519 for ephemeral key exchange
- SHA3-256 for hashing
- Address = base32(pubkey + checksum + version)
V3 onion addresses are derived from the service's Ed25519 public key. This means the address IS the public key (plus checksum), providing cryptographic binding between address and service identity.
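The derivation above (pubkey, then a two-byte checksum, then the version byte, base32-encoded) can be carried out with the standard library alone. The following is an added example, not code from the Tor project: it builds a v3 address from a 32-byte Ed25519 public key and, more usefully for anyone vetting an address they have been handed, decodes one back and rejects it if the length, version byte or SHA3-256 checksum does not check out. The public key used in the comments is a constructed placeholder, not a real service key.

```python
import base64
import hashlib
import hmac

# Constants from the v3 onion service address format:
#   address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
HOST_LEN = 56  # 35 bytes * 8 bits / 5 bits per base32 char, no padding


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256 over the prefix, key and version byte."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def encode_onion_address(pubkey: bytes) -> str:
    """Derive the 56-character v3 hostname from a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    payload = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(payload).decode("ascii").lower() + ".onion"


def decode_onion_address(address: str):
    """Return the embedded Ed25519 public key, or None if the address is malformed.

    Because the version byte 0x03 sits in the last five bits of the encoding,
    every valid v3 address ends in the letter 'd' before '.onion'.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != HOST_LEN:
        return None
    try:
        payload = base64.b32decode(host, casefold=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(payload) != 35 or payload[34:35] != ONION_VERSION:
        return None
    pubkey, checksum = payload[:32], payload[32:34]
    # Constant-time compare: the checksum is public, but this is a cheap habit.
    if not hmac.compare_digest(checksum, onion_checksum(pubkey)):
        return None
    return pubkey


if __name__ == "__main__":
    # Constructed placeholder key (bytes 0..31), not a real service identity.
    demo_key = bytes(range(32))
    addr = encode_onion_address(demo_key)
    print(addr)
    print("round-trip ok:", decode_onion_address(addr) == demo_key)
```

A tampered address, such as a single-character change in the last position (which alters the version byte), is rejected outright, so a user or a link checker does not have to reach the network to discover that an address cannot belong to any service.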
PGP/GPG Encryption
Pretty Good Privacy (PGP) remains the standard for encrypted communications in darknet communities.
Common Algorithms
RSA-4096
Classic asymmetric algorithm. 4096-bit keys are the standard size for long-lived keys. Vulnerable to quantum computers in the long term.
Ed25519
Modern elliptic curve. Smaller keys, faster operations. Increasingly preferred.
AES-256
Symmetric cipher for message body encryption after key exchange.
SHA-256
Hash function for fingerprints and integrity verification.
Best Practices
- Generate keys on air-gapped systems
- Use subkeys for daily operations
- Set reasonable expiration dates
- Publish to keyservers only if necessary
- Verify fingerprints through multiple channels
Filesystem Encryption
Full Disk Encryption
| Tool | Platform | Algorithm |
|---|---|---|
| LUKS | Linux | AES-XTS-256 |
| VeraCrypt | Cross-platform | AES, Serpent, Twofish (cascaded) |
| FileVault 2 | macOS | AES-XTS-128 |
| BitLocker | Windows | AES-XTS-128/256 |
Hidden Volumes
VeraCrypt supports hidden volumes—encrypted volumes within encrypted volumes. With different passwords revealing different content, this provides plausible deniability.
Operational Note
Tails OS stores nothing by default. All data exists only in RAM and is cryptographically wiped on shutdown. This is the gold standard for operational security.
Cryptocurrency Cryptography
Bitcoin
- Addresses: ECDSA secp256k1 + SHA256 + RIPEMD160
- Signatures: Schnorr (Taproot) or ECDSA
- Not private: Transparent blockchain
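The address line above names the hash chain (SHA-256, then RIPEMD-160) and leaves out the last step, Base58Check, which appends a 4-byte double-SHA-256 checksum before encoding. The following is an added example, not code from Bitcoin Core, that implements Base58Check encoding and decoding with the standard library, so a P2PKH address can be validated offline (a typo in an address fails the checksum rather than sending funds into the void). The `hash160` helper uses OpenSSL's RIPEMD-160 through `hashlib`, which some OpenSSL 3 builds ship only in the legacy provider; the rest of the code does not depend on it.

```python
import hashlib

# Bitcoin's Base58 alphabet: no 0, O, I or l, to avoid visual confusion.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def hash160(pubkey: bytes) -> bytes:
    """RIPEMD160(SHA256(pubkey)); requires RIPEMD-160 in the local OpenSSL."""
    return hashlib.new("ripemd160", hashlib.sha256(pubkey).digest()).digest()


def base58_encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n > 0:
        n, r = divmod(n, 58)
        out.append(B58_ALPHABET[r])
    # Each leading zero byte is carried as a leading '1' (digit value 0).
    leading = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[:1] * leading + bytes(reversed(out))).decode("ascii")


def base58_decode(text: str) -> bytes:
    n = 0
    for ch in text.encode("ascii"):
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58 character")
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + raw


def base58check_encode(version: int, payload: bytes) -> str:
    body = bytes([version]) + payload
    return base58_encode(body + double_sha256(body)[:4])


def base58check_decode(address: str):
    """Return (version, payload) if the checksum verifies, otherwise None."""
    try:
        raw = base58_decode(address)
    except ValueError:  # covers non-ASCII input and bad alphabet characters
        return None
    if len(raw) < 5:
        return None
    body, checksum = raw[:-4], raw[-4:]
    if checksum != double_sha256(body)[:4]:
        return None
    return body[0], body[1:]


def p2pkh_address(pubkey_hash: bytes, mainnet: bool = True) -> str:
    """Legacy P2PKH address: version byte 0x00 on mainnet, 0x6F on testnet."""
    if len(pubkey_hash) != 20:
        raise ValueError("HASH160 output must be 20 bytes")
    return base58check_encode(0x00 if mainnet else 0x6F, pubkey_hash)


if __name__ == "__main__":
    # HASH160 value from the Bitcoin wiki's worked address example.
    h160 = bytes.fromhex("010966776006953D5567439E5E39F86A0D273BEE")
    addr = p2pkh_address(h160)
    print(addr)
    print("valid:", base58check_decode(addr) is not None)
```

Note that the checksum is an integrity check, not an authenticity check: it catches transcription errors, but an attacker who substitutes a whole address (for instance, via clipboard-hijacking malware) produces one with a perfectly valid checksum, which is why the address itself still has to be confirmed out of band.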
Monero Privacy Features
- Ring Signatures: Hide sender among decoys
- RingCT: Hide transaction amounts
- Stealth Addresses: One-time recipient addresses
- Bulletproofs: Efficient range proofs
Future: Post-Quantum Cryptography
Quantum computers threaten current public-key cryptography. The darknet community is watching developments in:
- CRYSTALS-Kyber: NIST-selected key encapsulation
- CRYSTALS-Dilithium: NIST-selected digital signatures
- SPHINCS+: Hash-based signatures
Harvest Now, Decrypt Later
Intelligence agencies may be storing encrypted traffic now to decrypt later with quantum computers. This is why some advocate switching to post-quantum algorithms before quantum computers arrive—especially for long-term secrets.