[snagglegaggle]

And opens the network to abuses Tor was meant to protect against. If proof-of-destination is built into the network then that is a huge step towards invalidating the main benefit of using a VPN -- you don't want someone (your local authority) knowing where you've been. Current VPNs sort-of work by not being in your local jurisdiction. Decentralizing it makes it easier to attack.

[mlyle]

It uses zero knowledge proofs, so it doesn't really give anyone on the way proof-of-destination.

[snagglegaggle]

You have proof that someone visited a specific site because it uses a value derived from that site's SSL cert. You just don't have any more knowledge than that.

[mlyle]

No.. You wouldn't need a ZKP for that.

From the paper:

> Note that such a proof is not straightforward. We firstly prove that a ciphertext, CS N I , is the result of an encryption without disclosing the public key nor the plaintext. This causes the highest overhead in our construction. We use the construction presented in [7] for this purpose.

> Then we need to link the public key encrypted in clause two, with the one used in clause one. For this we use a proof that two commitments hide the same secret [5].

> Finally the third clause can be openly computed by A given that it received the public key from R.

> Using this, S can convince A that the tunnel created is to a domain that the latter considers valid, without disclosing which one.