Yeah, using a random string to generate the descriptor ID should solve the issue of an attacker positioning himself as HSDirs. The random string is effectively a salt. Instead of:

    descriptor-id = H(permanent-id | H(time-period | replica))

They would do:

    descriptor-id = H(permanent-id | H(time-period | replica) | random string)

If the directory authorities generate the consensus random string an hour before the new GMT date, attackers won't have enough time to brute force a relay fingerprint close to the descriptor ID.
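Added example, not part of the original comment or Tor's code: a sketch of the two formulas above, showing that the unsalted descriptor ID (and so its position among the HSDirs) is fixed for any future time period, while the salted one moves with a value that is not known until it is published. Assumptions: H is SHA-1, time-period is a 4-byte big-endian integer, replica is one byte, the responsible HSDirs are the 3 relays whose fingerprints follow the descriptor ID on the ring, and the permanent ID, relay fingerprints and salts are constructed sample values.

```python
import hashlib
import struct
from bisect import bisect_right

def H(data: bytes) -> bytes:
    # Assumption: H is SHA-1 (20-byte output); the comment only writes "H".
    return hashlib.sha1(data).digest()

def descriptor_id(permanent_id: bytes, time_period: int, replica: int,
                  random_string: bytes = b"") -> bytes:
    """H(permanent-id | H(time-period | replica) [| random string])."""
    # Assumed encoding: 4-byte big-endian time-period, 1-byte replica.
    inner = H(struct.pack(">IB", time_period, replica))
    return H(permanent_id + inner + random_string)

def responsible_hsdirs(desc_id: bytes, fingerprints, count: int = 3):
    """Relays whose fingerprints follow desc_id on the ring (assumed rule)."""
    ring = sorted(fingerprints)
    start = bisect_right(ring, desc_id)
    return [ring[(start + i) % len(ring)] for i in range(count)]

def compare(permanent_id: bytes, fingerprints, time_period: int, replica: int,
            salts):
    """Return the unsalted placement and one placement per candidate salt."""
    unsalted = descriptor_id(permanent_id, time_period, replica)
    result = {"unsalted": (unsalted, responsible_hsdirs(unsalted, fingerprints))}
    for salt in salts:
        did = descriptor_id(permanent_id, time_period, replica, salt)
        result[salt] = (did, responsible_hsdirs(did, fingerprints))
    return result

# Constructed sample data: not real service keys or relay fingerprints.
PERMANENT_ID = H(b"constructed service key")[:10]
RING = [H(b"constructed relay %d" % i) for i in range(200)]

if __name__ == "__main__":
    # The unsalted ID for a period 30 days ahead is computable today; the
    # salted one depends on a value that does not exist until shortly before.
    out = compare(PERMANENT_ID, RING, 16030, 0, [b"salt-A", b"salt-B"])
    for label, (did, dirs) in out.items():
        print(label, did.hex(), [d.hex()[:8] for d in dirs])
```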