They don't have to break Tor's crypto to figure out where hidden services are. They just need to identify which IPs are consistently connected to the Tor network, and then prod them and see if the hidden service goes offline.
That is one of the reasons why you're absolutely not supposed to run a relay from the same IP that you run a hidden service from. Because your IP is published if you do that.
If I were to run such a service, I would want to make sure that the IP that the hidden service is running from has as little connection to me as possible.
[edit] If it were my full-time job to locate Tor hidden services, I'm pretty sure I could make a decent go of it. Certainly for a lot of them. Given the resources the NSA and GCHQ have, I have to believe that they can do a much better job of it.
"It is generally a better idea to host hidden services on a Tor client rather than a Tor relay, since relay uptime and other properties are publicly visible."
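The misconfiguration the comment above warns about (an onion service hosted on the same Tor instance that also runs as a relay, whose address and uptime end up in the public consensus) is easy to catch before deployment. The following is an added example, not code from the post or from the Tor project: a small torrc linter that flags a `HiddenServiceDir` configured next to a non-zero `ORPort`. The sample torrc texts are constructed for the demonstration; the directive names (`ORPort`, `HiddenServiceDir`, `HiddenServicePort`) are real torrc options.

```python
"""Flag relay + onion-service co-location in a torrc (added example, not Tor project code)."""


def parse_torrc(text):
    """Return a list of (directive_lowercase, value) pairs.

    torrc uses one 'Directive value' per line and '#' comments; blank lines are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((key, value))
    return entries


def lint_torrc(text):
    """Return a list of findings; an empty list means no co-location problem was found.

    'ORPort 0' explicitly disables relaying, so it is not counted as a relay listener.
    """
    entries = parse_torrc(text)
    or_ports = [v for k, v in entries if k == "orport" and v != "0"]
    hs_dirs = [v for k, v in entries if k == "hiddenservicedir"]
    findings = []
    if or_ports and hs_dirs:
        findings.append(
            f"relay listener ORPort {or_ports} configured alongside onion service(s) {hs_dirs}: "
            "a relay's IP and uptime are published in the consensus, so the onion service's "
            "availability can be correlated with this host; host it on a non-relay Tor client"
        )
    return findings


# Constructed sample configurations (not taken from any real deployment).
UNSAFE_TORRC = """\
# relay settings
ORPort 9001
Nickname examplerelay
ContactInfo admin@example.invalid
# onion service on the very same instance
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
"""

SAFE_TORRC = """\
# plain client: no relay listener, so nothing about this host is published
ORPort 0
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
"""

if __name__ == "__main__":
    for name, cfg in (("unsafe", UNSAFE_TORRC), ("safe", SAFE_TORRC)):
        result = lint_torrc(cfg)
        print(f"{name}: {result if result else 'ok'}")
```

Run it against a real torrc with `lint_torrc(open("/etc/tor/torrc").read())`; the check only reads the file and does not touch the Tor daemon.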