This paper presents MTor, a low-latency anonymous group communication system. We construct MTor as an extension to Tor, allowing the construction of multi-source multicast trees on top of the existing Tor infrastructure. MTor does not depend on an external service to broker the group communication, and avoids central points of failure and trust. MTor’s substantial bandwidth savings and graceful scalability enable new classes of anonymous applications that are currently too bandwidth-intensive to be viable through traditional unicast Tor communication-e.g., group file transfer, collaborative editing, streaming video, and real-time audio conferencing.
We detail the design of MTor and then analyze its performance and anonymity. By simulating MTor in Shadow and TorPS using realistic models of the live Tor network’s topology and recent consensus records from the live Tor network, we show that MTor achieves a 29% savings in network bandwidth and a 73% reduction in transmission time as compared to the baseline approach for anonymous group communication among 20 group members. We also demonstrate that MTor scales gracefully with the number of group participants, and allows dynamic group composition over time. Importantly, as more Tor users switch to group communication, we show that the overall performance and utilization for group communication improves. Finally, we discuss the anonymity implications of MTor and measure its resistance to traffic correlation.
 D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang. High-speed High-security Signatures. Journal of Cryptographic Engineering, 2(2):77-89, 2012.
 X. Cai, X. C. Zhang, B. Joshi, and R. Johnson. Touching from a Distance: Website Fingerprinting Attacks and Defenses. In ACM Conference on Computer and Communications Security (CCS), 2012.
 M. Castro, P. Druschel, A.-M. Kermarrec, and A. I. T. Rowstron. Scribe: A Large-Scale and Decentralized Application- Level Multicast Infrastructure. 20(8), October 2002.
 M. Castro, P. Druschel, A.-M. Kermarrec, A. Nandi, A. I. T. Rowstron, and A. Singh. SplitStream: High-Bandwidth Multicast in Cooperative Environments. In ACM Symposium on Operating Systems Principles (SOSP), pages 298-313, 2003.
 D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1(1):65-75, 1988.
 Y.-h. Chu, S. G. Rao, and H. Zhang. A Case for End System Multicast. In ACM SIGMETRICS Performance Evaluation Review, 2000.
 H. Corrigan-Gibbs and B. Ford. Dissent: Accountable Anonymous Group Messaging. In ACM Conference on Computer and Communications Security (CCS), 2010.
 H. Corrigan-Gibbs, D. I. Wolinsky, and B. Ford. Proactively Accountable Anonymous Messaging in Verdict. In USENIX Security Symposium (USENIX), 2013.
 S. E. Deering and D. R. Cheriton. Multicast Routing in Datagram Internetworks and Extended LANs. ACM Transactions on Computer Systems (TOCS), 8(2):85-110, 1990.
 C. Díaz, S. Seys, J. Claessens, and B. Preneel. Towards Measuring Anonymity. In Privacy Enhancing Technologies (PET), 2003.
 R. Dingledine. Research Problem: Better Guard Rotation Parameters, August 2011. Available at https: //blog.torproject.org/blog/research-problem-better-guardrotation- parameters.
 R. Dingledine, N. Mathewson, and P. Syverson. Tor: The Second-Generation Onion Router. In USENIX Security Symposium (USENIX), August 2004.
 R. Dingledine, N. Hopper, G. Kadianakis, and N. Mathewson. One Fast Guard for Life (or 9 months). In Privacy Enhancing Technologies Symposium (PETS), 2014.
 N. S. Evans, R. Dingledine, and C. Grothoff. A Practical Congestion Attack on Tor using Long Paths. In USENIX Security Symposium (USENIX), 2009.
 P. Francis. Yoid: Extending the Internet Multicast Architecture, 2000. Unpublished manuscript, available at https://mpi-sws.org/~francis/yoidArch.pdf.
 J. Geddes, R. Jansen, and N. Hopper. IMUX: Managing Tor Connections from Two to Infinity, and Beyond. In Workshop on Privacy in the Electronic Society (WPES), 2014.
 Global IP Solutions. The Internet Low Bitrate Codec (ILBC). http://tools.ietf.org/html/rfc3951.
 S. Goel, M. Robson, M. Polte, and E. Sirer. Herbivore: A Scalable and Efficient Protocol for Anonymous Communication. Technical report, Cornell University, 2003.
 S. Hahn and K. Loesing. Privacy-preserving Ways to Estimate the Number of Tor Users. Technical Report 2010-11-001, Tor Project, November 2010.
 A. Hamel, J.-C. Grégoire, and I. Goldberg. The Misentropists: New Approaches to Measures in Tor. Technical Report 2011-18, Cheriton School of Computer Science, University of Waterloo, 2011.
 D. Herrmann, R. Wendolsky, and H. Federrath. Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Naive-bayes Classifier. In ACM Workshop on Cloud Computing Security (CCSW), 2009.
 N. Hopper. Proving Security of Tor’s Hidden Service Identity Blinding Protocol. Technical Report 2013-12-001, Tor Project, 2013.
 J. Jannotti, D. K. Gifford, K. L. Johnson, M. F. Kaashoek, and J. W. O’Toole, Jr. Overcast: Reliable Multicasting with an Overlay Network. In Symposium on Operating System Design & Implementation (OSDI), 2000.
 R. Jansen and N. Hopper. Shadow: Running Tor in a Box for Accurate and Efficient Experimentation. In Network and Distributed System Security Symposium (NDSS), 2012.
 R. Jansen, K. S. Bauer, N. Hopper, and R. Dingledine. Methodically Modeling the Tor Network. In CSET, 2012.
 R. Jansen, A. Johnson, and P. F. Syverson. LIRA: Lightweight Incentivized Routing for Anonymity. In Network and Distributed System Security Symposium (NDSS), 2013.
 R. Jansen, J. Geddes, C. Wacek, M. Sherr, and P. Syverson. Never Been KIST: Tor’s Congestion Management Blossoms with Kernel-Informed Socket Transport. In USENIX Security Symposium (USENIX), August 2014.
 R. Jansen, F. Tschorsch, A. Johnson, and B. Scheuermann. The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network. In Network and Distributed System Security Symposium (NDSS), 2014.
 A. Johnson, C. Wacek, R. Jansen, M. Sherr, and P. Syverson. Users Get Routed: Traffic Correlation on Tor By Realistic Adversaries. In ACM Conference on Computer and Communications Security (CCS), November 2013.
 P. Lewis and D. Rushe. http://www.theguardian.com/world/2014/oct/16/-sp-revealed-whisper-app-tracking-users.
 H. Liu, E. Y. Vasserman, and N. Hopper. Improved Group Off-the-record Messaging. In ACM Workshop on Privacy in the Electronic Society (WPES), 2013.
 N. Mathewson. Next-Generation Hidden Service in Tor. Draft 224, Tor Project, 2013. https://gitweb.torproject.org/torspec.git/plain/proposals/224-rend-spec-ng.txt.
 N. Mathewson and R. Dingledine. Tor Rendezvous Specification, 2014. Available at https://gitweb.torproject.org/torspec.git/log/rend-spec.txt?ofs=50.
 D. McCoy, K. Bauer, D. Grunwald, T. Kohno, and D. Sicker. Shining Light in Dark Places: Understanding the Tor Network. In Privacy Enhancing Technologies Symposium (PETS), 2008.
 S. J. Murdoch and G. Danezis. Low-Cost Traffic Analysis of Tor. In IEEE Symposium on Security and Privacy (Oakland), 2005.
 S. J. Murdoch and R. N. M. Watson. Metrics for Security and Performance in Low-Latency Anonymity Systems. In Privacy Enhancing Technologies Symposium (PETS), 2008.
 A. Panchenko, L. Niessen, A. Zinnen, and T. Engel. Website Fingerprinting in Onion Routing Based Anonymization Networks. In ACM Workshop on Privacy in the Electronic Society (WPES), 2011.
 G. Perng, M. K. Reiter, and C. Wang. M2: Multicasting Mixes for Efficient and Anonymous Communication. In International Conference on Distributed Computing Systems (ICDCS), 2006.
 M. Perry. Torflow: Tor network analysis. Proc. 2nd HotPETs, pages 1-14, 2009.
 M. Perry. A Critique of Website Traffic Fingerprinting Attacks, 2014. Available at https://blog.torproject.org/blog/critiquewebsite-traffic-fingerprinting-attacks.
 M. K. Reiter and A. D. Rubin. Crowds: Anonymity for Web Transactions. ACM Transactions on Information and System Security, 1(1):66-92, 1998.
 Rooms. http://www.rooms.me.
 Secret. https://www.secret.ly.
 A. Serjantov and G. Danezis. Towards an Information Theoretic Metric for Anonymity. In Privacy Enhancing Technologies (PET), 2003.
 P. Syverson. Why I’m not an Entropist. In Security Protocols Workshop, 2009.
 Tor Project, Inc. Tor Metrics Portal. https://metrics.torproject.org/.
 Tor Project, Inc. Tor FAQ: What Attacks Remain Against Onion Routing, 2014. Available at https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting.