In this paper, we present a rigorous methodology for quantifying the anonymity provided by Tor against a variety of structural attacks, i.e., adversaries that corrupt Tor nodes and thereby perform eavesdropping attacks to deanonymize Tor users. First, we provide an algorithmic approach for computing the anonymity impact of such structural attacks against Tor. The algorithm is parametric in the considered path selection algorithm and is, hence, capable of reasoning about variants of Tor and alternative path selection algorithms as well. Second, we present formalizations of various instantiations of structural attacks against Tor and show that the computed anonymity impact of each of these adversaries indeed constitutes a worst-case anonymity bound for the cryptographic realization of Tor. Third, we use our methodology to conduct a rigorous, largescale evaluation of Tor’s anonymity which establishes worst-case anonymity bounds against various structural attacks for Tor and for alternative path selection algorithms such as DistribuTor, SelekTOR, and LASTor. This yields the first rigorous anonymity comparison between different path selection algorithms. As part of our analysis, we quantify the anonymity impact of a path selection transition phase, i.e., a small number of users decides to run an alternative algorithm while the vast majority still uses the original one. The source code of our implementation is publicly available.
If the inline PDF is not rendering correctly, you can download the PDF file here.
 Ookla’s NetIndex. http://www.netindex.com/value/allcountries/. Accessed July 2015.
 Sourcecode of our analysis tool. https://www.infsec.cs.unisaarland.de/projects/anonymity-guarantees/mator2.html.
 Tails - live operating system focused on privacy and anonymity. https://tails.boum.org/. Accessed February 2015.
 The Tor blog announcing the release of tor 0.2.6.10. https: //blog.torproject.org/blog/tor-02610-released. Accessed August 2015.
 Tor Metrics Portal. https://metrics.torproject.org/. Accessed July 2015.
 Tor’s Specification. https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt. Accessed February 2015.
 M. Akhoondi C. Yu and H. V. Madhyastha. LASTor: A low-latency AS-aware Tor client. In Security and Privacy (SP) 2012 IEEE Symposium on pages 476-490. IEEE 2012.
 M. Backes A. Kate P. Manoharan S. Meiser and E. Mohammadi. AnoA: A Framework for Analyzing Anonymous Communication Protocols. In Computer Security Foundations Symposium (CSF) 2013 IEEE 26th pages 163-178. IEEE 2013.
 M. Backes A. Kate P. Manoharan S. Meiser and E. Mohammadi. AnoA: A Framework For Analyzing Anonymous Communication Protocols - Unified Definitions and Analyses of Anonymity Properties. IACR Cryptology ePrint Archive Report 2014/087 2014. available at http://eprint.iacr.org/2014/087.
 M. Backes A. Kate S. Meiser and E. Mohammadi. (nothing else) MATor(s): Monitoring anonymity in Tors path selection algorithm. In 21st ACM Conference on Computer and Communications Security (CCS’14) CCS ’14 pages 513-524. ACM ACM 2014.
 M. Backes and B. Köpf. Quantifying information flow in cryptographic systems. Mathematical Structures in Computer Science 25(2):457-479 2015.
 M. Backes S. Meiser and M. Slowik. Your choice mator(s): Large-scale quantitative anonymity assessment of tor path selection algorithms against structural attacks. Technical Report A/03/2015 Saarland University December 2015.
 C. Diaz S. Seys J. Claessens and B. Preneel. Towards measuring anonymity. In Privacy Enhancing Technologies pages 54-68. Springer 2003.
 R. Dingledine N. Hopper G. Kadianakis and N. Mathewson. One fast guard for life (or 9 months). In 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2014) 2014.
 R. Dingledine N. Mathewson and P. Syverson. Tor: The second-generation onion router. Technical report DTIC Document 2004.
 M. Edman and P. Syverson. As-awareness in Tor path selection. In Proceedings of the 16th ACM conference on Computer and communications security pages 380-389. ACM 2009.
 J. Feigenbaum A. Johnson and P. F. Syverson. Probabilistic Analysis of Onion Routing in a Black-Box Model. ACM Transactions on Information and System Security (TISSEC) 15(3):14 2012.
 N. Gelernter and A. Herzberg. On the limits of provable anonymity. In Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society pages 225-236. ACM 2013.
 A. D. Jaggard A. Johnson P. Syverson and J. Feigenbaum. Representing network trust and using it to improve anonymous communication. In In 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2014) 2014.
 A. Johnson C. Wacek R. Jansen M. Sherr and P. Syverson. Users get routed: Traffic correlation on Tor by realistic adversaries. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security pages 337-348. ACM 2013.
 S. J. Murdoch and R. N. M. Watson. Metrics for security and performance in low-latency anonymity networks. In N. Borisov and I. Goldberg editors Proceedings of the Eighth International Symposium on Privacy Enhancing Technologies (PETS 2008) pages 115-132. Springer July 2008.
 A. Neil. SelekTOR - Tor exit node selection made simple. http://www.dazzleships.net/?page_id=71. Accessed February 2015.
 A. Serjantov and G. Danezis. Towards an information theoretic metric for anonymity. In Privacy Enhancing Technologies pages 41-53. Springer 2003.
 Y. Sun A. Edmundson L. Vanbever O. Li J. Rexford M. Chiang and P. Mittal. Raptor: routing attacks on privacy in tor. arXiv preprint arXiv:1503.03940 2015.
 C. Wacek H. Tan K. S. Bauer and M. Sherr. An empirical evaluation of relay selection in Tor. In 20th Annual Network & Distributed System Security Symposium (NDSS) 2013.
 T. Wang K. Bauer C. Forero and I. Goldberg. Congestionaware path selection for Tor. In Financial Cryptography and Data Security pages 98-113. Springer 2012.