Your Choice MATor(s)

Large-scale Quantitative Anonymity Assessment of Tor Path Selection Algorithms Against Structural Attacks

Michael Backes 1 , Sebastian Meiser 2 ,  and Marcin Slowik 2
  • 1 CISPA, Saarland University & MPI-SWS
  • 2 CISPA, Saarland University


In this paper, we present a rigorous methodology for quantifying the anonymity provided by Tor against a variety of structural attacks, i.e., adversaries that corrupt Tor nodes and thereby perform eavesdropping attacks to deanonymize Tor users. First, we provide an algorithmic approach for computing the anonymity impact of such structural attacks against Tor. The algorithm is parametric in the considered path selection algorithm and is, hence, capable of reasoning about variants of Tor and alternative path selection algorithms as well. Second, we present formalizations of various instantiations of structural attacks against Tor and show that the computed anonymity impact of each of these adversaries indeed constitutes a worst-case anonymity bound for the cryptographic realization of Tor. Third, we use our methodology to conduct a rigorous, largescale evaluation of Tor’s anonymity which establishes worst-case anonymity bounds against various structural attacks for Tor and for alternative path selection algorithms such as DistribuTor, SelekTOR, and LASTor. This yields the first rigorous anonymity comparison between different path selection algorithms. As part of our analysis, we quantify the anonymity impact of a path selection transition phase, i.e., a small number of users decides to run an alternative algorithm while the vast majority still uses the original one. The source code of our implementation is publicly available.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Ookla’s NetIndex. Accessed July, 2015.

  • [2] Sourcecode of our analysis tool.

  • [3] Tails - live operating system focused on privacy and anonymity. Accessed February, 2015.

  • [4] The Tor blog, announcing the release of tor https: // Accessed August, 2015.

  • [5] Tor Metrics Portal. Accessed July, 2015.

  • [6] Tor’s Specification. Accessed February, 2015.

  • [7] M. Akhoondi, C. Yu, and H. V. Madhyastha. LASTor: A low-latency AS-aware Tor client. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 476-490. IEEE, 2012.

  • [8] M. Backes, A. Kate, P. Manoharan, S. Meiser, and E. Mohammadi. AnoA: A Framework for Analyzing Anonymous Communication Protocols. In Computer Security Foundations Symposium (CSF), 2013 IEEE 26th, pages 163-178. IEEE, 2013.

  • [9] M. Backes, A. Kate, P. Manoharan, S. Meiser, and E. Mohammadi. AnoA: A Framework For Analyzing Anonymous Communication Protocols - Unified Definitions and Analyses of Anonymity Properties. IACR Cryptology ePrint Archive, Report 2014/087, 2014. available at

  • [10] M. Backes, A. Kate, S. Meiser, and E. Mohammadi. (nothing else) MATor(s): Monitoring anonymity in Tors path selection algorithm. In 21st ACM Conference on Computer and Communications Security (CCS’14), CCS ’14, pages 513-524. ACM, ACM, 2014.

  • [11] M. Backes and B. Köpf. Quantifying information flow in cryptographic systems. Mathematical Structures in Computer Science, 25(2):457-479, 2015.

  • [12] M. Backes, S. Meiser, and M. Slowik. Your choice mator(s): Large-scale quantitative anonymity assessment of tor path selection algorithms against structural attacks. Technical Report A/03/2015, Saarland University, December 2015.

  • [13] C. Diaz, S. Seys, J. Claessens, and B. Preneel. Towards measuring anonymity. In Privacy Enhancing Technologies, pages 54-68. Springer, 2003.

  • [14] R. Dingledine, N. Hopper, G. Kadianakis, and N. Mathewson. One fast guard for life (or 9 months). In 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2014), 2014.

  • [15] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second-generation onion router. Technical report, DTIC Document, 2004.

  • [16] M. Edman and P. Syverson. As-awareness in Tor path selection. In Proceedings of the 16th ACM conference on Computer and communications security, pages 380-389. ACM, 2009.

  • [17] J. Feigenbaum, A. Johnson, and P. F. Syverson. Probabilistic Analysis of Onion Routing in a Black-Box Model. ACM Transactions on Information and System Security (TISSEC), 15(3):14, 2012.

  • [18] N. Gelernter and A. Herzberg. On the limits of provable anonymity. In Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society, pages 225-236. ACM, 2013.

  • [19] A. D. Jaggard, A. Johnson, P. Syverson, and J. Feigenbaum. Representing network trust and using it to improve anonymous communication. In In 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2014), 2014.

  • [20] A. Johnson, C. Wacek, R. Jansen, M. Sherr, and P. Syverson. Users get routed: Traffic correlation on Tor by realistic adversaries. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 337-348. ACM, 2013.

  • [21] S. J. Murdoch and R. N. M. Watson. Metrics for security and performance in low-latency anonymity networks. In N. Borisov and I. Goldberg, editors, Proceedings of the Eighth International Symposium on Privacy Enhancing Technologies (PETS 2008), pages 115-132. Springer, July 2008.

  • [22] A. Neil. SelekTOR - Tor exit node selection made simple. Accessed February, 2015.

  • [23] A. Serjantov and G. Danezis. Towards an information theoretic metric for anonymity. In Privacy Enhancing Technologies, pages 41-53. Springer, 2003.

  • [24] Y. Sun, A. Edmundson, L. Vanbever, O. Li, J. Rexford, M. Chiang, and P. Mittal. Raptor: routing attacks on privacy in tor. arXiv preprint arXiv:1503.03940, 2015.

  • [25] C. Wacek, H. Tan, K. S. Bauer, and M. Sherr. An empirical evaluation of relay selection in Tor. In 20th Annual Network & Distributed System Security Symposium (NDSS), 2013.

  • [26] T. Wang, K. Bauer, C. Forero, and I. Goldberg. Congestionaware path selection for Tor. In Financial Cryptography and Data Security, pages 98-113. Springer, 2012.


Journal + Issues