Recent work has shown that Tor is vulnerable to attacks that manipulate inter-domain routing to compromise user privacy. Proposed solutions such as Counter-RAPTOR attempt to ameliorate this issue by favoring Tor entry relays that have high resilience to these attacks. However, because these defenses bias Tor path selection on the identity of the client, they invariably leak probabilistic information about client identities. In this work, we make the following contributions. First, we identify a novel means to quantify privacy leakage in guard selection algorithms using the metric of Max-Divergence. Max-Divergence ensures that probabilistic privacy loss is within strict bounds while also providing composability over time. Second, we utilize Max-Divergence and multiple notions of entropy to understand privacy loss in the worst case for Counter-RAPTOR. Our worst-case analysis provides a fresh perspective to the field, as prior work such as Counter-RAPTOR only analyzed average-case privacy loss. Third, we propose modifications to Counter-RAPTOR that incorporate worst-case Max-Divergence in its design. Specifically, we utilize the exponential mechanism (a mechanism for differential privacy) to guarantee a worst-case bound on Max-Divergence, and hence on privacy loss. For the quality function used in the exponential mechanism, we show that a Monte-Carlo sampling-based method for stochastic optimization can be used to improve multi-dimensional trade-offs between security, privacy, and performance. Finally, we demonstrate that compared to Counter-RAPTOR, our approach achieves an 83% decrease in Max-Divergence after one guard selection and a 245% increase in worst-case Shannon entropy after 5 guard selections. Notably, experimental evaluations using the Shadow emulator show that our approach provides these privacy benefits with minimal impact on system performance.
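An added illustration of the bound described in the abstract (not code from the paper): the exponential mechanism applied to guard selection, with Max-Divergence computed across clients. The relay scores, client AS labels and the score-proportional baseline are constructed assumptions; the baseline is a generic client-biased weighting, not Counter-RAPTOR's formula.

```python
import math

# Constructed sample data: per-client resilience scores in [0, 1] for the
# same four guard relays, as seen from three hypothetical client ASes.
CLIENT_SCORES = {
    "AS_A": [0.95, 0.40, 0.10, 0.70],
    "AS_B": [0.05, 0.60, 0.90, 0.70],
    "AS_C": [0.50, 0.50, 0.50, 0.50],
}

def proportional(scores):
    """Baseline (assumption): pick a guard with probability proportional to score."""
    total = sum(scores)
    return [q / total for q in scores]

def exponential_mechanism(scores, epsilon, sensitivity=1.0):
    """P(r) proportional to exp(epsilon * q(r) / (2 * sensitivity)).

    sensitivity is the largest change in any relay's score between two
    clients; scores in [0, 1] give sensitivity <= 1.
    """
    weights = [math.exp(epsilon * q / (2.0 * sensitivity)) for q in scores]
    total = sum(weights)
    return [w / total for w in weights]

def max_divergence(p, q):
    """D_inf(P || Q) = max over relays of ln(P(r) / Q(r))."""
    worst = 0.0
    for a, b in zip(p, q):
        if a == 0:
            continue          # relay never chosen under P contributes nothing
        if b == 0:
            return math.inf   # chosen under P, impossible under Q: unbounded leak
        worst = max(worst, math.log(a / b))
    return worst

def worst_case_divergence(select):
    """Largest Max-Divergence between any ordered pair of clients."""
    dists = [select(s) for s in CLIENT_SCORES.values()]
    return max(max_divergence(p, q) for p in dists for q in dists)

def compare(epsilon=1.0):
    baseline = worst_case_divergence(proportional)
    bounded = worst_case_divergence(
        lambda s: exponential_mechanism(s, epsilon))
    # Independent repeated selections compose additively: k picks leak at
    # most k * epsilon under the exponential mechanism.
    return baseline, bounded

if __name__ == "__main__":
    base, dp = compare(1.0)
    print(f"proportional weighting: {base:.3f}  exponential mechanism: {dp:.3f}")
```

With these constructed scores, the proportional baseline lets an observer who sees one guard choice distinguish two clients by a likelihood ratio of roughly 20, while the exponential mechanism keeps the log-ratio under the chosen epsilon.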