aboutsummaryrefslogtreecommitdiff
path: root/doc/design-paper
diff options
context:
space:
mode:
authorPeter Palfrader <peter@palfrader.org>2004-08-06 19:54:29 +0000
committerPeter Palfrader <peter@palfrader.org>2004-08-06 19:54:29 +0000
commit0430b4c5a0cd5dfeeb24515c0f1b8a6193e8a951 (patch)
tree5786a07a772385f5a6dfe4614b3d059f953112fc /doc/design-paper
parent2ff6d6d8b94140a20a8ef6c8a1f7155ef85d275b (diff)
downloadtor-0430b4c5a0cd5dfeeb24515c0f1b8a6193e8a951.tar.gz
tor-0430b4c5a0cd5dfeeb24515c0f1b8a6193e8a951.zip
Move design-paper into its own directory, and ship it and all that is needed to build with it in the tarball
svn:r2163
Diffstat (limited to 'doc/design-paper')
-rw-r--r--doc/design-paper/Makefile.am26
-rw-r--r--doc/design-paper/Makefile.in206
-rw-r--r--doc/design-paper/cell-struct.eps189
-rw-r--r--doc/design-paper/cell-struct.fig49
-rw-r--r--doc/design-paper/cell-struct.pdfbin0 -> 6175 bytes
-rw-r--r--doc/design-paper/cell-struct.pngbin0 -> 6090 bytes
-rw-r--r--doc/design-paper/interaction.eps463
-rw-r--r--doc/design-paper/interaction.fig122
-rw-r--r--doc/design-paper/interaction.pdfbin0 -> 35540 bytes
-rw-r--r--doc/design-paper/interaction.pngbin0 -> 29362 bytes
-rw-r--r--doc/design-paper/latex8.bst1124
-rw-r--r--doc/design-paper/tor-design.bib1093
-rw-r--r--doc/design-paper/tor-design.html2486
-rw-r--r--doc/design-paper/tor-design.pdfbin0 -> 175246 bytes
-rw-r--r--doc/design-paper/tor-design.tex1988
-rw-r--r--doc/design-paper/usenix.sty98
16 files changed, 7844 insertions, 0 deletions
diff --git a/doc/design-paper/Makefile.am b/doc/design-paper/Makefile.am
new file mode 100644
index 0000000000..0fb3d9dd27
--- /dev/null
+++ b/doc/design-paper/Makefile.am
@@ -0,0 +1,26 @@
+
+cell-struct.eps: cell-struct.fig
+ fig2dev -L eps $< $@
+interaction.eps: interaction.fig
+ fig2dev -L eps $< $@
+cell-struct.pdf: cell-struct.fig
+ fig2dev -L pdf $< $@
+interaction.pdf: interaction.fig
+ fig2dev -L pdf $< $@
+
+tor-design.ps: cell-struct.eps interaction.eps tor-design.bib tor-design.tex usenix.sty latex8.bst
+ latex tor-design.tex
+ bibtex tor-design
+ latex tor-design.tex
+ latex tor-design.tex
+ dvips -o $@ tor-design.dvi
+
+tor-design.pdf: cell-struct.pdf interaction.pdf tor-design.bib tor-design.tex usenix.sty latex8.bst
+ pdflatex tor-design.tex
+ bibtex tor-design
+ pdflatex tor-design.tex
+ pdflatex tor-design.tex
+
+EXTRA_DIST = cell-struct.fig interaction.fig tor-design.bib usenix.sty latex8.bst tor-design.tex
+
+DISTCLEANFILES = cell-struct.eps interaction.eps cell-struct.pdf interaction.pdf tor-design.aux tor-design.bbl tor-design.blg tor-design.log tor-design.dvi tor-design.ps
diff --git a/doc/design-paper/Makefile.in b/doc/design-paper/Makefile.in
new file mode 100644
index 0000000000..748af2ddb3
--- /dev/null
+++ b/doc/design-paper/Makefile.in
@@ -0,0 +1,206 @@
+# Makefile.in generated automatically by automake 1.4-p6 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999, 2001 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+BINDIR = @BINDIR@
+CC = @CC@
+CONFDIR = @CONFDIR@
+HAVE_LIB = @HAVE_LIB@
+LIB = @LIB@
+LOCALSTATEDIR = @LOCALSTATEDIR@
+LTLIB = @LTLIB@
+MAKEINFO = @MAKEINFO@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+
+EXTRA_DIST = cell-struct.fig interaction.fig tor-design.bib usenix.sty latex8.bst tor-design.tex
+
+DISTCLEANFILES = cell-struct.eps interaction.eps cell-struct.pdf interaction.pdf tor-design.aux tor-design.bbl tor-design.blg tor-design.log tor-design.dvi tor-design.ps
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../orconfig.h
+CONFIG_CLEAN_FILES =
+DIST_COMMON = Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4)
+ cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/design-paper/Makefile
+
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status $(BUILT_SOURCES)
+ cd $(top_builddir) \
+ && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = doc/design-paper
+
+distdir: $(DISTFILES)
+ here=`cd $(top_builddir) && pwd`; \
+ top_distdir=`cd $(top_distdir) && pwd`; \
+ distdir=`cd $(distdir) && pwd`; \
+ cd $(top_srcdir) \
+ && $(AUTOMAKE) --include-deps --build-dir=$$here --srcdir-name=$(top_srcdir) --output-dir=$$top_distdir --gnu doc/design-paper/Makefile
+ @for file in $(DISTFILES); do \
+ d=$(srcdir); \
+ if test -d $$d/$$file; then \
+ cp -pr $$d/$$file $(distdir)/$$file; \
+ else \
+ test -f $(distdir)/$$file \
+ || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+ || cp -p $$d/$$file $(distdir)/$$file || :; \
+ fi; \
+ done
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+install-exec: install-exec-am
+
+install-data-am:
+install-data: install-data-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile
+all-redirect: all-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -rm -f Makefile $(CONFIG_CLEAN_FILES)
+ -rm -f config.cache config.log stamp-h stamp-h[0-9]*
+ -test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES)
+
+maintainer-clean-generic:
+mostlyclean-am: mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am: clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am: distclean-generic clean-am
+
+distclean: distclean-am
+
+maintainer-clean-am: maintainer-clean-generic distclean-am
+ @echo "This command is intended for maintainers to use;"
+ @echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: tags distdir info-am info dvi-am dvi check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-am install-data install-am install uninstall-am uninstall \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+cell-struct.eps: cell-struct.fig
+ fig2dev -L eps $< $@
+interaction.eps: interaction.fig
+ fig2dev -L eps $< $@
+cell-struct.pdf: cell-struct.fig
+ fig2dev -L pdf $< $@
+interaction.pdf: interaction.fig
+ fig2dev -L pdf $< $@
+
+tor-design.ps: cell-struct.eps interaction.eps tor-design.bib tor-design.tex usenix.sty latex8.bst
+ latex tor-design.tex
+ bibtex tor-design
+ latex tor-design.tex
+ latex tor-design.tex
+ dvips -o $@ tor-design.dvi
+
+tor-design.pdf: cell-struct.pdf interaction.pdf tor-design.bib tor-design.tex usenix.sty latex8.bst
+ pdflatex tor-design.tex
+ bibtex tor-design
+ pdflatex tor-design.tex
+ pdflatex tor-design.tex
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/doc/design-paper/cell-struct.eps b/doc/design-paper/cell-struct.eps
new file mode 100644
index 0000000000..eb9fcb8643
--- /dev/null
+++ b/doc/design-paper/cell-struct.eps
@@ -0,0 +1,189 @@
+%!PS-Adobe-2.0 EPSF-2.0
+%%Title: cell-struct.fig
+%%Creator: fig2dev Version 3.2 Patchlevel 4
+%%CreationDate: Mon May 17 00:04:58 2004
+%%For: root@localhost.localdomain (root)
+%%BoundingBox: 0 0 254 73
+%%Magnification: 1.0000
+%%EndComments
+/$F2psDict 200 dict def
+$F2psDict begin
+$F2psDict /mtrx matrix put
+/col-1 {0 setgray} bind def
+/col0 {0.000 0.000 0.000 srgb} bind def
+/col1 {0.000 0.000 1.000 srgb} bind def
+/col2 {0.000 1.000 0.000 srgb} bind def
+/col3 {0.000 1.000 1.000 srgb} bind def
+/col4 {1.000 0.000 0.000 srgb} bind def
+/col5 {1.000 0.000 1.000 srgb} bind def
+/col6 {1.000 1.000 0.000 srgb} bind def
+/col7 {1.000 1.000 1.000 srgb} bind def
+/col8 {0.000 0.000 0.560 srgb} bind def
+/col9 {0.000 0.000 0.690 srgb} bind def
+/col10 {0.000 0.000 0.820 srgb} bind def
+/col11 {0.530 0.810 1.000 srgb} bind def
+/col12 {0.000 0.560 0.000 srgb} bind def
+/col13 {0.000 0.690 0.000 srgb} bind def
+/col14 {0.000 0.820 0.000 srgb} bind def
+/col15 {0.000 0.560 0.560 srgb} bind def
+/col16 {0.000 0.690 0.690 srgb} bind def
+/col17 {0.000 0.820 0.820 srgb} bind def
+/col18 {0.560 0.000 0.000 srgb} bind def
+/col19 {0.690 0.000 0.000 srgb} bind def
+/col20 {0.820 0.000 0.000 srgb} bind def
+/col21 {0.560 0.000 0.560 srgb} bind def
+/col22 {0.690 0.000 0.690 srgb} bind def
+/col23 {0.820 0.000 0.820 srgb} bind def
+/col24 {0.500 0.190 0.000 srgb} bind def
+/col25 {0.630 0.250 0.000 srgb} bind def
+/col26 {0.750 0.380 0.000 srgb} bind def
+/col27 {1.000 0.500 0.500 srgb} bind def
+/col28 {1.000 0.630 0.630 srgb} bind def
+/col29 {1.000 0.750 0.750 srgb} bind def
+/col30 {1.000 0.880 0.880 srgb} bind def
+/col31 {1.000 0.840 0.000 srgb} bind def
+
+end
+save
+newpath 0 73 moveto 0 0 lineto 254 0 lineto 254 73 lineto closepath clip newpath
+-35.3 77.2 translate
+1 -1 scale
+
+/cp {closepath} bind def
+/ef {eofill} bind def
+/gr {grestore} bind def
+/gs {gsave} bind def
+/sa {save} bind def
+/rs {restore} bind def
+/l {lineto} bind def
+/m {moveto} bind def
+/rm {rmoveto} bind def
+/n {newpath} bind def
+/s {stroke} bind def
+/sh {show} bind def
+/slc {setlinecap} bind def
+/slj {setlinejoin} bind def
+/slw {setlinewidth} bind def
+/srgb {setrgbcolor} bind def
+/rot {rotate} bind def
+/sc {scale} bind def
+/sd {setdash} bind def
+/ff {findfont} bind def
+/sf {setfont} bind def
+/scf {scalefont} bind def
+/sw {stringwidth} bind def
+/tr {translate} bind def
+/tnt {dup dup currentrgbcolor
+ 4 -2 roll dup 1 exch sub 3 -1 roll mul add
+ 4 -2 roll dup 1 exch sub 3 -1 roll mul add
+ 4 -2 roll dup 1 exch sub 3 -1 roll mul add srgb}
+ bind def
+/shd {dup dup currentrgbcolor 4 -2 roll mul 4 -2 roll mul
+ 4 -2 roll mul srgb} bind def
+/$F2psBegin {$F2psDict begin /$F2psEnteredState save def} def
+/$F2psEnd {$F2psEnteredState restore end} def
+
+$F2psBegin
+10 setmiterlimit
+0 slj 0 slc
+ 0.06000 0.06000 sc
+%
+% Fig objects follow
+%
+%
+% here starts figure with depth 50
+% Polyline
+7.500 slw
+n 1200 975 m
+ 1200 1275 l gs col0 s gr
+% Polyline
+n 1725 975 m
+ 1725 1275 l gs col0 s gr
+% Polyline
+n 600 975 m 4800 975 l 4800 1275 l 600 1275 l
+ cp gs col0 s gr
+% Polyline
+n 1200 300 m
+ 1200 600 l gs col0 s gr
+% Polyline
+n 1725 300 m
+ 1725 600 l gs col0 s gr
+% Polyline
+n 600 300 m 4800 300 l 4800 600 l 600 600 l
+ cp gs col0 s gr
+% Polyline
+n 2550 975 m
+ 2550 1275 l gs col0 s gr
+% Polyline
+n 3150 975 m
+ 3150 1275 l gs col0 s gr
+% Polyline
+n 3450 975 m
+ 3450 1275 l gs col0 s gr
+% Polyline
+n 3900 975 m
+ 3900 1275 l gs col0 s gr
+/Times-Roman ff 180.00 scf sf
+675 1200 m
+gs 1 -1 sc (CircID) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+900 900 m
+gs 1 -1 sc (2) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+1275 1200 m
+gs 1 -1 sc (Relay) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+1800 1200 m
+gs 1 -1 sc (StreamID) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+2625 1200 m
+gs 1 -1 sc (Digest) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+3150 1200 m
+gs 1 -1 sc (Len) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+4200 1200 m
+gs 1 -1 sc (DATA) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+675 525 m
+gs 1 -1 sc (CircID) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+1275 525 m
+gs 1 -1 sc (CMD) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+900 225 m
+gs 1 -1 sc (2) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+1425 225 m
+gs 1 -1 sc (1) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+3225 525 m
+gs 1 -1 sc (DATA) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+3225 900 m
+gs 1 -1 sc (2) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+3450 1200 m
+gs 1 -1 sc (CMD) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+3600 900 m
+gs 1 -1 sc (1) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+3300 225 m
+gs 1 -1 sc (509 bytes) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+1425 900 m
+gs 1 -1 sc (1) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+2100 900 m
+gs 1 -1 sc (2) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+2850 900 m
+gs 1 -1 sc (6) col0 sh gr
+/Times-Roman ff 180.00 scf sf
+4350 900 m
+gs 1 -1 sc (498) col0 sh gr
+% here ends figure;
+$F2psEnd
+rs
+showpage
diff --git a/doc/design-paper/cell-struct.fig b/doc/design-paper/cell-struct.fig
new file mode 100644
index 0000000000..3490673ca6
--- /dev/null
+++ b/doc/design-paper/cell-struct.fig
@@ -0,0 +1,49 @@
+#FIG 3.2
+Landscape
+Center
+Inches
+Letter
+100.00
+Single
+-2
+1200 2
+2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
+ 1200 975 1200 1275
+2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
+ 1725 975 1725 1275
+2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
+ 600 975 4800 975 4800 1275 600 1275 600 975
+2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
+ 1200 300 1200 600
+2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
+ 1725 300 1725 600
+2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
+ 600 300 4800 300 4800 600 600 600 600 300
+2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
+ 2550 975 2550 1275
+2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
+ 3150 975 3150 1275
+2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
+ 3450 975 3450 1275
+2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
+ 3900 975 3900 1275
+4 0 0 50 -1 0 12 0.0000 4 135 510 675 1200 CircID\001
+4 0 0 50 -1 0 12 0.0000 4 135 90 900 900 2\001
+4 0 0 50 -1 0 12 0.0000 4 180 435 1275 1200 Relay\001
+4 0 0 50 -1 0 12 0.0000 4 135 735 1800 1200 StreamID\001
+4 0 0 50 -1 0 12 0.0000 4 180 510 2625 1200 Digest\001
+4 0 0 50 -1 0 12 0.0000 4 135 285 3150 1200 Len\001
+4 0 0 50 -1 0 12 0.0000 4 135 510 4200 1200 DATA\001
+4 0 0 50 -1 0 12 0.0000 4 135 510 675 525 CircID\001
+4 0 0 50 -1 0 12 0.0000 4 135 420 1275 525 CMD\001
+4 0 0 50 -1 0 12 0.0000 4 135 90 900 225 2\001
+4 0 0 50 -1 0 12 0.0000 4 135 90 1425 225 1\001
+4 0 0 50 -1 0 12 0.0000 4 135 510 3225 525 DATA\001
+4 0 0 50 -1 0 12 0.0000 4 135 90 3225 900 2\001
+4 0 0 50 -1 0 12 0.0000 4 135 420 3450 1200 CMD\001
+4 0 0 50 -1 0 12 0.0000 4 135 90 3600 900 1\001
+4 0 0 50 -1 0 12 0.0000 4 180 735 3300 225 509 bytes\001
+4 0 0 50 -1 0 12 0.0000 4 135 90 1425 900 1\001
+4 0 0 50 -1 0 12 0.0000 4 135 90 2100 900 2\001
+4 0 0 50 -1 0 12 0.0000 4 135 90 2850 900 6\001
+4 0 0 50 -1 0 12 0.0000 4 135 270 4350 900 498\001
diff --git a/doc/design-paper/cell-struct.pdf b/doc/design-paper/cell-struct.pdf
new file mode 100644
index 0000000000..8ca52deeb9
--- /dev/null
+++ b/doc/design-paper/cell-struct.pdf
Binary files differ
diff --git a/doc/design-paper/cell-struct.png b/doc/design-paper/cell-struct.png
new file mode 100644
index 0000000000..799bcc8c18
--- /dev/null
+++ b/doc/design-paper/cell-struct.png
Binary files differ
diff --git a/doc/design-paper/interaction.eps b/doc/design-paper/interaction.eps
new file mode 100644
index 0000000000..9b4e3db619
--- /dev/null
+++ b/doc/design-paper/interaction.eps
@@ -0,0 +1,463 @@
+%!PS-Adobe-2.0 EPSF-2.0
+%%Title: interaction.fig
+%%Creator: fig2dev Version 3.2 Patchlevel 3d
+%%CreationDate: Sat Jan 31 05:25:23 2004
+%%For: nickm@totoro.wangafu.net ()
+%%BoundingBox: 0 0 449 235
+%%Magnification: 1.0000
+%%EndComments
+/$F2psDict 200 dict def
+$F2psDict begin
+$F2psDict /mtrx matrix put
+/col-1 {0 setgray} bind def
+/col0 {0.000 0.000 0.000 srgb} bind def
+/col1 {0.000 0.000 1.000 srgb} bind def
+/col2 {0.000 1.000 0.000 srgb} bind def
+/col3 {0.000 1.000 1.000 srgb} bind def
+/col4 {1.000 0.000 0.000 srgb} bind def
+/col5 {1.000 0.000 1.000 srgb} bind def
+/col6 {1.000 1.000 0.000 srgb} bind def
+/col7 {1.000 1.000 1.000 srgb} bind def
+/col8 {0.000 0.000 0.560 srgb} bind def
+/col9 {0.000 0.000 0.690 srgb} bind def
+/col10 {0.000 0.000 0.820 srgb} bind def
+/col11 {0.530 0.810 1.000 srgb} bind def
+/col12 {0.000 0.560 0.000 srgb} bind def
+/col13 {0.000 0.690 0.000 srgb} bind def
+/col14 {0.000 0.820 0.000 srgb} bind def
+/col15 {0.000 0.560 0.560 srgb} bind def
+/col16 {0.000 0.690 0.690 srgb} bind def
+/col17 {0.000 0.820 0.820 srgb} bind def
+/col18 {0.560 0.000 0.000 srgb} bind def
+/col19 {0.690 0.000 0.000 srgb} bind def
+/col20 {0.820 0.000 0.000 srgb} bind def
+/col21 {0.560 0.000 0.560 srgb} bind def
+/col22 {0.690 0.000 0.690 srgb} bind def
+/col23 {0.820 0.000 0.820 srgb} bind def
+/col24 {0.500 0.190 0.000 srgb} bind def
+/col25 {0.630 0.250 0.000 srgb} bind def
+/col26 {0.750 0.380 0.000 srgb} bind def
+/col27 {1.000 0.500 0.500 srgb} bind def
+/col28 {1.000 0.630 0.630 srgb} bind def
+/col29 {1.000 0.750 0.750 srgb} bind def
+/col30 {1.000 0.880 0.880 srgb} bind def
+/col31 {1.000 0.840 0.000 srgb} bind def
+
+end
+save
+newpath 0 235 moveto 0 0 lineto 449 0 lineto 449 235 lineto closepath clip newpath
+-62.3 239.8 translate
+1 -1 scale
+
+/cp {closepath} bind def
+/ef {eofill} bind def
+/gr {grestore} bind def
+/gs {gsave} bind def
+/sa {save} bind def
+/rs {restore} bind def
+/l {lineto} bind def
+/m {moveto} bind def
+/rm {rmoveto} bind def
+/n {newpath} bind def
+/s {stroke} bind def
+/sh {show} bind def
+/slc {setlinecap} bind def
+/slj {setlinejoin} bind def
+/slw {setlinewidth} bind def
+/srgb {setrgbcolor} bind def
+/rot {rotate} bind def
+/sc {scale} bind def
+/sd {setdash} bind def
+/ff {findfont} bind def
+/sf {setfont} bind def
+/scf {scalefont} bind def
+/sw {stringwidth} bind def
+/tr {translate} bind def
+/tnt {dup dup currentrgbcolor
+ 4 -2 roll dup 1 exch sub 3 -1 roll mul add
+ 4 -2 roll dup 1 exch sub 3 -1 roll mul add
+ 4 -2 roll dup 1 exch sub 3 -1 roll mul add srgb}
+ bind def
+/shd {dup dup currentrgbcolor 4 -2 roll mul 4 -2 roll mul
+ 4 -2 roll mul srgb} bind def
+/reencdict 12 dict def /ReEncode { reencdict begin
+/newcodesandnames exch def /newfontname exch def /basefontname exch def
+/basefontdict basefontname findfont def /newfont basefontdict maxlength dict def
+basefontdict { exch dup /FID ne { dup /Encoding eq
+{ exch dup length array copy newfont 3 1 roll put }
+{ exch newfont 3 1 roll put } ifelse } { pop pop } ifelse } forall
+newfont /FontName newfontname put newcodesandnames aload pop
+128 1 255 { newfont /Encoding get exch /.notdef put } for
+newcodesandnames length 2 idiv { newfont /Encoding get 3 1 roll put } repeat
+newfontname newfont definefont pop end } def
+/isovec [
+8#055 /minus 8#200 /grave 8#201 /acute 8#202 /circumflex 8#203 /tilde
+8#204 /macron 8#205 /breve 8#206 /dotaccent 8#207 /dieresis
+8#210 /ring 8#211 /cedilla 8#212 /hungarumlaut 8#213 /ogonek 8#214 /caron
+8#220 /dotlessi 8#230 /oe 8#231 /OE
+8#240 /space 8#241 /exclamdown 8#242 /cent 8#243 /sterling
+8#244 /currency 8#245 /yen 8#246 /brokenbar 8#247 /section 8#250 /dieresis
+8#251 /copyright 8#252 /ordfeminine 8#253 /guillemotleft 8#254 /logicalnot
+8#255 /hyphen 8#256 /registered 8#257 /macron 8#260 /degree 8#261 /plusminus
+8#262 /twosuperior 8#263 /threesuperior 8#264 /acute 8#265 /mu 8#266 /paragraph
+8#267 /periodcentered 8#270 /cedilla 8#271 /onesuperior 8#272 /ordmasculine
+8#273 /guillemotright 8#274 /onequarter 8#275 /onehalf
+8#276 /threequarters 8#277 /questiondown 8#300 /Agrave 8#301 /Aacute
+8#302 /Acircumflex 8#303 /Atilde 8#304 /Adieresis 8#305 /Aring
+8#306 /AE 8#307 /Ccedilla 8#310 /Egrave 8#311 /Eacute
+8#312 /Ecircumflex 8#313 /Edieresis 8#314 /Igrave 8#315 /Iacute
+8#316 /Icircumflex 8#317 /Idieresis 8#320 /Eth 8#321 /Ntilde 8#322 /Ograve
+8#323 /Oacute 8#324 /Ocircumflex 8#325 /Otilde 8#326 /Odieresis 8#327 /multiply
+8#330 /Oslash 8#331 /Ugrave 8#332 /Uacute 8#333 /Ucircumflex
+8#334 /Udieresis 8#335 /Yacute 8#336 /Thorn 8#337 /germandbls 8#340 /agrave
+8#341 /aacute 8#342 /acircumflex 8#343 /atilde 8#344 /adieresis 8#345 /aring
+8#346 /ae 8#347 /ccedilla 8#350 /egrave 8#351 /eacute
+8#352 /ecircumflex 8#353 /edieresis 8#354 /igrave 8#355 /iacute
+8#356 /icircumflex 8#357 /idieresis 8#360 /eth 8#361 /ntilde 8#362 /ograve
+8#363 /oacute 8#364 /ocircumflex 8#365 /otilde 8#366 /odieresis 8#367 /divide
+8#370 /oslash 8#371 /ugrave 8#372 /uacute 8#373 /ucircumflex
+8#374 /udieresis 8#375 /yacute 8#376 /thorn 8#377 /ydieresis] def
+/Times-Bold /Times-Bold-iso isovec ReEncode
+/Times-Roman /Times-Roman-iso isovec ReEncode
+/$F2psBegin {$F2psDict begin /$F2psEnteredState save def} def
+/$F2psEnd {$F2psEnteredState restore end} def
+
+$F2psBegin
+10 setmiterlimit
+ 0.06000 0.06000 sc
+%
+% Fig objects follow
+%
+% Polyline
+15.000 slw
+n 6000 300 m
+ 6000 3975 l gs col0 s gr
+% Polyline
+7.500 slw
+gs clippath
+3615 555 m 3615 495 l 3464 495 l 3584 525 l 3464 555 l cp
+eoclip
+n 1200 525 m
+ 3600 525 l gs col0 s gr gr
+
+% arrowhead
+n 3464 555 m 3584 525 l 3464 495 l 3464 555 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+1185 795 m 1185 855 l 1336 855 l 1216 825 l 1336 795 l cp
+eoclip
+n 3600 825 m
+ 1200 825 l gs col0 s gr gr
+
+% arrowhead
+n 1336 795 m 1216 825 l 1336 855 l 1336 795 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+15.000 slw
+n 1200 300 m
+ 1200 3975 l gs col0 s gr
+% Polyline
+7.500 slw
+gs clippath
+3615 1155 m 3615 1095 l 3464 1095 l 3584 1125 l 3464 1155 l cp
+eoclip
+n 1200 1125 m
+ 3600 1125 l gs col0 s gr gr
+
+% arrowhead
+n 3464 1155 m 3584 1125 l 3464 1095 l 3464 1155 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+15.000 slw
+n 3600 300 m
+ 3600 3975 l gs col0 s gr
+% Polyline
+7.500 slw
+gs clippath
+6015 1230 m 6015 1170 l 5864 1170 l 5984 1200 l 5864 1230 l cp
+eoclip
+n 3600 1200 m
+ 6000 1200 l gs col0 s gr gr
+
+% arrowhead
+n 5864 1230 m 5984 1200 l 5864 1170 l 5864 1230 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+3585 1470 m 3585 1530 l 3736 1530 l 3616 1500 l 3736 1470 l cp
+eoclip
+n 6000 1500 m
+ 3600 1500 l gs col0 s gr gr
+
+% arrowhead
+n 3736 1470 m 3616 1500 l 3736 1530 l 3736 1470 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+1185 1545 m 1185 1605 l 1336 1605 l 1216 1575 l 1336 1545 l cp
+eoclip
+n 3600 1575 m
+ 1200 1575 l gs col0 s gr gr
+
+% arrowhead
+n 1336 1545 m 1216 1575 l 1336 1605 l 1336 1545 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+ [15 45] 45 sd
+n 1050 1800 m
+ 8325 1800 l gs col0 s gr [] 0 sd
+% Polyline
+gs clippath
+3615 2130 m 3615 2070 l 3464 2070 l 3584 2100 l 3464 2130 l cp
+eoclip
+n 1200 2100 m
+ 3600 2100 l gs col0 s gr gr
+
+% arrowhead
+n 3464 2130 m 3584 2100 l 3464 2070 l 3464 2130 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+6015 2205 m 6015 2145 l 5864 2145 l 5984 2175 l 5864 2205 l cp
+eoclip
+n 3600 2175 m
+ 6000 2175 l gs col0 s gr gr
+
+% arrowhead
+n 5864 2205 m 5984 2175 l 5864 2145 l 5864 2205 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+ [60] 0 sd
+gs clippath
+8190 2430 m 8190 2370 l 8039 2370 l 8159 2400 l 8039 2430 l cp
+5985 2370 m 5985 2430 l 6136 2430 l 6016 2400 l 6136 2370 l cp
+eoclip
+n 6000 2400 m
+ 8175 2400 l gs col0 s gr gr
+ [] 0 sd
+% arrowhead
+n 6136 2370 m 6016 2400 l 6136 2430 l 6136 2370 l cp gs 0.00 setgray ef gr col0 s
+% arrowhead
+n 8039 2430 m 8159 2400 l 8039 2370 l 8039 2430 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+3585 2520 m 3585 2580 l 3736 2580 l 3616 2550 l 3736 2520 l cp
+eoclip
+n 6000 2550 m
+ 3600 2550 l gs col0 s gr gr
+
+% arrowhead
+n 3736 2520 m 3616 2550 l 3736 2580 l 3736 2520 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+1185 2595 m 1185 2655 l 1336 2655 l 1216 2625 l 1336 2595 l cp
+eoclip
+n 3600 2625 m
+ 1200 2625 l gs col0 s gr gr
+
+% arrowhead
+n 1336 2595 m 1216 2625 l 1336 2655 l 1336 2595 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+3615 3030 m 3615 2970 l 3464 2970 l 3584 3000 l 3464 3030 l cp
+eoclip
+n 1200 3000 m
+ 3600 3000 l gs col0 s gr gr
+
+% arrowhead
+n 3464 3030 m 3584 3000 l 3464 2970 l 3464 3030 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+6015 3105 m 6015 3045 l 5864 3045 l 5984 3075 l 5864 3105 l cp
+eoclip
+n 3600 3075 m
+ 6000 3075 l gs col0 s gr gr
+
+% arrowhead
+n 5864 3105 m 5984 3075 l 5864 3045 l 5864 3105 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+8190 3180 m 8190 3120 l 8039 3120 l 8159 3150 l 8039 3180 l cp
+eoclip
+n 6000 3150 m
+ 8175 3150 l gs col0 s gr gr
+
+% arrowhead
+n 8039 3180 m 8159 3150 l 8039 3120 l 8039 3180 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+5985 3420 m 5985 3480 l 6136 3480 l 6016 3450 l 6136 3420 l cp
+eoclip
+n 8175 3450 m
+ 6000 3450 l gs col0 s gr gr
+
+% arrowhead
+n 6136 3420 m 6016 3450 l 6136 3480 l 6136 3420 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+5985 3495 m 5985 3555 l 6136 3555 l 6016 3525 l 6136 3495 l cp
+eoclip
+n 8175 3525 m
+ 6000 3525 l gs col0 s gr gr
+
+% arrowhead
+n 6136 3495 m 6016 3525 l 6136 3555 l 6136 3495 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+5985 3570 m 5985 3630 l 6136 3630 l 6016 3600 l 6136 3570 l cp
+eoclip
+n 8175 3600 m
+ 6000 3600 l gs col0 s gr gr
+
+% arrowhead
+n 6136 3570 m 6016 3600 l 6136 3630 l 6136 3570 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+3585 3495 m 3585 3555 l 3736 3555 l 3616 3525 l 3736 3495 l cp
+eoclip
+n 6000 3525 m
+ 3600 3525 l gs col0 s gr gr
+
+% arrowhead
+n 3736 3495 m 3616 3525 l 3736 3555 l 3736 3495 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+3585 3645 m 3585 3705 l 3736 3705 l 3616 3675 l 3736 3645 l cp
+eoclip
+n 6000 3675 m
+ 3600 3675 l gs col0 s gr gr
+
+% arrowhead
+n 3736 3645 m 3616 3675 l 3736 3705 l 3736 3645 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+3585 3570 m 3585 3630 l 3736 3630 l 3616 3600 l 3736 3570 l cp
+eoclip
+n 6000 3600 m
+ 3600 3600 l gs col0 s gr gr
+
+% arrowhead
+n 3736 3570 m 3616 3600 l 3736 3630 l 3736 3570 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+1185 3645 m 1185 3705 l 1336 3705 l 1216 3675 l 1336 3645 l cp
+eoclip
+n 3600 3675 m
+ 1200 3675 l gs col0 s gr gr
+
+% arrowhead
+n 1336 3645 m 1216 3675 l 1336 3705 l 1336 3645 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+1185 3720 m 1185 3780 l 1336 3780 l 1216 3750 l 1336 3720 l cp
+eoclip
+n 3600 3750 m
+ 1200 3750 l gs col0 s gr gr
+
+% arrowhead
+n 1336 3720 m 1216 3750 l 1336 3780 l 1336 3720 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+gs clippath
+1185 3795 m 1185 3855 l 1336 3855 l 1216 3825 l 1336 3795 l cp
+eoclip
+n 3600 3825 m
+ 1200 3825 l gs col0 s gr gr
+
+% arrowhead
+n 1336 3795 m 1216 3825 l 1336 3855 l 1336 3795 l cp gs 0.00 setgray ef gr col0 s
+% Polyline
+15.000 slw
+n 8175 300 m
+ 8175 3975 l gs col0 s gr
+% Polyline
+7.500 slw
+n 6300 825 m 7950 825 l 7950 1725 l 6300 1725 l
+ cp gs col7 1.00 shd ef gr gs col0 s gr
+/Times-Bold-iso ff 180.00 scf sf
+3375 225 m
+gs 1 -1 sc (OR 1) col0 sh gr
+/Times-Bold-iso ff 180.00 scf sf
+1050 225 m
+gs 1 -1 sc (Alice) col0 sh gr
+/Times-Bold-iso ff 180.00 scf sf
+5775 225 m
+gs 1 -1 sc (OR 2) col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+6075 3075 m
+gs 1 -1 sc ("HTTP GET...") col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+4800 3975 m
+gs 1 -1 sc (. . .) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+7125 3975 m
+gs 1 -1 sc (. . .) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+2400 3975 m
+gs 1 -1 sc (. . .) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+7125 2325 m
+gs 1 -1 sc (\(TCP handshake\)) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Bold-iso ff 180.00 scf sf
+7875 225 m
+gs 1 -1 sc (website) col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+7125 1425 m
+gs 1 -1 sc ({X}--AES encryption) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+7125 1200 m
+gs 1 -1 sc (E\(x\)--RSA encryption) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+7125 975 m
+gs 1 -1 sc (Legend:) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+2400 225 m
+gs 1 -1 sc (\(link is TLS-encrypted\)) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+1275 1050 m
+gs 1 -1 sc (Relay c1{Extend, OR2, E\(g^x2\)}) col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+1275 2025 m
+gs 1 -1 sc (Relay c1{{Begin <website>:80}}) col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+3525 1500 m
+gs 1 -1 sc (Relay c1{Extended, g^y2, H\(K2\)}) dup sw pop neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+3675 2100 m
+gs 1 -1 sc (Relay c2{Begin <website>:80}) col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+3525 2550 m
+gs 1 -1 sc (Relay c1{{Connected}}) dup sw pop neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+5925 2475 m
+gs 1 -1 sc (Relay c2{Connected}) dup sw pop neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+1275 2925 m
+gs 1 -1 sc (Relay c1{{Data, "HTTP GET..."}}) col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+3675 3000 m
+gs 1 -1 sc (Relay c2{Data, "HTTP GET..."}) col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+4800 225 m
+gs 1 -1 sc (\(link is TLS-encryped\)) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+7050 225 m
+gs 1 -1 sc (\(unencrypted\)) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+7125 1650 m
+gs 1 -1 sc (cN--a circID) dup sw pop 2 div neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+3525 3600 m
+gs 1 -1 sc (Relay c1{{Data, \(response\)}}) dup sw pop neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+8100 3375 m
+gs 1 -1 sc (\(response\)) dup sw pop neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+5925 3450 m
+gs 1 -1 sc (Relay c2{Data, \(response\)}) dup sw pop neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+5925 1425 m
+gs 1 -1 sc (Created c2, g^y2, H\(K2\)) dup sw pop neg 0 rm col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+3675 1125 m
+gs 1 -1 sc (Create c2, E\(g^x2\)) col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+1275 450 m
+gs 1 -1 sc (Create c1, E\(g^x1\)) col0 sh gr
+/Times-Roman-iso ff 150.00 scf sf
+3525 750 m
+gs 1 -1 sc (Created c1, g^y1, H\(K1\)) dup sw pop neg 0 rm col0 sh gr
+$F2psEnd
+rs
diff --git a/doc/design-paper/interaction.fig b/doc/design-paper/interaction.fig
new file mode 100644
index 0000000000..a7b49e0a52
--- /dev/null
+++ b/doc/design-paper/interaction.fig
@@ -0,0 +1,122 @@
+#FIG 3.2
+Landscape
+Center
+Inches
+Letter
+100.00
+Single
+-2
+1200 2
+2 1 0 2 0 7 50 0 -1 0.000 0 0 -1 0 0 2
+ 6000 300 6000 3975
+2 1 0 1 0 7 50 0 -1 0.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 1200 525 3600 525
+2 1 0 1 0 7 50 0 -1 0.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 3600 825 1200 825
+2 1 0 2 0 7 50 0 -1 0.000 0 0 -1 0 0 2
+ 1200 300 1200 3975
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 1200 1125 3600 1125
+2 1 0 2 0 7 50 0 -1 0.000 0 0 -1 0 0 2
+ 3600 300 3600 3975
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 3600 1200 6000 1200
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 6000 1500 3600 1500
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 3600 1575 1200 1575
+2 1 2 1 0 7 50 0 -1 3.000 0 0 -1 0 0 2
+ 1050 1800 8325 1800
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 1200 2100 3600 2100
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 3600 2175 6000 2175
+2 1 1 1 0 7 50 0 -1 4.000 0 0 -1 1 1 2
+ 1 1 1.00 60.00 120.00
+ 1 1 1.00 60.00 120.00
+ 6000 2400 8175 2400
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 6000 2550 3600 2550
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 3600 2625 1200 2625
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 1200 3000 3600 3000
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 3600 3075 6000 3075
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 6000 3150 8175 3150
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 8175 3450 6000 3450
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 8175 3525 6000 3525
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 8175 3600 6000 3600
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 6000 3525 3600 3525
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 6000 3675 3600 3675
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 6000 3600 3600 3600
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 3600 3675 1200 3675
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 3600 3750 1200 3750
+2 1 0 1 0 7 50 0 -1 3.000 0 0 -1 1 0 2
+ 1 1 1.00 60.00 120.00
+ 3600 3825 1200 3825
+2 1 0 2 0 7 50 0 -1 0.000 0 0 -1 0 0 2
+ 8175 300 8175 3975
+2 2 0 1 0 7 50 0 20 3.000 0 0 -1 0 0 5
+ 6300 825 7950 825 7950 1725 6300 1725 6300 825
+4 0 0 50 0 2 12 0.0000 4 135 450 3375 225 OR 1\001
+4 0 0 50 0 2 12 0.0000 4 135 420 1050 225 Alice\001
+4 0 0 50 0 2 12 0.0000 4 135 450 5775 225 OR 2\001
+4 0 0 50 0 0 10 0.0000 4 105 960 6075 3075 "HTTP GET..."\001
+4 1 0 50 0 0 10 0.0000 4 15 135 4800 3975 . . .\001
+4 1 0 50 0 0 10 0.0000 4 15 135 7125 3975 . . .\001
+4 1 0 50 0 0 10 0.0000 4 15 135 2400 3975 . . .\001
+4 1 0 50 0 0 10 0.0000 4 135 1050 7125 2325 (TCP handshake)\001
+4 0 0 50 0 2 12 0.0000 4 135 630 7875 225 website\001
+4 1 0 50 0 0 10 0.0000 4 135 1335 7125 1425 {X}--AES encryption\001
+4 1 0 50 0 0 10 0.0000 4 135 1410 7125 1200 E(x)--RSA encryption\001
+4 1 0 50 0 0 10 0.0000 4 135 480 7125 975 Legend:\001
+4 1 0 50 0 0 10 0.0000 4 135 1455 2400 225 (link is TLS-encrypted)\001
+4 0 0 50 0 0 10 0.0000 4 135 2085 1275 1050 Relay c1{Extend, OR2, E(g^x2)}\001
+4 0 0 50 0 0 10 0.0000 4 135 1965 1275 2025 Relay c1{{Begin <website>:80}}\001
+4 2 0 50 0 0 10 0.0000 4 135 2190 3525 1500 Relay c1{Extended, g^y2, H(K2)}\001
+4 0 0 50 0 0 10 0.0000 4 135 1845 3675 2100 Relay c2{Begin <website>:80}\001
+4 2 0 50 0 0 10 0.0000 4 135 1410 3525 2550 Relay c1{{Connected}}\001
+4 2 0 50 0 0 10 0.0000 4 135 1290 5925 2475 Relay c2{Connected}\001
+4 0 0 50 0 0 10 0.0000 4 135 2085 1275 2925 Relay c1{{Data, "HTTP GET..."}}\001
+4 0 0 50 0 0 10 0.0000 4 135 1965 3675 3000 Relay c2{Data, "HTTP GET..."}\001
+4 1 0 50 0 0 10 0.0000 4 135 1365 4800 225 (link is TLS-encryped)\001
+4 1 0 50 0 0 10 0.0000 4 135 870 7050 225 (unencrypted)\001
+4 1 0 50 0 0 10 0.0000 4 105 780 7125 1650 cN--a circID\001
+4 2 0 50 0 0 10 0.0000 4 135 1860 3525 3600 Relay c1{{Data, (response)}}\001
+4 2 0 50 0 0 10 0.0000 4 135 645 8100 3375 (response)\001
+4 2 0 50 0 0 10 0.0000 4 135 1650 5925 3450 Relay c2{Data, (response)}\001
+4 2 0 50 0 0 10 0.0000 4 135 1545 5925 1425 Created c2, g^y2, H(K2)\001
+4 0 0 50 0 0 10 0.0000 4 135 1170 3675 1125 Create c2, E(g^x2)\001
+4 0 0 50 0 0 10 0.0000 4 135 1170 1275 450 Create c1, E(g^x1)\001
+4 2 0 50 0 0 10 0.0000 4 135 1545 3525 750 Created c1, g^y1, H(K1)\001
diff --git a/doc/design-paper/interaction.pdf b/doc/design-paper/interaction.pdf
new file mode 100644
index 0000000000..8def0add59
--- /dev/null
+++ b/doc/design-paper/interaction.pdf
Binary files differ
diff --git a/doc/design-paper/interaction.png b/doc/design-paper/interaction.png
new file mode 100644
index 0000000000..2bb904fcd9
--- /dev/null
+++ b/doc/design-paper/interaction.png
Binary files differ
diff --git a/doc/design-paper/latex8.bst b/doc/design-paper/latex8.bst
new file mode 100644
index 0000000000..2dd3249633
--- /dev/null
+++ b/doc/design-paper/latex8.bst
@@ -0,0 +1,1124 @@
+
+% ---------------------------------------------------------------
+%
+% $Id$
+%
+% by Paolo.Ienne@di.epfl.ch
+%
+
+% ---------------------------------------------------------------
+%
+% no guarantee is given that the format corresponds perfectly to
+% IEEE 8.5" x 11" Proceedings, but most features should be ok.
+%
+% ---------------------------------------------------------------
+%
+% `latex8' from BibTeX standard bibliography style `abbrv'
+% version 0.99a for BibTeX versions 0.99a or later, LaTeX version 2.09.
+% Copyright (C) 1985, all rights reserved.
+% Copying of this file is authorized only if either
+% (1) you make absolutely no changes to your copy, including name, or
+% (2) if you do make changes, you name it something other than
+% btxbst.doc, plain.bst, unsrt.bst, alpha.bst, and abbrv.bst.
+% This restriction helps ensure that all standard styles are identical.
+% The file btxbst.doc has the documentation for this style.
+
+ENTRY
+ { address
+ author
+ booktitle
+ chapter
+ edition
+ editor
+ howpublished
+ institution
+ journal
+ key
+ month
+ note
+ number
+ organization
+ pages
+ publisher
+ school
+ series
+ title
+ type
+ volume
+ year
+ }
+ {}
+ { label }
+
+INTEGERS { output.state before.all mid.sentence after.sentence after.block }
+
+FUNCTION {init.state.consts}
+{ #0 'before.all :=
+ #1 'mid.sentence :=
+ #2 'after.sentence :=
+ #3 'after.block :=
+}
+
+STRINGS { s t }
+
+FUNCTION {output.nonnull}
+{ 's :=
+ output.state mid.sentence =
+ { ", " * write$ }
+ { output.state after.block =
+ { add.period$ write$
+ newline$
+ "\newblock " write$
+ }
+ { output.state before.all =
+ 'write$
+ { add.period$ " " * write$ }
+ if$
+ }
+ if$
+ mid.sentence 'output.state :=
+ }
+ if$
+ s
+}
+
+FUNCTION {output}
+{ duplicate$ empty$
+ 'pop$
+ 'output.nonnull
+ if$
+}
+
+FUNCTION {output.check}
+{ 't :=
+ duplicate$ empty$
+ { pop$ "empty " t * " in " * cite$ * warning$ }
+ 'output.nonnull
+ if$
+}
+
+FUNCTION {output.bibitem}
+{ newline$
+ "\bibitem{" write$
+ cite$ write$
+ "}" write$
+ newline$
+ ""
+ before.all 'output.state :=
+}
+
+FUNCTION {fin.entry}
+{ add.period$
+ write$
+ newline$
+}
+
+FUNCTION {new.block}
+{ output.state before.all =
+ 'skip$
+ { after.block 'output.state := }
+ if$
+}
+
+FUNCTION {new.sentence}
+{ output.state after.block =
+ 'skip$
+ { output.state before.all =
+ 'skip$
+ { after.sentence 'output.state := }
+ if$
+ }
+ if$
+}
+
+FUNCTION {not}
+{ { #0 }
+ { #1 }
+ if$
+}
+
+FUNCTION {and}
+{ 'skip$
+ { pop$ #0 }
+ if$
+}
+
+FUNCTION {or}
+{ { pop$ #1 }
+ 'skip$
+ if$
+}
+
+FUNCTION {new.block.checka}
+{ empty$
+ 'skip$
+ 'new.block
+ if$
+}
+
+FUNCTION {new.block.checkb}
+{ empty$
+ swap$ empty$
+ and
+ 'skip$
+ 'new.block
+ if$
+}
+
+FUNCTION {new.sentence.checka}
+{ empty$
+ 'skip$
+ 'new.sentence
+ if$
+}
+
+FUNCTION {new.sentence.checkb}
+{ empty$
+ swap$ empty$
+ and
+ 'skip$
+ 'new.sentence
+ if$
+}
+
+FUNCTION {field.or.null}
+{ duplicate$ empty$
+ { pop$ "" }
+ 'skip$
+ if$
+}
+
+FUNCTION {emphasize}
+{ duplicate$ empty$
+ { pop$ "" }
+ { "{\em " swap$ * "}" * }
+ if$
+}
+
+INTEGERS { nameptr namesleft numnames }
+
+FUNCTION {format.names}
+{ 's :=
+ #1 'nameptr :=
+ s num.names$ 'numnames :=
+ numnames 'namesleft :=
+ { namesleft #0 > }
+ { s nameptr "{f.~}{vv~}{ll}{, jj}" format.name$ 't :=
+ nameptr #1 >
+ { namesleft #1 >
+ { ", " * t * }
+ { numnames #2 >
+ { "," * }
+ 'skip$
+ if$
+ t "others" =
+ { " et~al." * }
+ { " and " * t * }
+ if$
+ }
+ if$
+ }
+ 't
+ if$
+ nameptr #1 + 'nameptr :=
+
+ namesleft #1 - 'namesleft :=
+ }
+ while$
+}
+
+FUNCTION {format.authors}
+{ author empty$
+ { "" }
+ { author format.names }
+ if$
+}
+
+FUNCTION {format.editors}
+{ editor empty$
+ { "" }
+ { editor format.names
+ editor num.names$ #1 >
+ { ", editors" * }
+ { ", editor" * }
+ if$
+ }
+ if$
+}
+
+FUNCTION {format.title}
+{ title empty$
+ { "" }
+ { title "t" change.case$ }
+ if$
+}
+
+FUNCTION {n.dashify}
+{ 't :=
+ ""
+ { t empty$ not }
+ { t #1 #1 substring$ "-" =
+ { t #1 #2 substring$ "--" = not
+ { "--" *
+ t #2 global.max$ substring$ 't :=
+ }
+ { { t #1 #1 substring$ "-" = }
+ { "-" *
+ t #2 global.max$ substring$ 't :=
+ }
+ while$
+ }
+ if$
+ }
+ { t #1 #1 substring$ *
+ t #2 global.max$ substring$ 't :=
+ }
+ if$
+ }
+ while$
+}
+
+FUNCTION {format.date}
+{ year empty$
+ { month empty$
+ { "" }
+ { "there's a month but no year in " cite$ * warning$
+ month
+ }
+ if$
+ }
+ { month empty$
+ 'year
+ { month " " * year * }
+ if$
+ }
+ if$
+}
+
+FUNCTION {format.btitle}
+{ title emphasize
+}
+
+FUNCTION {tie.or.space.connect}
+{ duplicate$ text.length$ #3 <
+ { "~" }
+ { " " }
+ if$
+ swap$ * *
+}
+
+FUNCTION {either.or.check}
+{ empty$
+ 'pop$
+ { "can't use both " swap$ * " fields in " * cite$ * warning$ }
+ if$
+}
+
+FUNCTION {format.bvolume}
+{ volume empty$
+ { "" }
+ { "volume" volume tie.or.space.connect
+ series empty$
+ 'skip$
+ { " of " * series emphasize * }
+ if$
+ "volume and number" number either.or.check
+ }
+ if$
+}
+
+FUNCTION {format.number.series}
+{ volume empty$
+ { number empty$
+ { series field.or.null }
+ { output.state mid.sentence =
+ { "number" }
+ { "Number" }
+ if$
+ number tie.or.space.connect
+ series empty$
+ { "there's a number but no series in " cite$ * warning$ }
+ { " in " * series * }
+ if$
+ }
+ if$
+ }
+ { "" }
+ if$
+}
+
+FUNCTION {format.edition}
+{ edition empty$
+ { "" }
+ { output.state mid.sentence =
+ { edition "l" change.case$ " edition" * }
+ { edition "t" change.case$ " edition" * }
+ if$
+ }
+ if$
+}
+
+INTEGERS { multiresult }
+
+FUNCTION {multi.page.check}
+{ 't :=
+ #0 'multiresult :=
+ { multiresult not
+ t empty$ not
+ and
+ }
+ { t #1 #1 substring$
+ duplicate$ "-" =
+ swap$ duplicate$ "," =
+ swap$ "+" =
+ or or
+ { #1 'multiresult := }
+ { t #2 global.max$ substring$ 't := }
+ if$
+ }
+ while$
+ multiresult
+}
+
+FUNCTION {format.pages}
+{ pages empty$
+ { "" }
+ { pages multi.page.check
+ { "pages" pages n.dashify tie.or.space.connect }
+ { "page" pages tie.or.space.connect }
+ if$
+ }
+ if$
+}
+
+FUNCTION {format.vol.num.pages}
+{ volume field.or.null
+ number empty$
+ 'skip$
+ { "(" number * ")" * *
+ volume empty$
+ { "there's a number but no volume in " cite$ * warning$ }
+ 'skip$
+ if$
+ }
+ if$
+ pages empty$
+ 'skip$
+ { duplicate$ empty$
+ { pop$ format.pages }
+ { ":" * pages n.dashify * }
+ if$
+ }
+ if$
+}
+
+FUNCTION {format.chapter.pages}
+{ chapter empty$
+ 'format.pages
+ { type empty$
+ { "chapter" }
+ { type "l" change.case$ }
+ if$
+ chapter tie.or.space.connect
+ pages empty$
+ 'skip$
+ { ", " * format.pages * }
+ if$
+ }
+ if$
+}
+
+FUNCTION {format.in.ed.booktitle}
+{ booktitle empty$
+ { "" }
+ { editor empty$
+ { "In " booktitle emphasize * }
+ { "In " format.editors * ", " * booktitle emphasize * }
+ if$
+ }
+ if$
+}
+
+FUNCTION {empty.misc.check}
+
+{ author empty$ title empty$ howpublished empty$
+ month empty$ year empty$ note empty$
+ and and and and and
+ key empty$ not and
+ { "all relevant fields are empty in " cite$ * warning$ }
+ 'skip$
+ if$
+}
+
+FUNCTION {format.thesis.type}
+{ type empty$
+ 'skip$
+ { pop$
+ type "t" change.case$
+ }
+ if$
+}
+
+FUNCTION {format.tr.number}
+{ type empty$
+ { "Technical Report" }
+ 'type
+ if$
+ number empty$
+ { "t" change.case$ }
+ { number tie.or.space.connect }
+ if$
+}
+
+FUNCTION {format.article.crossref}
+{ key empty$
+ { journal empty$
+ { "need key or journal for " cite$ * " to crossref " * crossref *
+ warning$
+ ""
+ }
+ { "In {\em " journal * "\/}" * }
+ if$
+ }
+ { "In " key * }
+ if$
+ " \cite{" * crossref * "}" *
+}
+
+FUNCTION {format.crossref.editor}
+{ editor #1 "{vv~}{ll}" format.name$
+ editor num.names$ duplicate$
+ #2 >
+ { pop$ " et~al." * }
+ { #2 <
+ 'skip$
+ { editor #2 "{ff }{vv }{ll}{ jj}" format.name$ "others" =
+ { " et~al." * }
+ { " and " * editor #2 "{vv~}{ll}" format.name$ * }
+ if$
+ }
+ if$
+ }
+ if$
+}
+
+FUNCTION {format.book.crossref}
+{ volume empty$
+ { "empty volume in " cite$ * "'s crossref of " * crossref * warning$
+ "In "
+ }
+ { "Volume" volume tie.or.space.connect
+ " of " *
+ }
+ if$
+ editor empty$
+ editor field.or.null author field.or.null =
+ or
+ { key empty$
+ { series empty$
+ { "need editor, key, or series for " cite$ * " to crossref " *
+ crossref * warning$
+ "" *
+ }
+ { "{\em " * series * "\/}" * }
+ if$
+ }
+ { key * }
+ if$
+ }
+ { format.crossref.editor * }
+ if$
+ " \cite{" * crossref * "}" *
+}
+
+FUNCTION {format.incoll.inproc.crossref}
+{ editor empty$
+ editor field.or.null author field.or.null =
+ or
+ { key empty$
+ { booktitle empty$
+ { "need editor, key, or booktitle for " cite$ * " to crossref " *
+ crossref * warning$
+ ""
+ }
+ { "In {\em " booktitle * "\/}" * }
+ if$
+ }
+ { "In " key * }
+ if$
+ }
+ { "In " format.crossref.editor * }
+ if$
+ " \cite{" * crossref * "}" *
+}
+
+FUNCTION {article}
+{ output.bibitem
+ format.authors "author" output.check
+ new.block
+ format.title "title" output.check
+ new.block
+ crossref missing$
+ { journal emphasize "journal" output.check
+ format.vol.num.pages output
+ format.date "year" output.check
+ }
+ { format.article.crossref output.nonnull
+ format.pages output
+ }
+ if$
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {book}
+{ output.bibitem
+ author empty$
+ { format.editors "author and editor" output.check }
+ { format.authors output.nonnull
+ crossref missing$
+ { "author and editor" editor either.or.check }
+ 'skip$
+ if$
+ }
+ if$
+ new.block
+ format.btitle "title" output.check
+ crossref missing$
+ { format.bvolume output
+ new.block
+ format.number.series output
+ new.sentence
+ publisher "publisher" output.check
+ address output
+ }
+ { new.block
+ format.book.crossref output.nonnull
+ }
+ if$
+ format.edition output
+ format.date "year" output.check
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {booklet}
+{ output.bibitem
+ format.authors output
+ new.block
+ format.title "title" output.check
+ howpublished address new.block.checkb
+ howpublished output
+ address output
+ format.date output
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {inbook}
+{ output.bibitem
+ author empty$
+ { format.editors "author and editor" output.check }
+ { format.authors output.nonnull
+
+ crossref missing$
+ { "author and editor" editor either.or.check }
+ 'skip$
+ if$
+ }
+ if$
+ new.block
+ format.btitle "title" output.check
+ crossref missing$
+ { format.bvolume output
+ format.chapter.pages "chapter and pages" output.check
+ new.block
+ format.number.series output
+ new.sentence
+ publisher "publisher" output.check
+ address output
+ }
+ { format.chapter.pages "chapter and pages" output.check
+ new.block
+ format.book.crossref output.nonnull
+ }
+ if$
+ format.edition output
+ format.date "year" output.check
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {incollection}
+{ output.bibitem
+ format.authors "author" output.check
+ new.block
+ format.title "title" output.check
+ new.block
+ crossref missing$
+ { format.in.ed.booktitle "booktitle" output.check
+ format.bvolume output
+ format.number.series output
+ format.chapter.pages output
+ new.sentence
+ publisher "publisher" output.check
+ address output
+ format.edition output
+ format.date "year" output.check
+ }
+ { format.incoll.inproc.crossref output.nonnull
+ format.chapter.pages output
+ }
+ if$
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {inproceedings}
+{ output.bibitem
+ format.authors "author" output.check
+ new.block
+ format.title "title" output.check
+ new.block
+ crossref missing$
+ { format.in.ed.booktitle "booktitle" output.check
+ format.bvolume output
+ format.number.series output
+ format.pages output
+ address empty$
+ { organization publisher new.sentence.checkb
+ organization output
+ publisher output
+ format.date "year" output.check
+ }
+ { address output.nonnull
+ format.date "year" output.check
+ new.sentence
+ organization output
+ publisher output
+ }
+ if$
+ }
+ { format.incoll.inproc.crossref output.nonnull
+ format.pages output
+ }
+ if$
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {conference} { inproceedings }
+
+FUNCTION {manual}
+{ output.bibitem
+ author empty$
+ { organization empty$
+ 'skip$
+ { organization output.nonnull
+ address output
+ }
+ if$
+ }
+ { format.authors output.nonnull }
+ if$
+ new.block
+ format.btitle "title" output.check
+ author empty$
+ { organization empty$
+ { address new.block.checka
+ address output
+ }
+ 'skip$
+ if$
+ }
+ { organization address new.block.checkb
+ organization output
+ address output
+ }
+ if$
+ format.edition output
+ format.date output
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {mastersthesis}
+{ output.bibitem
+ format.authors "author" output.check
+ new.block
+ format.title "title" output.check
+ new.block
+ "Master's thesis" format.thesis.type output.nonnull
+ school "school" output.check
+ address output
+ format.date "year" output.check
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {misc}
+{ output.bibitem
+ format.authors output
+ title howpublished new.block.checkb
+ format.title output
+ howpublished new.block.checka
+ howpublished output
+ format.date output
+ new.block
+ note output
+ fin.entry
+ empty.misc.check
+}
+
+FUNCTION {phdthesis}
+{ output.bibitem
+ format.authors "author" output.check
+ new.block
+ format.btitle "title" output.check
+ new.block
+ "PhD thesis" format.thesis.type output.nonnull
+ school "school" output.check
+ address output
+ format.date "year" output.check
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {proceedings}
+{ output.bibitem
+ editor empty$
+ { organization output }
+ { format.editors output.nonnull }
+
+ if$
+ new.block
+ format.btitle "title" output.check
+ format.bvolume output
+ format.number.series output
+ address empty$
+ { editor empty$
+ { publisher new.sentence.checka }
+ { organization publisher new.sentence.checkb
+ organization output
+ }
+ if$
+ publisher output
+ format.date "year" output.check
+ }
+ { address output.nonnull
+ format.date "year" output.check
+ new.sentence
+ editor empty$
+ 'skip$
+ { organization output }
+ if$
+ publisher output
+ }
+ if$
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {techreport}
+{ output.bibitem
+ format.authors "author" output.check
+ new.block
+ format.title "title" output.check
+ new.block
+ format.tr.number output.nonnull
+ institution "institution" output.check
+ address output
+ format.date "year" output.check
+ new.block
+ note output
+ fin.entry
+}
+
+FUNCTION {unpublished}
+{ output.bibitem
+ format.authors "author" output.check
+ new.block
+ format.title "title" output.check
+ new.block
+ note "note" output.check
+ format.date output
+ fin.entry
+}
+
+FUNCTION {default.type} { misc }
+
+MACRO {jan} {"Jan."}
+
+MACRO {feb} {"Feb."}
+
+MACRO {mar} {"Mar."}
+
+MACRO {apr} {"Apr."}
+
+MACRO {may} {"May"}
+
+MACRO {jun} {"June"}
+
+MACRO {jul} {"July"}
+
+MACRO {aug} {"Aug."}
+
+MACRO {sep} {"Sept."}
+
+MACRO {oct} {"Oct."}
+
+MACRO {nov} {"Nov."}
+
+MACRO {dec} {"Dec."}
+
+MACRO {acmcs} {"ACM Comput. Surv."}
+
+MACRO {acta} {"Acta Inf."}
+
+MACRO {cacm} {"Commun. ACM"}
+
+MACRO {ibmjrd} {"IBM J. Res. Dev."}
+
+MACRO {ibmsj} {"IBM Syst.~J."}
+
+MACRO {ieeese} {"IEEE Trans. Softw. Eng."}
+
+MACRO {ieeetc} {"IEEE Trans. Comput."}
+
+MACRO {ieeetcad}
+ {"IEEE Trans. Comput.-Aided Design Integrated Circuits"}
+
+MACRO {ipl} {"Inf. Process. Lett."}
+
+MACRO {jacm} {"J.~ACM"}
+
+MACRO {jcss} {"J.~Comput. Syst. Sci."}
+
+MACRO {scp} {"Sci. Comput. Programming"}
+
+MACRO {sicomp} {"SIAM J. Comput."}
+
+MACRO {tocs} {"ACM Trans. Comput. Syst."}
+
+MACRO {tods} {"ACM Trans. Database Syst."}
+
+MACRO {tog} {"ACM Trans. Gr."}
+
+MACRO {toms} {"ACM Trans. Math. Softw."}
+
+MACRO {toois} {"ACM Trans. Office Inf. Syst."}
+
+MACRO {toplas} {"ACM Trans. Prog. Lang. Syst."}
+
+MACRO {tcs} {"Theoretical Comput. Sci."}
+
+READ
+
+FUNCTION {sortify}
+{ purify$
+ "l" change.case$
+}
+
+INTEGERS { len }
+
+FUNCTION {chop.word}
+{ 's :=
+ 'len :=
+ s #1 len substring$ =
+ { s len #1 + global.max$ substring$ }
+ 's
+ if$
+}
+
+FUNCTION {sort.format.names}
+{ 's :=
+ #1 'nameptr :=
+ ""
+ s num.names$ 'numnames :=
+ numnames 'namesleft :=
+ { namesleft #0 > }
+ { nameptr #1 >
+ { " " * }
+ 'skip$
+ if$
+ s nameptr "{vv{ } }{ll{ }}{ f{ }}{ jj{ }}" format.name$ 't :=
+ nameptr numnames = t "others" = and
+ { "et al" * }
+ { t sortify * }
+ if$
+ nameptr #1 + 'nameptr :=
+ namesleft #1 - 'namesleft :=
+ }
+ while$
+}
+
+FUNCTION {sort.format.title}
+{ 't :=
+ "A " #2
+ "An " #3
+ "The " #4 t chop.word
+ chop.word
+ chop.word
+ sortify
+ #1 global.max$ substring$
+}
+
+FUNCTION {author.sort}
+{ author empty$
+ { key empty$
+ { "to sort, need author or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { author sort.format.names }
+ if$
+}
+
+FUNCTION {author.editor.sort}
+{ author empty$
+ { editor empty$
+ { key empty$
+ { "to sort, need author, editor, or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { editor sort.format.names }
+ if$
+ }
+ { author sort.format.names }
+ if$
+}
+
+FUNCTION {author.organization.sort}
+{ author empty$
+
+ { organization empty$
+ { key empty$
+ { "to sort, need author, organization, or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { "The " #4 organization chop.word sortify }
+ if$
+ }
+ { author sort.format.names }
+ if$
+}
+
+FUNCTION {editor.organization.sort}
+{ editor empty$
+ { organization empty$
+ { key empty$
+ { "to sort, need editor, organization, or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { "The " #4 organization chop.word sortify }
+ if$
+ }
+ { editor sort.format.names }
+ if$
+}
+
+FUNCTION {presort}
+{ type$ "book" =
+ type$ "inbook" =
+ or
+ 'author.editor.sort
+ { type$ "proceedings" =
+ 'editor.organization.sort
+ { type$ "manual" =
+ 'author.organization.sort
+ 'author.sort
+ if$
+ }
+ if$
+ }
+ if$
+ " "
+ *
+ year field.or.null sortify
+ *
+ " "
+ *
+ title field.or.null
+ sort.format.title
+ *
+ #1 entry.max$ substring$
+ 'sort.key$ :=
+}
+
+ITERATE {presort}
+
+SORT
+
+STRINGS { longest.label }
+
+INTEGERS { number.label longest.label.width }
+
+FUNCTION {initialize.longest.label}
+{ "" 'longest.label :=
+ #1 'number.label :=
+ #0 'longest.label.width :=
+}
+
+FUNCTION {longest.label.pass}
+{ number.label int.to.str$ 'label :=
+ number.label #1 + 'number.label :=
+ label width$ longest.label.width >
+ { label 'longest.label :=
+ label width$ 'longest.label.width :=
+ }
+ 'skip$
+ if$
+}
+
+EXECUTE {initialize.longest.label}
+
+ITERATE {longest.label.pass}
+
+FUNCTION {begin.bib}
+{ preamble$ empty$
+ 'skip$
+ { preamble$ write$ newline$ }
+ if$
+ "\begin{thebibliography}{" longest.label *
+ "}\setlength{\itemsep}{-1ex}\small" * write$ newline$
+}
+
+EXECUTE {begin.bib}
+
+EXECUTE {init.state.consts}
+
+ITERATE {call.type$}
+
+FUNCTION {end.bib}
+{ newline$
+ "\end{thebibliography}" write$ newline$
+}
+
+EXECUTE {end.bib}
+
+% end of file latex8.bst
+% ---------------------------------------------------------------
+
+
+
diff --git a/doc/design-paper/tor-design.bib b/doc/design-paper/tor-design.bib
new file mode 100644
index 0000000000..cf60f2cd22
--- /dev/null
+++ b/doc/design-paper/tor-design.bib
@@ -0,0 +1,1093 @@
+
+% fix me
+@misc{tannenbaum96,
+ author = "Andrew Tannenbaum",
+ title = "Computer Networks",
+ year = "1996",
+ publisher = "Prentice Hall, 3rd edition",
+}
+
+@article{ meadows96,
+ author = "Catherine Meadows",
+ title = "The {NRL} Protocol Analyzer: An Overview",
+ journal = "Journal of Logic Programming",
+ volume = "26",
+ number = "2",
+ pages = "113--131",
+ year = "1996",
+}
+@inproceedings{kesdogan:pet2002,
+ title = {Unobservable Surfing on the World Wide Web: Is Private Information Retrieval an
+ alternative to the MIX based Approach?},
+ author = {Dogan Kesdogan and Mark Borning and Michael Schmeink},
+ booktitle = {Privacy Enhancing Technologies (PET 2002)},
+ year = {2002},
+ month = {April},
+ editor = {Roger Dingledine and Paul Syverson},
+ publisher = {Springer-Verlag, LNCS 2482},
+}
+
+@inproceedings{statistical-disclosure,
+ title = {Statistical Disclosure Attacks},
+ author = {George Danezis},
+ booktitle = {Security and Privacy in the Age of Uncertainty ({SEC2003})},
+ organization = {{IFIP TC11}},
+ year = {2003},
+ month = {May},
+ address = {Athens},
+ pages = {421--426},
+ publisher = {Kluwer},
+}
+
+@inproceedings{limits-open,
+ title = {Limits of Anonymity in Open Environments},
+ author = {Dogan Kesdogan and Dakshi Agrawal and Stefan Penz},
+ booktitle = {Information Hiding Workshop (IH 2002)},
+ year = {2002},
+ month = {October},
+ editor = {Fabien Petitcolas},
+ publisher = {Springer-Verlag, LNCS 2578},
+}
+
+@inproceedings{isdn-mixes,
+ title = {{ISDN-mixes: Untraceable communication with very small bandwidth overhead}},
+ author = {Andreas Pfitzmann and Birgit Pfitzmann and Michael Waidner},
+ booktitle = {GI/ITG Conference on Communication in Distributed Systems},
+ year = {1991},
+ month = {February},
+ pages = {451-463},
+}
+
+
+@Article{jerichow-jsac98,
+ author = {Anja Jerichow and Jan M\"{u}ller and Andreas
+ Pfitzmann and Birgit Pfitzmann and Michael Waidner},
+ title = {Real-Time Mixes: A Bandwidth-Efficient Anonymity Protocol},
+ journal = {IEEE Journal on Selected Areas in Communications},
+ year = 1998,
+ volume = 16,
+ number = 4,
+ pages = {495--509},
+ month = {May}
+}
+
+@inproceedings{tarzan:ccs02,
+ title = {Tarzan: A Peer-to-Peer Anonymizing Network Layer},
+ author = {Michael J. Freedman and Robert Morris},
+ booktitle = {9th {ACM} {C}onference on {C}omputer and {C}ommunications
+ {S}ecurity ({CCS 2002})},
+ year = {2002},
+ month = {November},
+ address = {Washington, DC},
+}
+
+@inproceedings{cebolla,
+ title = {{Cebolla: Pragmatic IP Anonymity}},
+ author = {Zach Brown},
+ booktitle = {Ottawa Linux Symposium},
+ year = {2002},
+ month = {June},
+}
+
+@inproceedings{eax,
+ author = "M. Bellare and P. Rogaway and D. Wagner",
+ title = {The {EAX} Mode of Operation: A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and Efficiency},
+ booktitle = {Fast Software Encryption 2004},
+ month = {February},
+ year = {2004},
+}
+
+@misc{darkside,
+ title = {{The Dark Side of the Web: An Open Proxy's View}},
+ author = {Vivek S. Pai and Limin Wang and KyoungSoo Park and Ruoming Pang and Larry Peterson},
+ note = {\newline \url{http://codeen.cs.princeton.edu/}},
+}
+% note = {Submitted to HotNets-II. \url{http://codeen.cs.princeton.edu/}},
+
+@Misc{anonymizer,
+ key = {anonymizer},
+ title = {The {Anonymizer}},
+ note = {\url{http://anonymizer.com/}}
+}
+
+@Misc{privoxy,
+ key = {privoxy},
+ title = {{Privoxy}},
+ note = {\url{http://www.privoxy.org/}}
+}
+
+@inproceedings{anonnet,
+ title = {{Analysis of an Anonymity Network for Web Browsing}},
+ author = {Marc Rennhard and Sandro Rafaeli and Laurent Mathy and Bernhard Plattner and
+ David Hutchison},
+ booktitle = {{IEEE 7th Intl. Workshop on Enterprise Security (WET ICE
+ 2002)}},
+ year = {2002},
+ month = {June},
+ address = {Pittsburgh, USA},
+}
+% pages = {49--54},
+
+@inproceedings{econymics,
+ title = {On the Economics of Anonymity},
+ author = {Alessandro Acquisti and Roger Dingledine and Paul Syverson},
+ booktitle = {Financial Cryptography},
+ year = {2003},
+ editor = {Rebecca N. Wright},
+ publisher = {Springer-Verlag, LNCS 2742},
+}
+
+@inproceedings{defensive-dropping,
+ title = {Timing Analysis in Low-Latency Mix-Based Systems},
+ author = {Brian N. Levine and Michael K. Reiter and Chenxi Wang and Matthew Wright},
+ booktitle = {Financial Cryptography},
+ year = {2004},
+ editor = {Ari Juels},
+ publisher = {Springer-Verlag, LNCS (forthcoming)},
+}
+
+@inproceedings{morphmix:fc04,
+ title = {Practical Anonymity for the Masses with MorphMix},
+ author = {Marc Rennhard and Bernhard Plattner},
+ booktitle = {Financial Cryptography},
+ year = {2004},
+ editor = {Ari Juels},
+ publisher = {Springer-Verlag, LNCS (forthcoming)},
+}
+
+@inproceedings{eternity,
+ title = {The Eternity Service},
+ author = {Ross Anderson},
+ booktitle = {Pragocrypt '96},
+ year = {1996},
+}
+ %note = {\url{http://www.cl.cam.ac.uk/users/rja14/eternity/eternity.html}},
+
+
+@inproceedings{minion-design,
+ title = {Mixminion: Design of a Type {III} Anonymous Remailer Protocol},
+ author = {George Danezis and Roger Dingledine and Nick Mathewson},
+ booktitle = {2003 IEEE Symposium on Security and Privacy},
+ year = {2003},
+ month = {May},
+ publisher = {IEEE CS},
+ pages = {2--15},
+}
+ %note = {\url{http://mixminion.net/minion-design.pdf}},
+
+@inproceedings{ rao-pseudonymity,
+ author = "Josyula R. Rao and Pankaj Rohatgi",
+ title = "Can Pseudonymity Really Guarantee Privacy?",
+ booktitle = "Proceedings of the Ninth USENIX Security Symposium",
+ year = {2000},
+ month = Aug,
+ publisher = {USENIX},
+ pages = "85--96",
+}
+ %note = {\url{http://www.usenix.org/publications/library/proceedings/sec2000/
+%full_papers/rao/rao.pdf}},
+
+@InProceedings{pfitzmann90how,
+ author = "Birgit Pfitzmann and Andreas Pfitzmann",
+ title = "How to Break the Direct {RSA}-Implementation of {MIXes}",
+ booktitle = {Eurocrypt 89},
+ publisher = {Springer-Verlag, LNCS 434},
+ year = {1990},
+ note = {\url{http://citeseer.nj.nec.com/pfitzmann90how.html}},
+}
+
+@Misc{tor-spec,
+ author = {Roger Dingledine and Nick Mathewson},
+ title = {Tor Protocol Specifications},
+ note = {\url{http://freehaven.net/tor/tor-spec.txt}},
+}
+
+@InProceedings{BM:mixencrypt,
+ author = {M{\"o}ller, Bodo},
+ title = {Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes},
+ booktitle = {{CT-RSA} 2003},
+ publisher = {Springer-Verlag, LNCS 2612},
+ year = 2003,
+}
+
+@InProceedings{back01,
+ author = {Adam Back and Ulf M\"oller and Anton Stiglic},
+ title = {Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems},
+ booktitle = {Information Hiding (IH 2001)},
+ pages = {245--257},
+ year = 2001,
+ editor = {Ira S. Moskowitz},
+ publisher = {Springer-Verlag, LNCS 2137},
+}
+ %note = {\newline \url{http://www.cypherspace.org/adam/pubs/traffic.pdf}},
+
+@InProceedings{rackoff93cryptographic,
+ author = {Charles Rackoff and Daniel R. Simon},
+ title = {Cryptographic Defense Against Traffic Analysis},
+ booktitle = {{ACM} Symposium on Theory of Computing},
+ pages = {672--681},
+ year = {1993},
+}
+ %note = {\url{http://research.microsoft.com/crypto/dansimon/me.htm}},
+
+@InProceedings{freehaven-berk,
+ author = {Roger Dingledine and Michael J. Freedman and David Molnar},
+ title = {The Free Haven Project: Distributed Anonymous Storage Service},
+ booktitle = {Designing Privacy Enhancing Technologies: Workshop
+ on Design Issue in Anonymity and Unobservability},
+ year = {2000},
+ month = {July},
+ editor = {H. Federrath},
+ publisher = {Springer-Verlag, LNCS 2009},
+}
+ %note = {\url{http://freehaven.net/papers.html}},
+
+@InProceedings{raymond00,
+ author = {J. F. Raymond},
+ title = {{Traffic Analysis: Protocols, Attacks, Design Issues,
+ and Open Problems}},
+ booktitle = {Designing Privacy Enhancing Technologies: Workshop
+ on Design Issue in Anonymity and Unobservability},
+ year = 2000,
+ month = {July},
+ pages = {10-29},
+ editor = {H. Federrath},
+ publisher = {Springer-Verlag, LNCS 2009},
+}
+
+@InProceedings{sybil,
+ author = "John Douceur",
+ title = {{The Sybil Attack}},
+ booktitle = "Proceedings of the 1st International Peer To Peer Systems Workshop (IPTPS)",
+ month = Mar,
+ year = 2002,
+}
+
+@InProceedings{trickle02,
+ author = {Andrei Serjantov and Roger Dingledine and Paul Syverson},
+ title = {From a Trickle to a Flood: Active Attacks on Several
+ Mix Types},
+ booktitle = {Information Hiding (IH 2002)},
+ year = {2002},
+ editor = {Fabien Petitcolas},
+ publisher = {Springer-Verlag, LNCS 2578},
+}
+
+@InProceedings{langos02,
+ author = {Oliver Berthold and Heinrich Langos},
+ title = {Dummy Traffic Against Long Term Intersection Attacks},
+ booktitle = {Privacy Enhancing Technologies (PET 2002)},
+ year = {2002},
+ editor = {Roger Dingledine and Paul Syverson},
+ publisher = {Springer-Verlag, LNCS 2482}
+}
+
+
+@InProceedings{hintz-pet02,
+ author = {Andrew Hintz},
+ title = {Fingerprinting Websites Using Traffic Analysis},
+ booktitle = {Privacy Enhancing Technologies (PET 2002)},
+ pages = {171--178},
+ year = 2002,
+ editor = {Roger Dingledine and Paul Syverson},
+ publisher = {Springer-Verlag, LNCS 2482}
+}
+
+@InProceedings{or-discex00,
+ author = {Paul Syverson and Michael Reed and David Goldschlag},
+ title = {{O}nion {R}outing Access Configurations},
+ booktitle = {DARPA Information Survivability Conference and
+ Exposition (DISCEX 2000)},
+ year = {2000},
+ publisher = {IEEE CS Press},
+ pages = {34--40},
+ volume = {1},
+}
+ %note = {\newline \url{http://www.onion-router.net/Publications.html}},
+
+@Inproceedings{or-pet00,
+ title = {{Towards an Analysis of Onion Routing Security}},
+ author = {Paul Syverson and Gene Tsudik and Michael Reed and
+ Carl Landwehr},
+ booktitle = {Designing Privacy Enhancing Technologies: Workshop
+ on Design Issue in Anonymity and Unobservability},
+ year = 2000,
+ month = {July},
+ pages = {96--114},
+ editor = {H. Federrath},
+ publisher = {Springer-Verlag, LNCS 2009},
+}
+ %note = {\url{http://www.onion-router.net/Publications/WDIAU-2000.ps.gz}},
+
+@Inproceedings{freenet-pets00,
+ title = {Freenet: A Distributed Anonymous Information Storage
+ and Retrieval System},
+ author = {Ian Clarke and Oskar Sandberg and Brandon Wiley and
+ Theodore W. Hong},
+ booktitle = {Designing Privacy Enhancing Technologies: Workshop
+ on Design Issue in Anonymity and Unobservability},
+ year = 2000,
+ month = {July},
+ pages = {46--66},
+ editor = {H. Federrath},
+ publisher = {Springer-Verlag, LNCS 2009},
+}
+ %note = {\url{http://citeseer.nj.nec.com/clarke00freenet.html}},
+
+@InProceedings{or-ih96,
+ author = {David M. Goldschlag and Michael G. Reed and Paul
+ F. Syverson},
+ title = {Hiding Routing Information},
+ booktitle = {Information Hiding, First International Workshop},
+ pages = {137--150},
+ year = 1996,
+ editor = {R. Anderson},
+ month = {May},
+ publisher = {Springer-Verlag, LNCS 1174},
+}
+
+@InProceedings{federrath-ih96,
+ author = {Hannes Federrath and Anja Jerichow and Andreas Pfitzmann},
+ title = {{MIXes} in Mobile Communication Systems: Location
+ Management with Privacy},
+ booktitle = {Information Hiding, First International Workshop},
+ pages = {121--135},
+ year = 1996,
+ editor = {R. Anderson},
+ month = {May},
+ publisher = {Springer-Verlag, LNCS 1174},
+}
+
+
+@InProceedings{reed-protocols97,
+ author = {Michael G. Reed and Paul F. Syverson and David
+ M. Goldschlag},
+ title = {Protocols Using Anonymous Connections: Mobile Applications},
+ booktitle = {Security Protocols: 5th International Workshop},
+ pages = {13--23},
+ year = 1997,
+ editor = {Bruce Christianson and Bruno Crispo and Mark Lomas
+ and Michael Roe},
+ month = {April},
+ publisher = {Springer-Verlag, LNCS 1361}
+}
+
+
+
+@Article{or-jsac98,
+ author = {Michael G. Reed and Paul F. Syverson and David
+ M. Goldschlag},
+ title = {Anonymous Connections and Onion Routing},
+ journal = {IEEE Journal on Selected Areas in Communications},
+ year = 1998,
+ volume = 16,
+ number = 4,
+ pages = {482--494},
+ month = {May},
+}
+ %note = {\url{http://www.onion-router.net/Publications/JSAC-1998.ps.gz}}
+
+@Misc{TLS,
+ author = {T. Dierks and C. Allen},
+ title = {The {TLS} {P}rotocol --- {V}ersion 1.0},
+ howpublished = {IETF RFC 2246},
+ month = {January},
+ year = {1999},
+}
+%note = {\url{http://www.rfc-editor.org/rfc/rfc2246.txt}},
+
+@Misc{SMTP,
+ author = {J. Postel},
+ title = {Simple {M}ail {T}ransfer {P}rotocol},
+ howpublished = {IETF RFC 2821 (also STD0010)},
+ month = {April},
+ year = {2001},
+ note = {\url{http://www.rfc-editor.org/rfc/rfc2821.txt}},
+}
+
+@Misc{IMAP,
+ author = {M. Crispin},
+ title = {Internet {M}essage {A}ccess {P}rotocol --- {V}ersion 4rev1},
+ howpublished = {IETF RFC 2060},
+ month = {December},
+ year = {1996},
+ note = {\url{http://www.rfc-editor.org/rfc/rfc2060.txt}},
+}
+
+@misc{pipenet,
+ title = {PipeNet 1.1},
+ author = {Wei Dai},
+ year = 1996,
+ month = {August},
+ howpublished = {Usenet post},
+ note = {\url{http://www.eskimo.com/~weidai/pipenet.txt} First mentioned
+ in a post to the cypherpunks list, Feb.\ 1995.},
+}
+
+
+@Misc{POP3,
+ author = {J. Myers and M. Rose},
+ title = {Post {O}ffice {P}rotocol --- {V}ersion 3},
+ howpublished = {IETF RFC 1939 (also STD0053)},
+ month = {May},
+ year = {1996},
+ note = {\url{http://www.rfc-editor.org/rfc/rfc1939.txt}},
+}
+
+
+@InProceedings{shuffle,
+ author = {C. Andrew Neff},
+ title = {A Verifiable Secret Shuffle and its Application to E-Voting},
+ booktitle = {8th ACM Conference on Computer and Communications
+ Security (CCS-8)},
+ pages = {116--125},
+ year = 2001,
+ editor = {P. Samarati},
+ month = {November},
+ publisher = {ACM Press},
+}
+ %note = {\url{http://www.votehere.net/ada_compliant/ourtechnology/
+ % technicaldocs/shuffle.pdf}},
+
+@InProceedings{dolev91,
+ author = {Danny Dolev and Cynthia Dwork and Moni Naor},
+ title = {Non-Malleable Cryptography},
+ booktitle = {23rd ACM Symposium on the Theory of Computing (STOC)},
+ pages = {542--552},
+ year = 1991,
+ note = {Updated version at
+ \url{http://citeseer.nj.nec.com/dolev00nonmalleable.html}},
+}
+
+@TechReport{rsw96,
+ author = {Ronald L. Rivest and Adi Shamir and David A. Wagner},
+ title = {Time-lock puzzles and timed-release Crypto},
+ year = 1996,
+ type = {MIT LCS technical memo},
+ number = {MIT/LCS/TR-684},
+ month = {February},
+ note = {\newline \url{http://citeseer.nj.nec.com/rivest96timelock.html}},
+}
+
+@InProceedings{web-mix,
+ author = {Oliver Berthold and Hannes Federrath and Stefan K\"opsell},
+ title = {Web {MIX}es: A system for anonymous and unobservable
+ {I}nternet access},
+ booktitle = {Designing Privacy Enhancing Technologies: Workshop
+ on Design Issue in Anonymity and Unobservability},
+ editor = {H. Federrath},
+ publisher = {Springer-Verlag, LNCS 2009},
+ year = {2000},
+}
+% pages = {115--129},
+
+@InProceedings{disad-free-routes,
+ author = {Oliver Berthold and Andreas Pfitzmann and Ronny Standtke},
+ title = {The disadvantages of free {MIX} routes and how to overcome
+ them},
+ booktitle = {Designing Privacy Enhancing Technologies: Workshop
+ on Design Issue in Anonymity and Unobservability},
+ pages = {30--45},
+ year = 2000,
+ editor = {H. Federrath},
+ publisher = {Springer-Verlag, LNCS 2009},
+}
+ %note = {\url{http://www.tik.ee.ethz.ch/~weiler/lehre/netsec/Unterlagen/anon/
+ % disadvantages_berthold.pdf}},
+
+@InProceedings{boneh00,
+ author = {Dan Boneh and Moni Naor},
+ title = {Timed Commitments},
+ booktitle = {Advances in Cryptology -- {CRYPTO} 2000},
+ pages = {236--254},
+ year = 2000,
+ publisher = {Springer-Verlag, LNCS 1880},
+ note = {\newline \url{http://crypto.stanford.edu/~dabo/abstracts/timedcommit.html}},
+}
+
+@InProceedings{goldschlag98,
+ author = {David M. Goldschlag and Stuart G. Stubblebine},
+ title = {Publicly Verifiable Lotteries: Applications of
+ Delaying Functions},
+ booktitle = {Financial Cryptography},
+ pages = {214--226},
+ year = 1998,
+ publisher = {Springer-Verlag, LNCS 1465},
+ note = {\newline \url{http://citeseer.nj.nec.com/goldschlag98publicly.html}},
+}
+
+@InProceedings{syverson98,
+ author = {Paul Syverson},
+ title = {Weakly Secret Bit Commitment: Applications to
+ Lotteries and Fair Exchange},
+ booktitle = {Computer Security Foundations Workshop (CSFW11)},
+ pages = {2--13},
+ year = 1998,
+ address = {Rockport Massachusetts},
+ month = {June},
+ publisher = {IEEE CS Press},
+ note = {\newline \url{http://chacs.nrl.navy.mil/publications/CHACS/1998/}},
+}
+
+@Misc{shoup-iso,
+ author = {Victor Shoup},
+ title = {A Proposal for an {ISO} {S}tandard for Public Key Encryption (version 2.1)},
+ note = {Revised December 20, 2001. \url{http://www.shoup.net/papers/}},
+}
+
+@Misc{shoup-oaep,
+ author = {Victor Shoup},
+ title = {{OAEP} Reconsidered},
+ howpublished = {{IACR} e-print 2000/060},
+ note = {\newline \url{http://eprint.iacr.org/2000/060/}},
+}
+
+@Misc{oaep-still-alive,
+ author = {E. Fujisaki and D. Pointcheval and T. Okamoto and J. Stern},
+ title = {{RSA}-{OAEP} is Still Alive!},
+ howpublished = {{IACR} e-print 2000/061},
+ note = {\newline \url{http://eprint.iacr.org/2000/061/}},
+}
+
+@misc{echolot,
+ author = {Peter Palfrader},
+ title = {Echolot: a pinger for anonymous remailers},
+ note = {\url{http://www.palfrader.org/echolot/}},
+}
+
+@Misc{mixmaster-attacks,
+ author = {Lance Cottrell},
+ title = {Mixmaster and Remailer Attacks},
+ note = {\url{http://www.obscura.com/~loki/remailer/remailer-essay.html}},
+}
+
+@Misc{mixmaster-spec,
+ author = {Ulf M{\"o}ller and Lance Cottrell and Peter
+ Palfrader and Len Sassaman},
+ title = {Mixmaster {P}rotocol --- {V}ersion 2},
+ year = {2003},
+ month = {July},
+ howpublished = {Draft},
+ note = {\url{http://www.abditum.com/mixmaster-spec.txt}},
+}
+
+@InProceedings{puzzles-tls,
+ author = "Drew Dean and Adam Stubblefield",
+ title = {{Using Client Puzzles to Protect TLS}},
+ booktitle = "Proceedings of the 10th USENIX Security Symposium",
+ year = {2001},
+ month = Aug,
+ publisher = {USENIX},
+}
+
+@InProceedings{breadpudding,
+ author = {Markus Jakobsson and Ari Juels},
+ title = {Proofs of Work and Bread Pudding Protocols},
+ booktitle = {Proceedings of the IFIP TC6 and TC11 Joint Working
+ Conference on Communications and Multimedia Security
+ (CMS '99)},
+ year = 1999,
+ month = {September},
+ publisher = {Kluwer}
+}
+
+@Misc{hashcash,
+ author = {Adam Back},
+ title = {Hash cash},
+ note = {\newline \url{http://www.cypherspace.org/~adam/hashcash/}},
+}
+
+@InProceedings{oreilly-acc,
+ author = {Roger Dingledine and Michael J. Freedman and David Molnar},
+ title = {Accountability},
+ booktitle = {Peer-to-peer: Harnessing the Benefits of a Disruptive
+ Technology},
+ year = {2001},
+ publisher = {O'Reilly and Associates},
+}
+
+
+@InProceedings{han,
+ author = {Yongfei Han},
+ title = {Investigation of non-repudiation protocols},
+ booktitle = {ACISP '96},
+ year = 1996,
+ publisher = {Springer-Verlag},
+}
+
+
+@Misc{socks5,
+ key = {socks5},
+ title = {{SOCKS} {P}rotocol {V}ersion 5},
+ howpublished= {IETF RFC 1928},
+ month = {March},
+ year = 1996,
+ note = {\url{http://www.ietf.org/rfc/rfc1928.txt}}
+}
+
+@InProceedings{abe,
+ author = {Masayuki Abe},
+ title = {Universally Verifiable {MIX} With Verification Work Independent of
+ The Number of {MIX} Servers},
+ booktitle = {{EUROCRYPT} 1998},
+ year = {1998},
+ publisher = {Springer-Verlag, LNCS 1403},
+}
+
+@InProceedings{desmedt,
+ author = {Yvo Desmedt and Kaoru Kurosawa},
+ title = {How To Break a Practical {MIX} and Design a New One},
+ booktitle = {{EUROCRYPT} 2000},
+ year = {2000},
+ publisher = {Springer-Verlag, LNCS 1803},
+ note = {\url{http://citeseer.nj.nec.com/447709.html}},
+}
+
+@InProceedings{mitkuro,
+ author = {M. Mitomo and K. Kurosawa},
+ title = {{Attack for Flash MIX}},
+ booktitle = {{ASIACRYPT} 2000},
+ year = {2000},
+ publisher = {Springer-Verlag, LNCS 1976},
+ note = {\newline \url{http://citeseer.nj.nec.com/450148.html}},
+}
+
+@InProceedings{hybrid-mix,
+ author = {M. Ohkubo and M. Abe},
+ title = {A {L}ength-{I}nvariant {H}ybrid {MIX}},
+ booktitle = {Advances in Cryptology - {ASIACRYPT} 2000},
+ year = {2000},
+ publisher = {Springer-Verlag, LNCS 1976},
+}
+
+@InProceedings{PShuffle,
+ author = {Jun Furukawa and Kazue Sako},
+ title = {An Efficient Scheme for Proving a Shuffle},
+ editor = {Joe Kilian},
+ booktitle = {CRYPTO 2001},
+ year = {2001},
+ publisher = {Springer-Verlag, LNCS 2139},
+}
+
+
+@InProceedings{jakobsson-optimally,
+ author = "Markus Jakobsson and Ari Juels",
+ title = "An Optimally Robust Hybrid Mix Network (Extended Abstract)",
+ booktitle = {Principles of Distributed Computing - {PODC} '01},
+ year = "2001",
+ publisher = {ACM Press},
+ note = {\url{http://citeseer.nj.nec.com/492015.html}},
+}
+
+@InProceedings{kesdogan,
+ author = {D. Kesdogan and M. Egner and T. B\"uschkes},
+ title = {Stop-and-Go {MIX}es Providing Probabilistic Anonymity in an Open
+ System},
+ booktitle = {Information Hiding (IH 1998)},
+ year = {1998},
+ publisher = {Springer-Verlag, LNCS 1525},
+}
+ %note = {\url{http://www.cl.cam.ac.uk/~fapp2/ihw98/ihw98-sgmix.pdf}},
+
+@InProceedings{socks4,
+ author = {David Koblas and Michelle R. Koblas},
+ title = {{SOCKS}},
+ booktitle = {UNIX Security III Symposium (1992 USENIX Security
+ Symposium)},
+ pages = {77--83},
+ year = 1992,
+ publisher = {USENIX},
+}
+
+@InProceedings{flash-mix,
+ author = {Markus Jakobsson},
+ title = {Flash {M}ixing},
+ booktitle = {Principles of Distributed Computing - {PODC} '99},
+ year = {1999},
+ publisher = {ACM Press},
+ note = {\newline \url{http://citeseer.nj.nec.com/jakobsson99flash.html}},
+}
+
+@InProceedings{SK,
+ author = {Joe Kilian and Kazue Sako},
+ title = {Receipt-Free {MIX}-Type Voting Scheme - A Practical Solution to
+ the Implementation of a Voting Booth},
+ booktitle = {EUROCRYPT '95},
+ year = {1995},
+ publisher = {Springer-Verlag},
+}
+
+@InProceedings{OAEP,
+ author = {M. Bellare and P. Rogaway},
+ year = {1994},
+ booktitle = {EUROCRYPT '94},
+ title = {Optimal {A}symmetric {E}ncryption {P}adding : How To Encrypt With
+ {RSA}},
+ publisher = {Springer-Verlag},
+ note = {\newline \url{http://www-cse.ucsd.edu/users/mihir/papers/oaep.html}},
+}
+@inproceedings{babel,
+ title = {Mixing {E}-mail With {B}abel},
+ author = {Ceki G\"ulc\"u and Gene Tsudik},
+ booktitle = {{Network and Distributed Security Symposium (NDSS 96)}},
+ year = 1996,
+ month = {February},
+ pages = {2--16},
+ publisher = {IEEE},
+}
+ %note = {\url{http://citeseer.nj.nec.com/2254.html}},
+
+@Misc{rprocess,
+ author = {RProcess},
+ title = {Selective Denial of Service Attacks},
+ note = {\newline \url{http://www.eff.org/pub/Privacy/Anonymity/1999\_09\_DoS\_remail\_vuln.html}},
+}
+
+@Article{remailer-history,
+ author = {Sameer Parekh},
+ title = {Prospects for Remailers},
+ journal = {First Monday},
+ volume = {1},
+ number = {2},
+ month = {August},
+ year = {1996},
+ note = {\url{http://www.firstmonday.dk/issues/issue2/remailers/}},
+}
+
+@Article{chaum-mix,
+ author = {David Chaum},
+ title = {Untraceable electronic mail, return addresses, and digital pseudo-nyms},
+ journal = {Communications of the ACM},
+ year = {1981},
+ volume = {4},
+ number = {2},
+ month = {February},
+}
+ %note = {\url{http://www.eskimo.com/~weidai/mix-net.txt}},
+
+@InProceedings{nym-alias-net,
+ author = {David Mazi\`{e}res and M. Frans Kaashoek},
+ title = {{The Design, Implementation and Operation of an Email
+ Pseudonym Server}},
+ booktitle = {$5^{th}$ ACM Conference on Computer and
+ Communications Security (CCS'98)},
+ year = 1998,
+ publisher = {ACM Press},
+}
+ %note = {\newline \url{http://www.scs.cs.nyu.edu/~dm/}},
+
+@InProceedings{tangler,
+ author = {Marc Waldman and David Mazi\`{e}res},
+ title = {Tangler: A Censorship-Resistant Publishing System
+ Based on Document Entanglements},
+ booktitle = {$8^{th}$ ACM Conference on Computer and
+ Communications Security (CCS-8)},
+ pages = {86--135},
+ year = 2001,
+ publisher = {ACM Press},
+}
+ %note = {\url{http://www.scs.cs.nyu.edu/~dm/}}
+
+@misc{neochaum,
+ author = {Tim May},
+ title = {Payment mixes for anonymity},
+ howpublished = {E-mail archived at
+ \url{http://\newline www.inet-one.com/cypherpunks/dir.2000.02.28-2000.03.05/msg00334.html}},
+}
+
+@misc{helsingius,
+ author = {J. Helsingius},
+ title = {{\tt anon.penet.fi} press release},
+ note = {\newline \url{http://www.penet.fi/press-english.html}},
+}
+
+@InProceedings{garay97secure,
+ author = {J. Garay and R. Gennaro and C. Jutla and T. Rabin},
+ title = {Secure distributed storage and retrieval},
+ booktitle = {11th International Workshop, WDAG '97},
+ pages = {275--289},
+ year = {1997},
+ publisher = {Springer-Verlag, LNCS 1320},
+ note = {\newline \url{http://citeseer.nj.nec.com/garay97secure.html}},
+}
+
+@InProceedings{PIK,
+ author = {C. Park and K. Itoh and K. Kurosawa},
+ title = {Efficient anonymous channel and all/nothing election scheme},
+ booktitle = {Advances in Cryptology -- {EUROCRYPT} '93},
+ pages = {248--259},
+ publisher = {Springer-Verlag, LNCS 765},
+}
+
+@Misc{pgpfaq,
+ key = {PGP},
+ title = {{PGP} {FAQ}},
+ note = {\newline \url{http://www.faqs.org/faqs/pgp-faq/}},
+}
+
+@Article{riordan-schneier,
+ author = {James Riordan and Bruce Schneier},
+ title = {A Certified E-mail Protocol with No Trusted Third Party},
+ journal = {13th Annual Computer Security Applications Conference},
+ month = {December},
+ year = {1998},
+ note = {\newline \url{http://www.counterpane.com/certified-email.html}},
+}
+
+
+@Article{crowds-tissec,
+ author = {Michael K. Reiter and Aviel D. Rubin},
+ title = {Crowds: Anonymity for Web Transactions},
+ journal = {ACM TISSEC},
+ year = 1998,
+ volume = 1,
+ number = 1,
+ pages = {66--92},
+ month = {June},
+}
+ %note = {\url{http://citeseer.nj.nec.com/284739.html}}
+
+@Article{crowds-dimacs,
+ author = {Michael K. Reiter and Aviel D. Rubin},
+ title = {Crowds: Anonymity for Web Transactions},
+ journal = {{DIMACS} Technical Report (Revised)},
+ volume = {97},
+ number = {15},
+ month = {August},
+ year = {1997},
+}
+
+@Misc{advogato,
+ author = {Raph Levien},
+ title = {Advogato's Trust Metric},
+ note = {\newline \url{http://www.advogato.org/trust-metric.html}},
+}
+
+@InProceedings{publius,
+ author = {Marc Waldman and Aviel Rubin and Lorrie Cranor},
+ title = {Publius: {A} robust, tamper-evident, censorship-resistant and
+ source-anonymous web publishing system},
+ booktitle = {Proc. 9th USENIX Security Symposium},
+ pages = {59--72},
+ year = {2000},
+ month = {August},
+}
+ %note = {\newline \url{http://citeseer.nj.nec.com/waldman00publius.html}},
+
+@Misc{freedom-nyms,
+ author = {Russell Samuels},
+ title = {Untraceable Nym Creation on the {F}reedom {N}etwork},
+ year = {1999},
+ month = {November},
+ day = {21},
+ note = {\newline \url{http://www.freedom.net/products/whitepapers/white11.html}},
+}
+
+@techreport{freedom2-arch,
+ title = {Freedom Systems 2.0 Architecture},
+ author = {Philippe Boucher and Adam Shostack and Ian Goldberg},
+ institution = {Zero Knowledge Systems, {Inc.}},
+ year = {2000},
+ month = {December},
+ type = {White Paper},
+ day = {18},
+}
+
+@techreport{freedom21-security,
+ title = {Freedom Systems 2.1 Security Issues and Analysis},
+ author = {Adam Back and Ian Goldberg and Adam Shostack},
+ institution = {Zero Knowledge Systems, {Inc.}},
+ year = {2001},
+ month = {May},
+ type = {White Paper},
+}
+
+@inproceedings{cfs:sosp01,
+ title = {Wide-area cooperative storage with {CFS}},
+ author = {Frank Dabek and M. Frans Kaashoek and David Karger and Robert Morris and Ion Stoica},
+ booktitle = {18th {ACM} {S}ymposium on {O}perating {S}ystems {P}rinciples ({SOSP} '01)},
+ year = {2001},
+ month = {October},
+ address = {Chateau Lake Louise, Banff, Canada},
+}
+
+@inproceedings{SS03,
+ title = {Passive Attack Analysis for Connection-Based Anonymity Systems},
+ author = {Andrei Serjantov and Peter Sewell},
+ booktitle = {Computer Security -- ESORICS 2003},
+ publisher = {Springer-Verlag, LNCS 2808},
+ year = {2003},
+ month = {October},
+}
+ %note = {\url{http://www.cl.cam.ac.uk/users/aas23/papers_aas/conn_sys.ps}},
+
+@Misc{pk-relations,
+ author = {M. Bellare and A. Desai and D. Pointcheval and P. Rogaway},
+ title = {Relations Among Notions of Security for Public-Key Encryption
+ Schemes},
+ howpublished = {
+ Extended abstract in {\em Advances in Cryptology - CRYPTO '98}, LNCS Vol. 1462.
+ Springer-Verlag, 1998.
+ Full version available from \newline \url{http://www-cse.ucsd.edu/users/mihir/}},
+}
+
+
+@InProceedings{mix-acc,
+ author = {Roger Dingledine and Michael J. Freedman and David
+ Hopwood and David Molnar},
+ title = {{A Reputation System to Increase MIX-net
+ Reliability}},
+ booktitle = {Information Hiding (IH 2001)},
+ pages = {126--141},
+ year = 2001,
+ editor = {Ira S. Moskowitz},
+ publisher = {Springer-Verlag, LNCS 2137},
+}
+ %note = {\url{http://www.freehaven.net/papers.html}},
+
+@InProceedings{casc-rep,
+ author = {Roger Dingledine and Paul Syverson},
+ title = {{Reliable MIX Cascade Networks through Reputation}},
+ booktitle = {Financial Cryptography},
+ year = 2002,
+ editor = {Matt Blaze},
+ publisher = {Springer-Verlag, LNCS 2357},
+}
+ %note = {\newline \url{http://www.freehaven.net/papers.html}},
+
+@InProceedings{zhou96certified,
+ author = {Zhou and Gollmann},
+ title = {Certified Electronic Mail},
+ booktitle = {{ESORICS: European Symposium on Research in Computer
+ Security}},
+ publisher = {Springer-Verlag, LNCS 1146},
+ year = {1996},
+ note = {\newline \url{http://citeseer.nj.nec.com/zhou96certified.html}},
+}
+
+@Misc{realtime-mix,
+ author = {Anja Jerichow and Jan M\"uller and Andreas Pfitzmann and
+ Birgit Pfitzmann and Michael Waidner},
+ title = {{Real-Time MIXes: A Bandwidth-Efficient Anonymity Protocol}},
+ howpublished = {IEEE Journal on Selected Areas in Communications, 1998.},
+ note = {\url{http://www.zurich.ibm.com/security/publications/1998.html}},
+}
+
+@InProceedings{danezis-pets03,
+ author = {George Danezis},
+ title = {Mix-networks with Restricted Routes},
+ booktitle = {Privacy Enhancing Technologies (PET 2003)},
+ year = 2003,
+ editor = {Roger Dingledine},
+ publisher = {Springer-Verlag LNCS 2760}
+}
+
+@InProceedings{gap-pets03,
+ author = {Krista Bennett and Christian Grothoff},
+ title = {{GAP} -- practical anonymous networking},
+ booktitle = {Privacy Enhancing Technologies (PET 2003)},
+ year = 2003,
+ editor = {Roger Dingledine},
+ publisher = {Springer-Verlag LNCS 2760}
+}
+
+@Article{hordes-jcs,
+ author = {Brian Neal Levine and Clay Shields},
+ title = {Hordes: A Multicast-Based Protocol for Anonymity},
+ journal = {Journal of Computer Security},
+ year = 2002,
+ volume = 10,
+ number = 3,
+ pages = {213--240}
+}
+
+@TechReport{herbivore,
+ author = {Sharad Goel and Mark Robson and Milo Polte and Emin G\"{u}n Sirer},
+ title = {Herbivore: A Scalable and Efficient Protocol for Anonymous Communication},
+ institution = {Cornell University Computing and Information Science},
+ year = 2003,
+ type = {Technical Report},
+ number = {TR2003-1890},
+ month = {February}
+}
+
+@InProceedings{p5,
+ author = {Rob Sherwood and Bobby Bhattacharjee and Aravind Srinivasan},
+ title = {$P^5$: A Protocol for Scalable Anonymous Communication},
+ booktitle = {IEEE Symposium on Security and Privacy},
+ pages = {58--70},
+ year = 2002,
+ publisher = {IEEE CS}
+}
+
+@phdthesis{ian-thesis,
+ title = {A Pseudonymous Communications Infrastructure for the Internet},
+ author = {Ian Goldberg},
+ school = {UC Berkeley},
+ year = {2000},
+ month = {Dec},
+}
+
+@Article{taz,
+ author = {Ian Goldberg and David Wagner},
+ title = {TAZ Servers and the Rewebber Network: Enabling
+ Anonymous Publishing on the World Wide Web},
+ journal = {First Monday},
+ year = 1998,
+ volume = 3,
+ number = 4,
+ month = {August},
+ note = {\url{http://www.firstmonday.dk/issues/issue3_4/goldberg/}}
+}
+
+@Misc{tcp-over-tcp-is-bad,
+ key = {tcp-over-tcp-is-bad},
+ title = {Why {TCP} Over {TCP} Is A Bad Idea},
+ author = {Olaf Titz},
+ note = {\url{http://sites.inka.de/sites/bigred/devel/tcp-tcp.html}}
+}
+
+@inproceedings{wright02,
+ title = {An Analysis of the Degradation of Anonymous Protocols},
+ author = {Matthew Wright and Micah Adler and Brian Neil Levine and Clay Shields},
+ booktitle = {{Network and Distributed Security Symposium (NDSS 02)}},
+ year = {2002},
+ month = {February},
+ publisher = {IEEE},
+}
+
+@inproceedings{wright03,
+ title = {Defending Anonymous Communication Against Passive Logging Attacks},
+ author = {Matthew Wright and Micah Adler and Brian Neil Levine and Clay Shields},
+ booktitle = {IEEE Symposium on Security and Privacy},
+ pages= {28--41},
+ year = {2003},
+ month = {May},
+ publisher = {IEEE CS},
+}
+
+@Misc{jap-backdoor,
+ author={{The AN.ON Project}},
+ howpublished={Press release},
+ year={2003},
+ month={September},
+ title={German Police proceeds against anonymity service},
+ note={\url{http://www.datenschutzzentrum.de/material/themen/presse/anon-bka_e.htm}}
+}
+
+@article{shsm03,
+ title = {Using Caching for Browsing Anonymity},
+ author = {Anna Shubina and Sean Smith},
+ journal = {ACM SIGEcom Exchanges},
+ volume = {4},
+ number = {2},
+ year = {2003},
+ month = {Sept},
+ www_pdf_url = {http://www.acm.org/sigs/sigecom/exchanges/volume_4_(03)/4.2-Shubina.pdf},
+ www_section = {Anonymous communication},
+}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "tor-design"
+%%% End:
diff --git a/doc/design-paper/tor-design.html b/doc/design-paper/tor-design.html
new file mode 100644
index 0000000000..a02731f174
--- /dev/null
+++ b/doc/design-paper/tor-design.html
@@ -0,0 +1,2486 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta name="GENERATOR" content="TtH 3.59" />
+ <style type="text/css"> div.p { margin-top: 7pt;}</style>
+ <style type="text/css"><!--
+ td div.comp { margin-top: -0.6ex; margin-bottom: -1ex;}
+ td div.comb { margin-top: -0.6ex; margin-bottom: -.6ex;}
+ td div.hrcomp { line-height: 0.9; margin-top: -0.8ex; margin-bottom: -1ex;}
+ td div.norm {line-height:normal;}
+ span.roman {font-family: serif; font-style: normal; font-weight: normal;}
+ span.overacc2 {position: relative; left: .8em; top: -1.2ex;}
+ span.overacc1 {position: relative; left: .6em; top: -1.2ex;} --></style>
+
+
+<title> Tor: The Second-Generation Onion Router </title>
+</head>
+<body>
+
+<h1 align="center">Tor: The Second-Generation Onion Router </h1>
+<div class="p"><!----></div>
+
+<h3 align="center">
+Roger Dingledine, The Free Haven Project, <tt>arma@freehaven.net</tt><br>
+Nick Mathewson, The Free Haven Project, <tt>nickm@freehaven.net</tt><br>
+Paul Syverson, Naval Research Lab, <tt>syverson@itd.nrl.navy.mil</tt> </h3>
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+
+<h2> Abstract</h2>
+We present Tor, a circuit-based low-latency anonymous communication
+service. This second-generation Onion Routing system addresses limitations
+in the original design by adding perfect forward secrecy, congestion
+control, directory servers, integrity checking, configurable exit policies,
+and a practical design for location-hidden services via rendezvous
+points. Tor works on the real-world
+Internet, requires no special privileges or kernel modifications, requires
+little synchronization or coordination between nodes, and provides a
+reasonable tradeoff between anonymity, usability, and efficiency.
+We briefly describe our experiences with an international network of
+more than 30 nodes. We close with a list of open problems in anonymous communication.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc1">
+1</a>&nbsp;&nbsp;Overview</h2>
+<a name="sec:intro">
+</a>
+
+<div class="p"><!----></div>
+Onion Routing is a distributed overlay network designed to anonymize
+TCP-based applications like web browsing, secure shell,
+and instant messaging. Clients choose a path through the network and
+build a <em>circuit</em>, in which each node (or "onion router" or "OR")
+in the path knows its predecessor and successor, but no other nodes in
+the circuit. Traffic flows down the circuit in fixed-size
+<em>cells</em>, which are unwrapped by a symmetric key at each node
+(like the layers of an onion) and relayed downstream. The
+Onion Routing project published several design and analysis
+papers [<a href="#or-ih96" name="CITEor-ih96">27</a>,<a href="#or-jsac98" name="CITEor-jsac98">41</a>,<a href="#or-discex00" name="CITEor-discex00">48</a>,<a href="#or-pet00" name="CITEor-pet00">49</a>]. While a wide area Onion
+Routing network was deployed briefly, the only long-running
+public implementation was a fragile
+proof-of-concept that ran on a single machine. Even this simple deployment
+processed connections from over sixty thousand distinct IP addresses from
+all over the world at a rate of about fifty thousand per day.
+But many critical design and deployment issues were never
+resolved, and the design has not been updated in years. Here
+we describe Tor, a protocol for asynchronous, loosely federated onion
+routers that provides the following improvements over the old Onion
+Routing design:
+
+<div class="p"><!----></div>
+<b>Perfect forward secrecy:</b> In the original Onion Routing design,
+a single hostile node could record traffic and
+later compromise successive nodes in the circuit and force them
+to decrypt it. Rather than using a single multiply encrypted data
+structure (an <em>onion</em>) to lay each circuit,
+Tor now uses an incremental or <em>telescoping</em> path-building design,
+where the initiator negotiates session keys with each successive hop in
+the circuit. Once these keys are deleted, subsequently compromised nodes
+cannot decrypt old traffic. As a side benefit, onion replay detection
+is no longer necessary, and the process of building circuits is more
+reliable, since the initiator knows when a hop fails and can then try
+extending to a new node.
+
+<div class="p"><!----></div>
+<b>Separation of "protocol cleaning" from anonymity:</b>
+Onion Routing originally required a separate "application
+proxy" for each supported application protocol-most of which were
+never written, so many applications were never supported. Tor uses the
+standard and near-ubiquitous SOCKS&nbsp;[<a href="#socks4" name="CITEsocks4">32</a>] proxy interface, allowing
+us to support most TCP-based programs without modification. Tor now
+relies on the filtering features of privacy-enhancing
+application-level proxies such as Privoxy&nbsp;[<a href="#privoxy" name="CITEprivoxy">39</a>], without trying
+to duplicate those features itself.
+
+<div class="p"><!----></div>
+<b>No mixing, padding, or traffic shaping (yet):</b> Onion
+Routing originally called for batching and reordering cells as they arrived,
+assumed padding between ORs, and in
+later designs added padding between onion proxies (users) and
+ORs&nbsp;[<a href="#or-ih96" name="CITEor-ih96">27</a>,<a href="#or-jsac98" name="CITEor-jsac98">41</a>]. Tradeoffs between padding protection
+and cost were discussed, and <em>traffic shaping</em> algorithms were
+theorized&nbsp;[<a href="#or-pet00" name="CITEor-pet00">49</a>] to provide good security without expensive
+padding, but no concrete padding scheme was suggested.
+Recent research&nbsp;[<a href="#econymics" name="CITEeconymics">1</a>]
+and deployment experience&nbsp;[<a href="#freedom21-security" name="CITEfreedom21-security">4</a>] suggest that this
+level of resource use is not practical or economical; and even full
+link padding is still vulnerable&nbsp;[<a href="#defensive-dropping" name="CITEdefensive-dropping">33</a>]. Thus,
+until we have a proven and convenient design for traffic shaping or
+low-latency mixing that improves anonymity against a realistic
+adversary, we leave these strategies out.
+
+<div class="p"><!----></div>
+<b>Many TCP streams can share one circuit:</b> Onion Routing originally
+built a separate circuit for each
+application-level request, but this required
+multiple public key operations for every request, and also presented
+a threat to anonymity from building so many circuits; see
+Section&nbsp;<a href="#sec:maintaining-anonymity">9</a>. Tor multiplexes multiple TCP
+streams along each circuit to improve efficiency and anonymity.
+
+<div class="p"><!----></div>
+<b>Leaky-pipe circuit topology:</b> Through in-band signaling
+within the circuit, Tor initiators can direct traffic to nodes partway
+down the circuit. This novel approach
+allows traffic to exit the circuit from the middle-possibly
+frustrating traffic shape and volume attacks based on observing the end
+of the circuit. (It also allows for long-range padding if
+future research shows this to be worthwhile.)
+
+<div class="p"><!----></div>
+<b>Congestion control:</b> Earlier anonymity designs do not
+address traffic bottlenecks. Unfortunately, typical approaches to
+load balancing and flow control in overlay networks involve inter-node
+control communication and global views of traffic. Tor's decentralized
+congestion control uses end-to-end acks to maintain anonymity
+while allowing nodes at the edges of the network to detect congestion
+or flooding and send less data until the congestion subsides.
+
+<div class="p"><!----></div>
+<b>Directory servers:</b> The earlier Onion Routing design
+planned to flood state information through the network-an approach
+that can be unreliable and complex. Tor takes a simplified view toward distributing this
+information. Certain more trusted nodes act as <em>directory
+servers</em>: they provide signed directories describing known
+routers and their current state. Users periodically download them
+via HTTP.
+
+<div class="p"><!----></div>
+<b>Variable exit policies:</b> Tor provides a consistent mechanism
+for each node to advertise a policy describing the hosts
+and ports to which it will connect. These exit policies are critical
+in a volunteer-based distributed infrastructure, because each operator
+is comfortable with allowing different types of traffic to exit
+from his node.
+
+<div class="p"><!----></div>
+<b>End-to-end integrity checking:</b> The original Onion Routing
+design did no integrity checking on data. Any node on the
+circuit could change the contents of data cells as they passed by-for
+example, to alter a connection request so it would connect
+to a different webserver, or to `tag' encrypted traffic and look for
+corresponding corrupted traffic at the network edges&nbsp;[<a href="#minion-design" name="CITEminion-design">15</a>].
+Tor hampers these attacks by verifying data integrity before it leaves
+the network.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+<b>Rendezvous points and hidden services:</b>
+Tor provides an integrated mechanism for responder anonymity via
+location-protected servers. Previous Onion Routing designs included
+long-lived "reply onions" that could be used to build circuits
+to a hidden server, but these reply onions did not provide forward
+security, and became useless if any node in the path went down
+or rotated its keys. In Tor, clients negotiate <i>rendezvous points</i>
+to connect with hidden servers; reply onions are no longer required.
+
+<div class="p"><!----></div>
+Unlike Freedom&nbsp;[<a href="#freedom2-arch" name="CITEfreedom2-arch">8</a>], Tor does not require OS kernel
+patches or network stack support. This prevents us from anonymizing
+non-TCP protocols, but has greatly helped our portability and
+deployability.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+We have implemented all of the above features, including rendezvous
+points. Our source code is
+available under a free license, and Tor
+is not covered by the patent that affected distribution and use of
+earlier versions of Onion Routing.
+We have deployed a wide-area alpha network
+to test the design, to get more experience with usability
+and users, and to provide a research platform for experimentation.
+As of this writing, the network stands at 32 nodes spread over two continents.
+
+<div class="p"><!----></div>
+We review previous work in Section&nbsp;<a href="#sec:related-work">2</a>, describe
+our goals and assumptions in Section&nbsp;<a href="#sec:assumptions">3</a>,
+and then address the above list of improvements in
+Sections&nbsp;<a href="#sec:design">4</a>,&nbsp;<a href="#sec:rendezvous">5</a>, and&nbsp;<a href="#sec:other-design">6</a>.
+We summarize
+in Section&nbsp;<a href="#sec:attacks">7</a> how our design stands up to
+known attacks, and talk about our early deployment experiences in
+Section&nbsp;<a href="#sec:in-the-wild">8</a>. We conclude with a list of open problems in
+Section&nbsp;<a href="#sec:maintaining-anonymity">9</a> and future work for the Onion
+Routing project in Section&nbsp;<a href="#sec:conclusion">10</a>.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc2">
+2</a>&nbsp;&nbsp;Related work</h2>
+<a name="sec:related-work">
+</a>
+
+<div class="p"><!----></div>
+Modern anonymity systems date to Chaum's <b>Mix-Net</b>
+design&nbsp;[<a href="#chaum-mix" name="CITEchaum-mix">10</a>]. Chaum
+proposed hiding the correspondence between sender and recipient by
+wrapping messages in layers of public-key cryptography, and relaying them
+through a path composed of "mixes." Each mix in turn
+decrypts, delays, and re-orders messages before relaying them
+onward.
+
+<div class="p"><!----></div>
+Subsequent relay-based anonymity designs have diverged in two
+main directions. Systems like <b>Babel</b>&nbsp;[<a href="#babel" name="CITEbabel">28</a>],
+<b>Mixmaster</b>&nbsp;[<a href="#mixmaster-spec" name="CITEmixmaster-spec">36</a>],
+and <b>Mixminion</b>&nbsp;[<a href="#minion-design" name="CITEminion-design">15</a>] have tried
+to maximize anonymity at the cost of introducing comparatively large and
+variable latencies. Because of this decision, these <em>high-latency</em>
+networks resist strong global adversaries,
+but introduce too much lag for interactive tasks like web browsing,
+Internet chat, or SSH connections.
+
+<div class="p"><!----></div>
+Tor belongs to the second category: <em>low-latency</em> designs that
+try to anonymize interactive network traffic. These systems handle
+a variety of bidirectional protocols. They also provide more convenient
+mail delivery than the high-latency anonymous email
+networks, because the remote mail server provides explicit and timely
+delivery confirmation. But because these designs typically
+involve many packets that must be delivered quickly, it is
+difficult for them to prevent an attacker who can eavesdrop both ends of the
+communication from correlating the timing and volume
+of traffic entering the anonymity network with traffic leaving it&nbsp;[<a href="#SS03" name="CITESS03">45</a>].
+These
+protocols are similarly vulnerable to an active adversary who introduces
+timing patterns into traffic entering the network and looks
+for correlated patterns among exiting traffic.
+Although some work has been done to frustrate these attacks, most designs
+protect primarily against traffic analysis rather than traffic
+confirmation (see Section&nbsp;<a href="#subsec:threat-model">3.1</a>).
+
+<div class="p"><!----></div>
+The simplest low-latency designs are single-hop proxies such as the
+<b>Anonymizer</b>&nbsp;[<a href="#anonymizer" name="CITEanonymizer">3</a>]: a single trusted server strips the
+data's origin before relaying it. These designs are easy to
+analyze, but users must trust the anonymizing proxy.
+Concentrating the traffic to this single point increases the anonymity set
+(the people a given user is hiding among), but it is vulnerable if the
+adversary can observe all traffic entering and leaving the proxy.
+
+<div class="p"><!----></div>
+More complex are distributed-trust, circuit-based anonymizing systems.
+In these designs, a user establishes one or more medium-term bidirectional
+end-to-end circuits, and tunnels data in fixed-size cells.
+Establishing circuits is computationally expensive and typically
+requires public-key
+cryptography, whereas relaying cells is comparatively inexpensive and
+typically requires only symmetric encryption.
+Because a circuit crosses several servers, and each server only knows
+the adjacent servers in the circuit, no single server can link a
+user to her communication partners.
+
+<div class="p"><!----></div>
+The <b>Java Anon Proxy</b> (also known as JAP or Web MIXes) uses fixed shared
+routes known as <em>cascades</em>. As with a single-hop proxy, this
+approach aggregates users into larger anonymity sets, but again an
+attacker only needs to observe both ends of the cascade to bridge all
+the system's traffic. The Java Anon Proxy's design
+calls for padding between end users and the head of the
+cascade&nbsp;[<a href="#web-mix" name="CITEweb-mix">7</a>]. However, it is not demonstrated whether the current
+implementation's padding policy improves anonymity.
+
+<div class="p"><!----></div>
+<b>PipeNet</b>&nbsp;[<a href="#back01" name="CITEback01">5</a>,<a href="#pipenet" name="CITEpipenet">12</a>], another low-latency design proposed
+around the same time as Onion Routing, gave
+stronger anonymity but allowed a single user to shut
+down the network by not sending. Systems like <b>ISDN
+mixes</b>&nbsp;[<a href="#isdn-mixes" name="CITEisdn-mixes">38</a>] were designed for other environments with
+different assumptions.
+
+<div class="p"><!----></div>
+In P2P designs like <b>Tarzan</b>&nbsp;[<a href="#tarzan:ccs02" name="CITEtarzan:ccs02">24</a>] and
+<b>MorphMix</b>&nbsp;[<a href="#morphmix:fc04" name="CITEmorphmix:fc04">43</a>], all participants both generate
+traffic and relay traffic for others. These systems aim to conceal
+whether a given peer originated a request
+or just relayed it from another peer. While Tarzan and MorphMix use
+layered encryption as above, <b>Crowds</b>&nbsp;[<a href="#crowds-tissec" name="CITEcrowds-tissec">42</a>] simply assumes
+an adversary who cannot observe the initiator: it uses no public-key
+encryption, so any node on a circuit can read users' traffic.
+
+<div class="p"><!----></div>
+<b>Hordes</b>&nbsp;[<a href="#hordes-jcs" name="CITEhordes-jcs">34</a>] is based on Crowds but also uses multicast
+responses to hide the initiator. <b>Herbivore</b>&nbsp;[<a href="#herbivore" name="CITEherbivore">25</a>] and
+<b>P</b><sup><b>5</b></sup>&nbsp;[<a href="#p5" name="CITEp5">46</a>] go even further, requiring broadcast.
+These systems are designed primarily for communication among peers,
+although Herbivore users can make external connections by
+requesting a peer to serve as a proxy.
+
+<div class="p"><!----></div>
+Systems like <b>Freedom</b> and the original Onion Routing build circuits
+all at once, using a layered "onion" of public-key encrypted messages,
+each layer of which provides session keys and the address of the
+next server in the circuit. Tor as described herein, Tarzan, MorphMix,
+<b>Cebolla</b>&nbsp;[<a href="#cebolla" name="CITEcebolla">9</a>], and Rennhard's <b>Anonymity Network</b>&nbsp;[<a href="#anonnet" name="CITEanonnet">44</a>]
+build circuits
+in stages, extending them one hop at a time.
+Section&nbsp;<a href="#subsubsec:constructing-a-circuit">4.2</a> describes how this
+approach enables perfect forward secrecy.
+
+<div class="p"><!----></div>
+Circuit-based designs must choose which protocol layer
+to anonymize. They may intercept IP packets directly, and
+relay them whole (stripping the source address) along the
+circuit&nbsp;[<a href="#freedom2-arch" name="CITEfreedom2-arch">8</a>,<a href="#tarzan:ccs02" name="CITEtarzan:ccs02">24</a>]. Like
+Tor, they may accept TCP streams and relay the data in those streams,
+ignoring the breakdown of that data into TCP
+segments&nbsp;[<a href="#morphmix:fc04" name="CITEmorphmix:fc04">43</a>,<a href="#anonnet" name="CITEanonnet">44</a>]. Finally, like Crowds, they may accept
+application-level protocols such as HTTP and relay the application
+requests themselves.
+Making this protocol-layer decision requires a compromise between flexibility
+and anonymity. For example, a system that understands HTTP
+can strip
+identifying information from requests, can take advantage of caching
+to limit the number of requests that leave the network, and can batch
+or encode requests to minimize the number of connections.
+On the other hand, an IP-level anonymizer can handle nearly any protocol,
+even ones unforeseen by its designers (though these systems require
+kernel-level modifications to some operating systems, and so are more
+complex and less portable). TCP-level anonymity networks like Tor present
+a middle approach: they are application neutral (so long as the
+application supports, or can be tunneled across, TCP), but by treating
+application connections as data streams rather than raw TCP packets,
+they avoid the inefficiencies of tunneling TCP over
+TCP.
+
+<div class="p"><!----></div>
+Distributed-trust anonymizing systems need to prevent attackers from
+adding too many servers and thus compromising user paths.
+Tor relies on a small set of well-known directory servers, run by
+independent parties, to decide which nodes can
+join. Tarzan and MorphMix allow unknown users to run servers, and use
+a limited resource (like IP addresses) to prevent an attacker from
+controlling too much of the network. Crowds suggests requiring
+written, notarized requests from potential crowd members.
+
+<div class="p"><!----></div>
+Anonymous communication is essential for censorship-resistant
+systems like Eternity&nbsp;[<a href="#eternity" name="CITEeternity">2</a>], Free&nbsp;Haven&nbsp;[<a href="#freehaven-berk" name="CITEfreehaven-berk">19</a>],
+Publius&nbsp;[<a href="#publius" name="CITEpublius">53</a>], and Tangler&nbsp;[<a href="#tangler" name="CITEtangler">52</a>]. Tor's rendezvous
+points enable connections between mutually anonymous entities; they
+are a building block for location-hidden servers, which are needed by
+Eternity and Free&nbsp;Haven.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc3">
+3</a>&nbsp;&nbsp;Design goals and assumptions</h2>
+<a name="sec:assumptions">
+</a>
+
+<div class="p"><!----></div>
+<font size="+1"><b>Goals</b></font><br />
+Like other low-latency anonymity designs, Tor seeks to frustrate
+attackers from linking communication partners, or from linking
+multiple communications to or from a single user. Within this
+main goal, however, several considerations have directed
+Tor's evolution.
+
+<div class="p"><!----></div>
+<b>Deployability:</b> The design must be deployed and used in the
+real world. Thus it
+must not be expensive to run (for example, by requiring more bandwidth
+than volunteers are willing to provide); must not place a heavy
+liability burden on operators (for example, by allowing attackers to
+implicate onion routers in illegal activities); and must not be
+difficult or expensive to implement (for example, by requiring kernel
+patches, or separate proxies for every protocol). We also cannot
+require non-anonymous parties (such as websites)
+to run our software. (Our rendezvous point design does not meet
+this goal for non-anonymous users talking to hidden servers,
+however; see Section&nbsp;<a href="#sec:rendezvous">5</a>.)
+
+<div class="p"><!----></div>
+<b>Usability:</b> A hard-to-use system has fewer users-and because
+anonymity systems hide users among users, a system with fewer users
+provides less anonymity. Usability is thus not only a convenience:
+it is a security requirement&nbsp;[<a href="#econymics" name="CITEeconymics">1</a>,<a href="#back01" name="CITEback01">5</a>]. Tor should
+therefore not
+require modifying familiar applications; should not introduce prohibitive
+delays;
+and should require as few configuration decisions
+as possible. Finally, Tor should be easily implementable on all common
+platforms; we cannot require users to change their operating system
+to be anonymous. (Tor currently runs on Win32, Linux,
+Solaris, BSD-style Unix, MacOS X, and probably others.)
+
+<div class="p"><!----></div>
+<b>Flexibility:</b> The protocol must be flexible and well-specified,
+so Tor can serve as a test-bed for future research.
+Many of the open problems in low-latency anonymity
+networks, such as generating dummy traffic or preventing Sybil
+attacks&nbsp;[<a href="#sybil" name="CITEsybil">22</a>], may be solvable independently from the issues
+solved by
+Tor. Hopefully future systems will not need to reinvent Tor's design.
+
+<div class="p"><!----></div>
+<b>Simple design:</b> The protocol's design and security
+parameters must be well-understood. Additional features impose implementation
+and complexity costs; adding unproven techniques to the design threatens
+deployability, readability, and ease of security analysis. Tor aims to
+deploy a simple and stable system that integrates the best accepted
+approaches to protecting anonymity.<br />
+
+<div class="p"><!----></div>
+<font size="+1"><b>Non-goals</b></font><a name="subsec:non-goals">
+</a><br />
+In favoring simple, deployable designs, we have explicitly deferred
+several possible goals, either because they are solved elsewhere, or because
+they are not yet solved.
+
+<div class="p"><!----></div>
+<b>Not peer-to-peer:</b> Tarzan and MorphMix aim to scale to completely
+decentralized peer-to-peer environments with thousands of short-lived
+servers, many of which may be controlled by an adversary. This approach
+is appealing, but still has many open
+problems&nbsp;[<a href="#tarzan:ccs02" name="CITEtarzan:ccs02">24</a>,<a href="#morphmix:fc04" name="CITEmorphmix:fc04">43</a>].
+
+<div class="p"><!----></div>
+<b>Not secure against end-to-end attacks:</b> Tor does not claim
+to completely solve end-to-end timing or intersection
+attacks. Some approaches, such as having users run their own onion routers,
+may help;
+see Section&nbsp;<a href="#sec:maintaining-anonymity">9</a> for more discussion.
+
+<div class="p"><!----></div>
+<b>No protocol normalization:</b> Tor does not provide <em>protocol
+normalization</em> like Privoxy or the Anonymizer. If senders want anonymity from
+responders while using complex and variable
+protocols like HTTP, Tor must be layered with a filtering proxy such
+as Privoxy to hide differences between clients, and expunge protocol
+features that leak identity.
+Note that by this separation Tor can also provide services that
+are anonymous to the network yet authenticated to the responder, like
+SSH. Similarly, Tor does not integrate
+tunneling for non-stream-based protocols like UDP; this must be
+provided by an external service if appropriate.
+
+<div class="p"><!----></div>
+<b>Not steganographic:</b> Tor does not try to conceal who is connected
+to the network.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc3.1">
+3.1</a>&nbsp;&nbsp;Threat Model</h3>
+<a name="subsec:threat-model">
+</a>
+
+<div class="p"><!----></div>
+A global passive adversary is the most commonly assumed threat when
+analyzing theoretical anonymity designs. But like all practical
+low-latency systems, Tor does not protect against such a strong
+adversary. Instead, we assume an adversary who can observe some fraction
+of network traffic; who can generate, modify, delete, or delay
+traffic; who can operate onion routers of his own; and who can
+compromise some fraction of the onion routers.
+
+<div class="p"><!----></div>
+In low-latency anonymity systems that use layered encryption, the
+adversary's typical goal is to observe both the initiator and the
+responder. By observing both ends, passive attackers can confirm a
+suspicion that Alice is
+talking to Bob if the timing and volume patterns of the traffic on the
+connection are distinct enough; active attackers can induce timing
+signatures on the traffic to force distinct patterns. Rather
+than focusing on these <em>traffic confirmation</em> attacks,
+we aim to prevent <em>traffic
+analysis</em> attacks, where the adversary uses traffic patterns to learn
+which points in the network he should attack.
+
+<div class="p"><!----></div>
+Our adversary might try to link an initiator Alice with her
+communication partners, or try to build a profile of Alice's
+behavior. He might mount passive attacks by observing the network edges
+and correlating traffic entering and leaving the network-by
+relationships in packet timing, volume, or externally visible
+user-selected
+options. The adversary can also mount active attacks by compromising
+routers or keys; by replaying traffic; by selectively denying service
+to trustworthy routers to move users to
+compromised routers, or denying service to users to see if traffic
+elsewhere in the
+network stops; or by introducing patterns into traffic that can later be
+detected. The adversary might subvert the directory servers to give users
+differing views of network state. Additionally, he can try to decrease
+the network's reliability by attacking nodes or by performing antisocial
+activities from reliable nodes and trying to get them taken down-making
+the network unreliable flushes users to other less anonymous
+systems, where they may be easier to attack. We summarize
+in Section&nbsp;<a href="#sec:attacks">7</a> how well the Tor design defends against
+each of these attacks.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc4">
+4</a>&nbsp;&nbsp;The Tor Design</h2>
+<a name="sec:design">
+</a>
+
+<div class="p"><!----></div>
+The Tor network is an overlay network; each onion router (OR)
+runs as a normal
+user-level process without any special privileges.
+Each onion router maintains a TLS&nbsp;[<a href="#TLS" name="CITETLS">17</a>]
+connection to every other onion router.
+Each user
+runs local software called an onion proxy (OP) to fetch directories,
+establish circuits across the network,
+and handle connections from user applications. These onion proxies accept
+TCP streams and multiplex them across the circuits. The onion
+router on the other side
+of the circuit connects to the requested destinations
+and relays data.
+
+<div class="p"><!----></div>
+Each onion router maintains a long-term identity key and a short-term
+onion key. The identity
+key is used to sign TLS certificates, to sign the OR's <em>router
+descriptor</em> (a summary of its keys, address, bandwidth, exit policy,
+and so on), and (by directory servers) to sign directories. The onion key is used to decrypt requests
+from users to set up a circuit and negotiate ephemeral keys.
+The TLS protocol also establishes a short-term link key when communicating
+between ORs. Short-term keys are rotated periodically and
+independently, to limit the impact of key compromise.
+
+<div class="p"><!----></div>
+Section&nbsp;<a href="#subsec:cells">4.1</a> presents the fixed-size
+<em>cells</em> that are the unit of communication in Tor. We describe
+in Section&nbsp;<a href="#subsec:circuits">4.2</a> how circuits are
+built, extended, truncated, and destroyed. Section&nbsp;<a href="#subsec:tcp">4.3</a>
+describes how TCP streams are routed through the network. We address
+integrity checking in Section&nbsp;<a href="#subsec:integrity-checking">4.4</a>,
+and resource limiting in Section&nbsp;<a href="#subsec:rate-limit">4.5</a>.
+Finally,
+Section&nbsp;<a href="#subsec:congestion">4.6</a> talks about congestion control and
+fairness issues.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc4.1">
+4.1</a>&nbsp;&nbsp;Cells</h3>
+<a name="subsec:cells">
+</a>
+
+<div class="p"><!----></div>
+Onion routers communicate with one another, and with users' OPs, via
+TLS connections with ephemeral keys. Using TLS conceals the data on
+the connection with perfect forward secrecy, and prevents an attacker
+from modifying data on the wire or impersonating an OR.
+
+<div class="p"><!----></div>
+Traffic passes along these connections in fixed-size cells. Each cell
+is 512 bytes, and consists of a header and a payload. The header includes a circuit
+identifier (circID) that specifies which circuit the cell refers to
+(many circuits can be multiplexed over the single TLS connection), and
+a command to describe what to do with the cell's payload. (Circuit
+identifiers are connection-specific: each circuit has a different
+circID on each OP/OR or OR/OR connection it traverses.)
+Based on their command, cells are either <em>control</em> cells, which are
+always interpreted by the node that receives them, or <em>relay</em> cells,
+which carry end-to-end stream data. The control cell commands are:
+<em>padding</em> (currently used for keepalive, but also usable for link
+padding); <em>create</em> or <em>created</em> (used to set up a new circuit);
+and <em>destroy</em> (to tear down a circuit).
+
+<div class="p"><!----></div>
+Relay cells have an additional header (the relay header) at the front
+of the payload, containing a streamID (stream identifier: many streams can
+be multiplexed over a circuit); an end-to-end checksum for integrity
+checking; the length of the relay payload; and a relay command.
+The entire contents of the relay header and the relay cell payload
+are encrypted or decrypted together as the relay cell moves along the
+circuit, using the 128-bit AES cipher in counter mode to generate a
+cipher stream. The relay commands are: <em>relay
+data</em> (for data flowing down the stream), <em>relay begin</em> (to open a
+stream), <em>relay end</em> (to close a stream cleanly), <em>relay
+teardown</em> (to close a broken stream), <em>relay connected</em>
+(to notify the OP that a relay begin has succeeded), <em>relay
+extend</em> and <em>relay extended</em> (to extend the circuit by a hop,
+and to acknowledge), <em>relay truncate</em> and <em>relay truncated</em>
+(to tear down only part of the circuit, and to acknowledge), <em>relay
+sendme</em> (used for congestion control), and <em>relay drop</em> (used to
+implement long-range dummies).
+We give a visual overview of cell structure plus the details of relay
+cell structure, and then describe each of these cell types and commands
+in more detail below.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+<a name="tth_fIg1">
+</a> <center><img src="cell-struct.png" alt="cell-struct.png" />
+</center>
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc4.2">
+4.2</a>&nbsp;&nbsp;Circuits and streams</h3>
+<a name="subsec:circuits">
+</a>
+
+<div class="p"><!----></div>
+Onion Routing originally built one circuit for each
+TCP stream. Because building a circuit can take several tenths of a
+second (due to public-key cryptography and network latency),
+this design imposed high costs on applications like web browsing that
+open many TCP streams.
+
+<div class="p"><!----></div>
+In Tor, each circuit can be shared by many TCP streams. To avoid
+delays, users construct circuits preemptively. To limit linkability
+among their streams, users' OPs build a new circuit
+periodically if the previous ones have been used,
+and expire old used circuits that no longer have any open streams.
+OPs consider rotating to a new circuit once a minute: thus
+even heavy users spend negligible time
+building circuits, but a limited number of requests can be linked
+to each other through a given exit node. Also, because circuits are built
+in the background, OPs can recover from failed circuit creation
+without harming user experience.<br />
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+<a name="tth_fIg1">
+</a> <center><img src="interaction.png" alt="interaction.png" />
+
+<center>Figure 1: Alice builds a two-hop circuit and begins fetching a web page.</center>
+<a name="fig:interaction">
+</a>
+</center>
+<div class="p"><!----></div>
+<font size="+1"><b>Constructing a circuit</b></font><a name="subsubsec:constructing-a-circuit">
+</a><br />
+A user's OP constructs circuits incrementally, negotiating a
+symmetric key with each OR on the circuit, one hop at a time. To begin
+creating a new circuit, the OP (call her Alice) sends a
+<em>create</em> cell to the first node in her chosen path (call him Bob).
+(She chooses a new
+circID C<sub>AB</sub> not currently used on the connection from her to Bob.)
+The <em>create</em> cell's
+payload contains the first half of the Diffie-Hellman handshake
+(g<sup>x</sup>), encrypted to the onion key of the OR (call him Bob). Bob
+responds with a <em>created</em> cell containing g<sup>y</sup>
+along with a hash of the negotiated key K=g<sup>xy</sup>.
+
+<div class="p"><!----></div>
+Once the circuit has been established, Alice and Bob can send one
+another relay cells encrypted with the negotiated
+key.<a href="#tthFtNtAAB" name="tthFrefAAB"><sup>1</sup></a> More detail is given in
+the next section.
+
+<div class="p"><!----></div>
+To extend the circuit further, Alice sends a <em>relay extend</em> cell
+to Bob, specifying the address of the next OR (call her Carol), and
+an encrypted g<sup>x<sub>2</sub></sup> for her. Bob copies the half-handshake into a
+<em>create</em> cell, and passes it to Carol to extend the circuit.
+(Bob chooses a new circID C<sub>BC</sub> not currently used on the connection
+between him and Carol. Alice never needs to know this circID; only Bob
+associates C<sub>AB</sub> on his connection with Alice to C<sub>BC</sub> on
+his connection with Carol.)
+When Carol responds with a <em>created</em> cell, Bob wraps the payload
+into a <em>relay extended</em> cell and passes it back to Alice. Now
+the circuit is extended to Carol, and Alice and Carol share a common key
+K<sub>2</sub> = g<sup>x<sub>2</sub> y<sub>2</sub></sup>.
+
+<div class="p"><!----></div>
+To extend the circuit to a third node or beyond, Alice
+proceeds as above, always telling the last node in the circuit to
+extend one hop further.
+
+<div class="p"><!----></div>
+This circuit-level handshake protocol achieves unilateral entity
+authentication (Alice knows she's handshaking with the OR, but
+the OR doesn't care who is opening the circuit-Alice uses no public key
+and remains anonymous) and unilateral key authentication
+(Alice and the OR agree on a key, and Alice knows only the OR learns
+it). It also achieves forward
+secrecy and key freshness. More formally, the protocol is as follows
+(where E<sub>PK<sub>Bob</sub></sub>(&#183;) is encryption with Bob's public key,
+H is a secure hash function, and <font face="symbol">|</font
+> is concatenation):
+
+<div class="p"><!----></div>
+<a name="tth_tAb1">
+</a>
+<table>
+<tr><td align="right">Alice </td><td align="center">-&#62; </td><td align="center">Bob </td><td>: E<sub>PK<sub>Bob</sub></sub>(g<sup>x</sup>) </td></tr>
+<tr><td align="right">Bob </td><td align="center">-&#62; </td><td align="center">Alice </td><td>: g<sup>y</sup>, H(K <font face="symbol">|</font
+> "<span class="roman">handshake</span>")
+</td></tr></table>
+
+
+<div class="p"><!----></div>
+ In the second step, Bob proves that it was he who received g<sup>x</sup>,
+and who chose y. We use PK encryption in the first step
+(rather than, say, using the first two steps of STS, which has a
+signature in the second step) because a single cell is too small to
+hold both a public key and a signature. Preliminary analysis with the
+NRL protocol analyzer&nbsp;[<a href="#meadows96" name="CITEmeadows96">35</a>] shows this protocol to be
+secure (including perfect forward secrecy) under the
+traditional Dolev-Yao model.<br />
+
+<div class="p"><!----></div>
+<font size="+1"><b>Relay cells</b></font><br />
+Once Alice has established the circuit (so she shares keys with each
+OR on the circuit), she can send relay cells.
+Upon receiving a relay
+cell, an OR looks up the corresponding circuit, and decrypts the relay
+header and payload with the session key for that circuit.
+If the cell is headed away from Alice the OR then checks whether the
+decrypted cell has a valid digest (as an optimization, the first
+two bytes of the integrity check are zero, so in most cases we can avoid
+computing the hash).
+If valid, it accepts the relay cell and processes it as described
+below. Otherwise,
+the OR looks up the circID and OR for the
+next step in the circuit, replaces the circID as appropriate, and
+sends the decrypted relay cell to the next OR. (If the OR at the end
+of the circuit receives an unrecognized relay cell, an error has
+occurred, and the circuit is torn down.)
+
+<div class="p"><!----></div>
+OPs treat incoming relay cells similarly: they iteratively unwrap the
+relay header and payload with the session keys shared with each
+OR on the circuit, from the closest to farthest.
+If at any stage the digest is valid, the cell must have
+originated at the OR whose encryption has just been removed.
+
+<div class="p"><!----></div>
+To construct a relay cell addressed to a given OR, Alice assigns the
+digest, and then iteratively
+encrypts the cell payload (that is, the relay header and payload) with
+the symmetric key of each hop up to that OR. Because the digest is
+encrypted to a different value at each step, only at the targeted OR
+will it have a meaningful value.<a href="#tthFtNtAAC" name="tthFrefAAC"><sup>2</sup></a>
+This <em>leaky pipe</em> circuit topology
+allows Alice's streams to exit at different ORs on a single circuit.
+Alice may choose different exit points because of their exit policies,
+or to keep the ORs from knowing that two streams
+originate from the same person.
+
+<div class="p"><!----></div>
+When an OR later replies to Alice with a relay cell, it
+encrypts the cell's relay header and payload with the single key it
+shares with Alice, and sends the cell back toward Alice along the
+circuit. Subsequent ORs add further layers of encryption as they
+relay the cell back to Alice.
+
+<div class="p"><!----></div>
+To tear down a circuit, Alice sends a <em>destroy</em> control
+cell. Each OR in the circuit receives the <em>destroy</em> cell, closes
+all streams on that circuit, and passes a new <em>destroy</em> cell
+forward. But just as circuits are built incrementally, they can also
+be torn down incrementally: Alice can send a <em>relay
+truncate</em> cell to a single OR on a circuit. That OR then sends a
+<em>destroy</em> cell forward, and acknowledges with a
+<em>relay truncated</em> cell. Alice can then extend the circuit to
+different nodes, without signaling to the intermediate nodes (or
+a limited observer) that she has changed her circuit.
+Similarly, if a node on the circuit goes down, the adjacent
+node can send a <em>relay truncated</em> cell back to Alice. Thus the
+"break a node and see which circuits go down"
+attack&nbsp;[<a href="#freedom21-security" name="CITEfreedom21-security">4</a>] is weakened.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc4.3">
+4.3</a>&nbsp;&nbsp;Opening and closing streams</h3>
+<a name="subsec:tcp">
+</a>
+
+<div class="p"><!----></div>
+When Alice's application wants a TCP connection to a given
+address and port, it asks the OP (via SOCKS) to make the
+connection. The OP chooses the newest open circuit (or creates one if
+needed), and chooses a suitable OR on that circuit to be the
+exit node (usually the last node, but maybe others due to exit policy
+conflicts; see Section&nbsp;<a href="#subsec:exitpolicies">6.2</a>.) The OP then opens
+the stream by sending a <em>relay begin</em> cell to the exit node,
+using a new random streamID. Once the
+exit node connects to the remote host, it responds
+with a <em>relay connected</em> cell. Upon receipt, the OP sends a
+SOCKS reply to notify the application of its success. The OP
+now accepts data from the application's TCP stream, packaging it into
+<em>relay data</em> cells and sending those cells along the circuit to
+the chosen OR.
+
+<div class="p"><!----></div>
+There's a catch to using SOCKS, however-some applications pass the
+alphanumeric hostname to the Tor client, while others resolve it into
+an IP address first and then pass the IP address to the Tor client. If
+the application does DNS resolution first, Alice thereby reveals her
+destination to the remote DNS server, rather than sending the hostname
+through the Tor network to be resolved at the far end. Common applications
+like Mozilla and SSH have this flaw.
+
+<div class="p"><!----></div>
+With Mozilla, the flaw is easy to address: the filtering HTTP
+proxy called Privoxy gives a hostname to the Tor client, so Alice's
+computer never does DNS resolution.
+But a portable general solution, such as is needed for
+SSH, is
+an open problem. Modifying or replacing the local nameserver
+can be invasive, brittle, and unportable. Forcing the resolver
+library to prefer TCP rather than UDP is hard, and also has
+portability problems. Dynamically intercepting system calls to the
+resolver library seems a promising direction. We could also provide
+a tool similar to <em>dig</em> to perform a private lookup through the
+Tor network. Currently, we encourage the use of privacy-aware proxies
+like Privoxy wherever possible.
+
+<div class="p"><!----></div>
+Closing a Tor stream is analogous to closing a TCP stream: it uses a
+two-step handshake for normal operation, or a one-step handshake for
+errors. If the stream closes abnormally, the adjacent node simply sends a
+<em>relay teardown</em> cell. If the stream closes normally, the node sends
+a <em>relay end</em> cell down the circuit, and the other side responds with
+its own <em>relay end</em> cell. Because
+all relay cells use layered encryption, only the destination OR knows
+that a given relay cell is a request to close a stream. This two-step
+handshake allows Tor to support TCP-based applications that use half-closed
+connections.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc4.4">
+4.4</a>&nbsp;&nbsp;Integrity checking on streams</h3>
+<a name="subsec:integrity-checking">
+</a>
+
+<div class="p"><!----></div>
+Because the old Onion Routing design used a stream cipher without integrity
+checking, traffic was
+vulnerable to a malleability attack: though the attacker could not
+decrypt cells, any changes to encrypted data
+would create corresponding changes to the data leaving the network.
+This weakness allowed an adversary who could guess the encrypted content
+to change a padding cell to a destroy
+cell; change the destination address in a <em>relay begin</em> cell to the
+adversary's webserver; or change an FTP command from
+<tt>dir</tt> to <tt>rm&nbsp;*</tt>. (Even an external
+adversary could do this, because the link encryption similarly used a
+stream cipher.)
+
+<div class="p"><!----></div>
+Because Tor uses TLS on its links, external adversaries cannot modify
+data. Addressing the insider malleability attack, however, is
+more complex.
+
+<div class="p"><!----></div>
+We could do integrity checking of the relay cells at each hop, either
+by including hashes or by using an authenticating cipher mode like
+EAX&nbsp;[<a href="#eax" name="CITEeax">6</a>], but there are some problems. First, these approaches
+impose a message-expansion overhead at each hop, and so we would have to
+either leak the path length or waste bytes by padding to a maximum
+path length. Second, these solutions can only verify traffic coming
+from Alice: ORs would not be able to produce suitable hashes for
+the intermediate hops, since the ORs on a circuit do not know the
+other ORs' session keys. Third, we have already accepted that our design
+is vulnerable to end-to-end timing attacks; so tagging attacks performed
+within the circuit provide no additional information to the attacker.
+
+<div class="p"><!----></div>
+Thus, we check integrity only at the edges of each stream. (Remember that
+in our leaky-pipe circuit topology, a stream's edge could be any hop
+in the circuit.) When Alice
+negotiates a key with a new hop, they each initialize a SHA-1
+digest with a derivative of that key,
+thus beginning with randomness that only the two of them know.
+Then they each incrementally add to the SHA-1 digest the contents of
+all relay cells they create, and include with each relay cell the
+first four bytes of the current digest. Each also keeps a SHA-1
+digest of data received, to verify that the received hashes are correct.
+
+<div class="p"><!----></div>
+To be sure of removing or modifying a cell, the attacker must be able
+to deduce the current digest state (which depends on all
+traffic between Alice and Bob, starting with their negotiated key).
+Attacks on SHA-1 where the adversary can incrementally add to a hash
+to produce a new valid hash don't work, because all hashes are
+end-to-end encrypted across the circuit. The computational overhead
+of computing the digests is minimal compared to doing the AES
+encryption performed at each hop of the circuit. We use only four
+bytes per cell to minimize overhead; the chance that an adversary will
+correctly guess a valid hash
+is
+acceptably low, given that the OP or OR tear down the circuit if they
+receive a bad hash.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc4.5">
+4.5</a>&nbsp;&nbsp;Rate limiting and fairness</h3>
+<a name="subsec:rate-limit">
+</a>
+
+<div class="p"><!----></div>
+Volunteers are more willing to run services that can limit
+their bandwidth usage. To accommodate them, Tor servers use a
+token bucket approach&nbsp;[<a href="#tannenbaum96" name="CITEtannenbaum96">50</a>] to
+enforce a long-term average rate of incoming bytes, while still
+permitting short-term bursts above the allowed bandwidth.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+Because the Tor protocol outputs about the same number of bytes as it
+takes in, it is sufficient in practice to limit only incoming bytes.
+With TCP streams, however, the correspondence is not one-to-one:
+relaying a single incoming byte can require an entire 512-byte cell.
+(We can't just wait for more bytes, because the local application may
+be awaiting a reply.) Therefore, we treat this case as if the entire
+cell size had been read, regardless of the cell's fullness.
+
+<div class="p"><!----></div>
+Further, inspired by Rennhard et al's design in&nbsp;[<a href="#anonnet" name="CITEanonnet">44</a>], a
+circuit's edges can heuristically distinguish interactive streams from bulk
+streams by comparing the frequency with which they supply cells. We can
+provide good latency for interactive streams by giving them preferential
+service, while still giving good overall throughput to the bulk
+streams. Such preferential treatment presents a possible end-to-end
+attack, but an adversary observing both
+ends of the stream can already learn this information through timing
+attacks.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc4.6">
+4.6</a>&nbsp;&nbsp;Congestion control</h3>
+<a name="subsec:congestion">
+</a>
+
+<div class="p"><!----></div>
+Even with bandwidth rate limiting, we still need to worry about
+congestion, either accidental or intentional. If enough users choose the
+same OR-to-OR connection for their circuits, that connection can become
+saturated. For example, an attacker could send a large file
+through the Tor network to a webserver he runs, and then
+refuse to read any of the bytes at the webserver end of the
+circuit. Without some congestion control mechanism, these bottlenecks
+can propagate back through the entire network. We don't need to
+reimplement full TCP windows (with sequence numbers,
+the ability to drop cells when we're full and retransmit later, and so
+on),
+because TCP already guarantees in-order delivery of each
+cell.
+We describe our response below.
+
+<div class="p"><!----></div>
+<b>Circuit-level throttling:</b>
+To control a circuit's bandwidth usage, each OR keeps track of two
+windows. The <em>packaging window</em> tracks how many relay data cells the OR is
+allowed to package (from incoming TCP streams) for transmission back to the OP,
+and the <em>delivery window</em> tracks how many relay data cells it is willing
+to deliver to TCP streams outside the network. Each window is initialized
+(say, to 1000 data cells). When a data cell is packaged or delivered,
+the appropriate window is decremented. When an OR has received enough
+data cells (currently 100), it sends a <em>relay sendme</em> cell towards the OP,
+with streamID zero. When an OR receives a <em>relay sendme</em> cell with
+streamID zero, it increments its packaging window. Either of these cells
+increments the corresponding window by 100. If the packaging window
+reaches 0, the OR stops reading from TCP connections for all streams
+on the corresponding circuit, and sends no more relay data cells until
+receiving a <em>relay sendme</em> cell.
+
+<div class="p"><!----></div>
+The OP behaves identically, except that it must track a packaging window
+and a delivery window for every OR in the circuit. If a packaging window
+reaches 0, it stops reading from streams destined for that OR.
+
+<div class="p"><!----></div>
+<b>Stream-level throttling</b>:
+The stream-level congestion control mechanism is similar to the
+circuit-level mechanism. ORs and OPs use <em>relay sendme</em> cells
+to implement end-to-end flow control for individual streams across
+circuits. Each stream begins with a packaging window (currently 500 cells),
+and increments the window by a fixed value (50) upon receiving a <em>relay
+sendme</em> cell. Rather than always returning a <em>relay sendme</em> cell as soon
+as enough cells have arrived, the stream-level congestion control also
+has to check whether data has been successfully flushed onto the TCP
+stream; it sends the <em>relay sendme</em> cell only when the number of bytes pending
+to be flushed is under some threshold (currently 10 cells' worth).
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+These arbitrarily chosen parameters seem to give tolerable throughput
+and delay; see Section&nbsp;<a href="#sec:in-the-wild">8</a>.
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc5">
+5</a>&nbsp;&nbsp;Rendezvous Points and hidden services</h2>
+<a name="sec:rendezvous">
+</a>
+
+<div class="p"><!----></div>
+Rendezvous points are a building block for <em>location-hidden
+services</em> (also known as <em>responder anonymity</em>) in the Tor
+network. Location-hidden services allow Bob to offer a TCP
+service, such as a webserver, without revealing his IP address.
+This type of anonymity protects against distributed DoS attacks:
+attackers are forced to attack the onion routing network
+because they do not know Bob's IP address.
+
+<div class="p"><!----></div>
+Our design for location-hidden servers has the following goals.
+<b>Access-control:</b> Bob needs a way to filter incoming requests,
+so an attacker cannot flood Bob simply by making many connections to him.
+<b>Robustness:</b> Bob should be able to maintain a long-term pseudonymous
+identity even in the presence of router failure. Bob's service must
+not be tied to a single OR, and Bob must be able to migrate his service
+across ORs. <b>Smear-resistance:</b>
+A social attacker
+should not be able to "frame" a rendezvous router by
+offering an illegal or disreputable location-hidden service and
+making observers believe the router created that service.
+<b>Application-transparency:</b> Although we require users
+to run special software to access location-hidden servers, we must not
+require them to modify their applications.
+
+<div class="p"><!----></div>
+We provide location-hiding for Bob by allowing him to advertise
+several onion routers (his <em>introduction points</em>) as contact
+points. He may do this on any robust efficient
+key-value lookup system with authenticated updates, such as a
+distributed hash table (DHT) like CFS&nbsp;[<a href="#cfs:sosp01" name="CITEcfs:sosp01">11</a>].<a href="#tthFtNtAAD" name="tthFrefAAD"><sup>3</sup></a> Alice, the client, chooses an OR as her
+<em>rendezvous point</em>. She connects to one of Bob's introduction
+points, informs him of her rendezvous point, and then waits for him
+to connect to the rendezvous point. This extra level of indirection
+helps Bob's introduction points avoid problems associated with serving
+unpopular files directly (for example, if Bob serves
+material that the introduction point's community finds objectionable,
+or if Bob's service tends to get attacked by network vandals).
+The extra level of indirection also allows Bob to respond to some requests
+and ignore others.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc5.1">
+5.1</a>&nbsp;&nbsp;Rendezvous points in Tor</h3>
+
+<div class="p"><!----></div>
+The following steps are
+performed on behalf of Alice and Bob by their local OPs;
+application integration is described more fully below.
+
+<div class="p"><!----></div>
+
+<dl compact="compact">
+
+ <dt><b></b></dt>
+ <dd><li>Bob generates a long-term public key pair to identify his service.</dd>
+ <dt><b></b></dt>
+ <dd><li>Bob chooses some introduction points, and advertises them on
+ the lookup service, signing the advertisement with his public key. He
+ can add more later.</dd>
+ <dt><b></b></dt>
+ <dd><li>Bob builds a circuit to each of his introduction points, and tells
+ them to wait for requests.</dd>
+ <dt><b></b></dt>
+ <dd><li>Alice learns about Bob's service out of band (perhaps Bob told her,
+ or she found it on a website). She retrieves the details of Bob's
+ service from the lookup service. If Alice wants to access Bob's
+ service anonymously, she must connect to the lookup service via Tor.</dd>
+ <dt><b></b></dt>
+ <dd><li>Alice chooses an OR as the rendezvous point (RP) for her connection to
+ Bob's service. She builds a circuit to the RP, and gives it a
+ randomly chosen "rendezvous cookie" to recognize Bob.</dd>
+ <dt><b></b></dt>
+ <dd><li>Alice opens an anonymous stream to one of Bob's introduction
+ points, and gives it a message (encrypted with Bob's public key)
+ telling it about herself,
+ her RP and rendezvous cookie, and the
+ start of a DH
+ handshake. The introduction point sends the message to Bob.</dd>
+ <dt><b></b></dt>
+ <dd><li>If Bob wants to talk to Alice, he builds a circuit to Alice's
+ RP and sends the rendezvous cookie, the second half of the DH
+ handshake, and a hash of the session
+ key they now share. By the same argument as in
+ Section&nbsp;<a href="#subsubsec:constructing-a-circuit">4.2</a>, Alice knows she
+ shares the key only with Bob.</dd>
+ <dt><b></b></dt>
+ <dd><li>The RP connects Alice's circuit to Bob's. Note that RP can't
+ recognize Alice, Bob, or the data they transmit.</dd>
+ <dt><b></b></dt>
+ <dd><li>Alice sends a <em>relay begin</em> cell along the circuit. It
+ arrives at Bob's OP, which connects to Bob's
+ webserver.</dd>
+ <dt><b></b></dt>
+ <dd><li>An anonymous stream has been established, and Alice and Bob
+ communicate as normal.
+</dd>
+</dl>
+
+<div class="p"><!----></div>
+When establishing an introduction point, Bob provides the onion router
+with the public key identifying his service. Bob signs his
+messages, so others cannot usurp his introduction point
+in the future. He uses the same public key to establish the other
+introduction points for his service, and periodically refreshes his
+entry in the lookup service.
+
+<div class="p"><!----></div>
+The message that Alice gives
+the introduction point includes a hash of Bob's public key and an optional initial authorization token (the
+introduction point can do prescreening, for example to block replays). Her
+message to Bob may include an end-to-end authorization token so Bob
+can choose whether to respond.
+The authorization tokens can be used to provide selective access:
+important users can get uninterrupted access.
+During normal situations, Bob's service might simply be offered
+directly from mirrors, while Bob gives out tokens to high-priority users. If
+the mirrors are knocked down,
+those users can switch to accessing Bob's service via
+the Tor rendezvous system.
+
+<div class="p"><!----></div>
+Bob's introduction points are themselves subject to DoS-he must
+open many introduction points or risk such an attack.
+He can provide selected users with a current list or future schedule of
+unadvertised introduction points;
+this is most practical
+if there is a stable and large group of introduction points
+available. Bob could also give secret public keys
+for consulting the lookup service. All of these approaches
+limit exposure even when
+some selected users collude in the DoS.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc5.2">
+5.2</a>&nbsp;&nbsp;Integration with user applications</h3>
+
+<div class="p"><!----></div>
+Bob configures his onion proxy to know the local IP address and port of his
+service, a strategy for authorizing clients, and his public key. The onion
+proxy anonymously publishes a signed statement of Bob's
+public key, an expiration time, and
+the current introduction points for his service onto the lookup service,
+indexed
+by the hash of his public key. Bob's webserver is unmodified,
+and doesn't even know that it's hidden behind the Tor network.
+
+<div class="p"><!----></div>
+Alice's applications also work unchanged-her client interface
+remains a SOCKS proxy. We encode all of the necessary information
+into the fully qualified domain name (FQDN) Alice uses when establishing her
+connection. Location-hidden services use a virtual top level domain
+called <tt>.onion</tt>: thus hostnames take the form <tt>x.y.onion</tt> where
+<tt>x</tt> is the authorization cookie and <tt>y</tt> encodes the hash of
+the public key. Alice's onion proxy
+examines addresses; if they're destined for a hidden server, it decodes
+the key and starts the rendezvous as described above.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc5.3">
+5.3</a>&nbsp;&nbsp;Previous rendezvous work</h3>
+
+<div class="p"><!----></div>
+Rendezvous points in low-latency anonymity systems were first
+described for use in ISDN telephony&nbsp;[<a href="#jerichow-jsac98" name="CITEjerichow-jsac98">30</a>,<a href="#isdn-mixes" name="CITEisdn-mixes">38</a>].
+Later low-latency designs used rendezvous points for hiding location
+of mobile phones and low-power location
+trackers&nbsp;[<a href="#federrath-ih96" name="CITEfederrath-ih96">23</a>,<a href="#reed-protocols97" name="CITEreed-protocols97">40</a>]. Rendezvous for
+anonymizing low-latency
+Internet connections was suggested in early Onion Routing
+work&nbsp;[<a href="#or-ih96" name="CITEor-ih96">27</a>], but the first published design was by Ian
+Goldberg&nbsp;[<a href="#ian-thesis" name="CITEian-thesis">26</a>]. His design differs from
+ours in three ways. First, Goldberg suggests that Alice should manually
+hunt down a current location of the service via Gnutella; our approach
+makes lookup transparent to the user, as well as faster and more robust.
+Second, in Tor the client and server negotiate session keys
+with Diffie-Hellman, so plaintext is not exposed even at the rendezvous
+point. Third,
+our design minimizes the exposure from running the
+service, to encourage volunteers to offer introduction and rendezvous
+services. Tor's introduction points do not output any bytes to the
+clients; the rendezvous points don't know the client or the server,
+and can't read the data being transmitted. The indirection scheme is
+also designed to include authentication/authorization-if Alice doesn't
+include the right cookie with her request for service, Bob need not even
+acknowledge his existence.
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc6">
+6</a>&nbsp;&nbsp;Other design decisions</h2>
+<a name="sec:other-design">
+</a>
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc6.1">
+6.1</a>&nbsp;&nbsp;Denial of service</h3>
+<a name="subsec:dos">
+</a>
+
+<div class="p"><!----></div>
+Providing Tor as a public service creates many opportunities for
+denial-of-service attacks against the network. While
+flow control and rate limiting (discussed in
+Section&nbsp;<a href="#subsec:congestion">4.6</a>) prevent users from consuming more
+bandwidth than routers are willing to provide, opportunities remain for
+users to
+consume more network resources than their fair share, or to render the
+network unusable for others.
+
+<div class="p"><!----></div>
+First of all, there are several CPU-consuming denial-of-service
+attacks wherein an attacker can force an OR to perform expensive
+cryptographic operations. For example, an attacker can
+fake the start of a TLS handshake, forcing the OR to carry out its
+(comparatively expensive) half of the handshake at no real computational
+cost to the attacker.
+
+<div class="p"><!----></div>
+We have not yet implemented any defenses for these attacks, but several
+approaches are possible. First, ORs can
+require clients to solve a puzzle&nbsp;[<a href="#puzzles-tls" name="CITEpuzzles-tls">16</a>] while beginning new
+TLS handshakes or accepting <em>create</em> cells. So long as these
+tokens are easy to verify and computationally expensive to produce, this
+approach limits the attack multiplier. Additionally, ORs can limit
+the rate at which they accept <em>create</em> cells and TLS connections,
+so that
+the computational work of processing them does not drown out the
+symmetric cryptography operations that keep cells
+flowing. This rate limiting could, however, allow an attacker
+to slow down other users when they build new circuits.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+Adversaries can also attack the Tor network's hosts and network
+links. Disrupting a single circuit or link breaks all streams passing
+along that part of the circuit. Users similarly lose service
+when a router crashes or its operator restarts it. The current
+Tor design treats such attacks as intermittent network failures, and
+depends on users and applications to respond or recover as appropriate. A
+future design could use an end-to-end TCP-like acknowledgment protocol,
+so no streams are lost unless the entry or exit point is
+disrupted. This solution would require more buffering at the network
+edges, however, and the performance and anonymity implications from this
+extra complexity still require investigation.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc6.2">
+6.2</a>&nbsp;&nbsp;Exit policies and abuse</h3>
+<a name="subsec:exitpolicies">
+</a>
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+Exit abuse is a serious barrier to wide-scale Tor deployment. Anonymity
+presents would-be vandals and abusers with an opportunity to hide
+the origins of their activities. Attackers can harm the Tor network by
+implicating exit servers for their abuse. Also, applications that commonly
+use IP-based authentication (such as institutional mail or webservers)
+can be fooled by the fact that anonymous connections appear to originate
+at the exit OR.
+
+<div class="p"><!----></div>
+We stress that Tor does not enable any new class of abuse. Spammers
+and other attackers already have access to thousands of misconfigured
+systems worldwide, and the Tor network is far from the easiest way
+to launch attacks.
+But because the
+onion routers can be mistaken for the originators of the abuse,
+and the volunteers who run them may not want to deal with the hassle of
+explaining anonymity networks to irate administrators, we must block or limit
+abuse through the Tor network.
+
+<div class="p"><!----></div>
+To mitigate abuse issues, each onion router's <em>exit policy</em>
+describes to which external addresses and ports the router will
+connect. On one end of the spectrum are <em>open exit</em>
+nodes that will connect anywhere. On the other end are <em>middleman</em>
+nodes that only relay traffic to other Tor nodes, and <em>private exit</em>
+nodes that only connect to a local host or network. A private
+exit can allow a client to connect to a given host or
+network more securely-an external adversary cannot eavesdrop traffic
+between the private exit and the final destination, and so is less sure of
+Alice's destination and activities. Most onion routers in the current
+network function as
+<em>restricted exits</em> that permit connections to the world at large,
+but prevent access to certain abuse-prone addresses and services such
+as SMTP.
+The OR might also be able to authenticate clients to
+prevent exit abuse without harming anonymity&nbsp;[<a href="#or-discex00" name="CITEor-discex00">48</a>].
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+Many administrators use port restrictions to support only a
+limited set of services, such as HTTP, SSH, or AIM.
+This is not a complete solution, of course, since abuse opportunities for these
+protocols are still well known.
+
+<div class="p"><!----></div>
+We have not yet encountered any abuse in the deployed network, but if
+we do we should consider using proxies to clean traffic for certain
+protocols as it leaves the network. For example, much abusive HTTP
+behavior (such as exploiting buffer overflows or well-known script
+vulnerabilities) can be detected in a straightforward manner.
+Similarly, one could run automatic spam filtering software (such as
+SpamAssassin) on email exiting the OR network.
+
+<div class="p"><!----></div>
+ORs may also rewrite exiting traffic to append
+headers or other information indicating that the traffic has passed
+through an anonymity service. This approach is commonly used
+by email-only anonymity systems. ORs can also
+run on servers with hostnames like <tt>anonymous</tt> to further
+alert abuse targets to the nature of the anonymous traffic.
+
+<div class="p"><!----></div>
+A mixture of open and restricted exit nodes allows the most
+flexibility for volunteers running servers. But while having many
+middleman nodes provides a large and robust network,
+having only a few exit nodes reduces the number of points
+an adversary needs to monitor for traffic analysis, and places a
+greater burden on the exit nodes. This tension can be seen in the
+Java Anon Proxy
+cascade model, wherein only one node in each cascade needs to handle
+abuse complaints-but an adversary only needs to observe the entry
+and exit of a cascade to perform traffic analysis on all that
+cascade's users. The hydra model (many entries, few exits) presents a
+different compromise: only a few exit nodes are needed, but an
+adversary needs to work harder to watch all the clients; see
+Section&nbsp;<a href="#sec:conclusion">10</a>.
+
+<div class="p"><!----></div>
+Finally, we note that exit abuse must not be dismissed as a peripheral
+issue: when a system's public image suffers, it can reduce the number
+and diversity of that system's users, and thereby reduce the anonymity
+of the system itself. Like usability, public perception is a
+security parameter. Sadly, preventing abuse of open exit nodes is an
+unsolved problem, and will probably remain an arms race for the
+foreseeable future. The abuse problems faced by Princeton's CoDeeN
+project&nbsp;[<a href="#darkside" name="CITEdarkside">37</a>] give us a glimpse of likely issues.
+
+<div class="p"><!----></div>
+ <h3><a name="tth_sEc6.3">
+6.3</a>&nbsp;&nbsp;Directory Servers</h3>
+<a name="subsec:dirservers">
+</a>
+
+<div class="p"><!----></div>
+First-generation Onion Routing designs&nbsp;[<a href="#freedom2-arch" name="CITEfreedom2-arch">8</a>,<a href="#or-jsac98" name="CITEor-jsac98">41</a>] used
+in-band network status updates: each router flooded a signed statement
+to its neighbors, which propagated it onward. But anonymizing networks
+have different security goals than typical link-state routing protocols.
+For example, delays (accidental or intentional)
+that can cause different parts of the network to have different views
+of link-state and topology are not only inconvenient: they give
+attackers an opportunity to exploit differences in client knowledge.
+We also worry about attacks to deceive a
+client about the router membership list, topology, or current network
+state. Such <em>partitioning attacks</em> on client knowledge help an
+adversary to efficiently deploy resources
+against a target&nbsp;[<a href="#minion-design" name="CITEminion-design">15</a>].
+
+<div class="p"><!----></div>
+Tor uses a small group of redundant, well-known onion routers to
+track changes in network topology and node state, including keys and
+exit policies. Each such <em>directory server</em> acts as an HTTP
+server, so clients can fetch current network state
+and router lists, and so other ORs can upload
+state information. Onion routers periodically publish signed
+statements of their state to each directory server. The directory servers
+combine this information with their own views of network liveness,
+and generate a signed description (a <em>directory</em>) of the entire
+network state. Client software is
+pre-loaded with a list of the directory servers and their keys,
+to bootstrap each client's view of the network.
+
+<div class="p"><!----></div>
+When a directory server receives a signed statement for an OR, it
+checks whether the OR's identity key is recognized. Directory
+servers do not advertise unrecognized ORs-if they did,
+an adversary could take over the network by creating many
+servers&nbsp;[<a href="#sybil" name="CITEsybil">22</a>]. Instead, new nodes must be approved by the
+directory
+server administrator before they are included. Mechanisms for automated
+node approval are an area of active research, and are discussed more
+in Section&nbsp;<a href="#sec:maintaining-anonymity">9</a>.
+
+<div class="p"><!----></div>
+Of course, a variety of attacks remain. An adversary who controls
+a directory server can track clients by providing them different
+information-perhaps by listing only nodes under its control, or by
+informing only certain clients about a given node. Even an external
+adversary can exploit differences in client knowledge: clients who use
+a node listed on one directory server but not the others are vulnerable.
+
+<div class="p"><!----></div>
+Thus these directory servers must be synchronized and redundant, so
+that they can agree on a common directory. Clients should only trust
+this directory if it is signed by a threshold of the directory
+servers.
+
+<div class="p"><!----></div>
+The directory servers in Tor are modeled after those in
+Mixminion&nbsp;[<a href="#minion-design" name="CITEminion-design">15</a>], but our situation is easier. First,
+we make the
+simplifying assumption that all participants agree on the set of
+directory servers. Second, while Mixminion needs to predict node
+behavior, Tor only needs a threshold consensus of the current
+state of the network. Third, we assume that we can fall back to the
+human administrators to discover and resolve problems when a consensus
+directory cannot be reached. Since there are relatively few directory
+servers (currently 3, but we expect as many as 9 as the network scales),
+we can afford operations like broadcast to simplify the consensus-building
+protocol.
+
+<div class="p"><!----></div>
+To avoid attacks where a router connects to all the directory servers
+but refuses to relay traffic from other routers, the directory servers
+must also build circuits and use them to anonymously test router
+reliability&nbsp;[<a href="#mix-acc" name="CITEmix-acc">18</a>]. Unfortunately, this defense is not yet
+designed or
+implemented.
+
+<div class="p"><!----></div>
+Using directory servers is simpler and more flexible than flooding.
+Flooding is expensive, and complicates the analysis when we
+start experimenting with non-clique network topologies. Signed
+directories can be cached by other
+onion routers,
+so directory servers are not a performance
+bottleneck when we have many users, and do not aid traffic analysis by
+forcing clients to announce their existence to any
+central point.
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc7">
+7</a>&nbsp;&nbsp;Attacks and Defenses</h2>
+<a name="sec:attacks">
+</a>
+
+<div class="p"><!----></div>
+Below we summarize a variety of attacks, and discuss how well our
+design withstands them.<br />
+
+<div class="p"><!----></div>
+<font size="+1"><b>Passive attacks</b></font><br />
+<em>Observing user traffic patterns.</em> Observing a user's connection
+will not reveal her destination or data, but it will
+reveal traffic patterns (both sent and received). Profiling via user
+connection patterns requires further processing, because multiple
+application streams may be operating simultaneously or in series over
+a single circuit.
+
+<div class="p"><!----></div>
+<em>Observing user content.</em> While content at the user end is encrypted,
+connections to responders may not be (indeed, the responding website
+itself may be hostile). While filtering content is not a primary goal
+of Onion Routing, Tor can directly use Privoxy and related
+filtering services to anonymize application data streams.
+
+<div class="p"><!----></div>
+<em>Option distinguishability.</em> We allow clients to choose
+configuration options. For example, clients concerned about request
+linkability should rotate circuits more often than those concerned
+about traceability. Allowing choice may attract users with different
+needs; but clients who are
+in the minority may lose more anonymity by appearing distinct than they
+gain by optimizing their behavior&nbsp;[<a href="#econymics" name="CITEeconymics">1</a>].
+
+<div class="p"><!----></div>
+<em>End-to-end timing correlation.</em> Tor only minimally hides
+such correlations. An attacker watching patterns of
+traffic at the initiator and the responder will be
+able to confirm the correspondence with high probability. The
+greatest protection currently available against such confirmation is to hide
+the connection between the onion proxy and the first Tor node,
+by running the OP on the Tor node or behind a firewall. This approach
+requires an observer to separate traffic originating at the onion
+router from traffic passing through it: a global observer can do this,
+but it might be beyond a limited observer's capabilities.
+
+<div class="p"><!----></div>
+<em>End-to-end size correlation.</em> Simple packet counting
+will also be effective in confirming
+endpoints of a stream. However, even without padding, we may have some
+limited protection: the leaky pipe topology means different numbers
+of packets may enter one end of a circuit than exit at the other.
+
+<div class="p"><!----></div>
+<em>Website fingerprinting.</em> All the effective passive
+attacks above are traffic confirmation attacks,
+which puts them outside our design goals. There is also
+a passive traffic analysis attack that is potentially effective.
+Rather than searching exit connections for timing and volume
+correlations, the adversary may build up a database of
+"fingerprints" containing file sizes and access patterns for
+targeted websites. He can later confirm a user's connection to a given
+site simply by consulting the database. This attack has
+been shown to be effective against SafeWeb&nbsp;[<a href="#hintz-pet02" name="CITEhintz-pet02">29</a>].
+It may be less effective against Tor, since
+streams are multiplexed within the same circuit, and
+fingerprinting will be limited to
+the granularity of cells (currently 512 bytes). Additional
+defenses could include
+larger cell sizes, padding schemes to group websites
+into large sets, and link
+padding or long-range dummies.<a href="#tthFtNtAAE" name="tthFrefAAE"><sup>4</sup></a><br />
+
+<div class="p"><!----></div>
+<font size="+1"><b>Active attacks</b></font><br />
+<em>Compromise keys.</em> An attacker who learns the TLS session key can
+see control cells and encrypted relay cells on every circuit on that
+connection; learning a circuit
+session key lets him unwrap one layer of the encryption. An attacker
+who learns an OR's TLS private key can impersonate that OR for the TLS
+key's lifetime, but he must
+also learn the onion key to decrypt <em>create</em> cells (and because of
+perfect forward secrecy, he cannot hijack already established circuits
+without also compromising their session keys). Periodic key rotation
+limits the window of opportunity for these attacks. On the other hand,
+an attacker who learns a node's identity key can replace that node
+indefinitely by sending new forged descriptors to the directory servers.
+
+<div class="p"><!----></div>
+<em>Iterated compromise.</em> A roving adversary who can
+compromise ORs (by system intrusion, legal coercion, or extralegal
+coercion) could march down the circuit compromising the
+nodes until he reaches the end. Unless the adversary can complete
+this attack within the lifetime of the circuit, however, the ORs
+will have discarded the necessary information before the attack can
+be completed. (Thanks to the perfect forward secrecy of session
+keys, the attacker cannot force nodes to decrypt recorded
+traffic once the circuits have been closed.) Additionally, building
+circuits that cross jurisdictions can make legal coercion
+harder-this phenomenon is commonly called "jurisdictional
+arbitrage." The Java Anon Proxy project recently experienced the
+need for this approach, when
+a German court forced them to add a backdoor to
+their nodes&nbsp;[<a href="#jap-backdoor" name="CITEjap-backdoor">51</a>].
+
+<div class="p"><!----></div>
+<em>Run a recipient.</em> An adversary running a webserver
+trivially learns the timing patterns of users connecting to it, and
+can introduce arbitrary patterns in its responses.
+End-to-end attacks become easier: if the adversary can induce
+users to connect to his webserver (perhaps by advertising
+content targeted to those users), he now holds one end of their
+connection. There is also a danger that application
+protocols and associated programs can be induced to reveal information
+about the initiator. Tor depends on Privoxy and similar protocol cleaners
+to solve this latter problem.
+
+<div class="p"><!----></div>
+<em>Run an onion proxy.</em> It is expected that end users will
+nearly always run their own local onion proxy. However, in some
+settings, it may be necessary for the proxy to run
+remotely-typically, in institutions that want
+to monitor the activity of those connecting to the proxy.
+Compromising an onion proxy compromises all future connections
+through it.
+
+<div class="p"><!----></div>
+<em>DoS non-observed nodes.</em> An observer who can only watch some
+of the Tor network can increase the value of this traffic
+by attacking non-observed nodes to shut them down, reduce
+their reliability, or persuade users that they are not trustworthy.
+The best defense here is robustness.
+
+<div class="p"><!----></div>
+<em>Run a hostile OR.</em> In addition to being a local observer,
+an isolated hostile node can create circuits through itself, or alter
+traffic patterns to affect traffic at other nodes. Nonetheless, a hostile
+node must be immediately adjacent to both endpoints to compromise the
+anonymity of a circuit. If an adversary can
+run multiple ORs, and can persuade the directory servers
+that those ORs are trustworthy and independent, then occasionally
+some user will choose one of those ORs for the start and another
+as the end of a circuit. If an adversary
+controls m &gt; 1 of N nodes, he can correlate at most
+([m/N])<sup>2</sup> of the traffic-although an
+adversary
+could still attract a disproportionately large amount of traffic
+by running an OR with a permissive exit policy, or by
+degrading the reliability of other routers.
+
+<div class="p"><!----></div>
+<em>Introduce timing into messages.</em> This is simply a stronger
+version of passive timing attacks already discussed earlier.
+
+<div class="p"><!----></div>
+<em>Tagging attacks.</em> A hostile node could "tag" a
+cell by altering it. If the
+stream were, for example, an unencrypted request to a Web site,
+the garbled content coming out at the appropriate time would confirm
+the association. However, integrity checks on cells prevent
+this attack.
+
+<div class="p"><!----></div>
+<em>Replace contents of unauthenticated protocols.</em> When
+relaying an unauthenticated protocol like HTTP, a hostile exit node
+can impersonate the target server. Clients
+should prefer protocols with end-to-end authentication.
+
+<div class="p"><!----></div>
+<em>Replay attacks.</em> Some anonymity protocols are vulnerable
+to replay attacks. Tor is not; replaying one side of a handshake
+will result in a different negotiated session key, and so the rest
+of the recorded session can't be used.
+
+<div class="p"><!----></div>
+<em>Smear attacks.</em> An attacker could use the Tor network for
+socially disapproved acts, to bring the
+network into disrepute and get its operators to shut it down.
+Exit policies reduce the possibilities for abuse, but
+ultimately the network requires volunteers who can tolerate
+some political heat.
+
+<div class="p"><!----></div>
+<em>Distribute hostile code.</em> An attacker could trick users
+into running subverted Tor software that did not, in fact, anonymize
+their connections-or worse, could trick ORs into running weakened
+software that provided users with less anonymity. We address this
+problem (but do not solve it completely) by signing all Tor releases
+with an official public key, and including an entry in the directory
+that lists which versions are currently believed to be secure. To
+prevent an attacker from subverting the official release itself
+(through threats, bribery, or insider attacks), we provide all
+releases in source code form, encourage source audits, and
+frequently warn our users never to trust any software (even from
+us) that comes without source.<br />
+
+<div class="p"><!----></div>
+<font size="+1"><b>Directory attacks</b></font><br />
+<em>Destroy directory servers.</em> If a few directory
+servers disappear, the others still decide on a valid
+directory. So long as any directory servers remain in operation,
+they will still broadcast their views of the network and generate a
+consensus directory. (If more than half are destroyed, this
+directory will not, however, have enough signatures for clients to
+use it automatically; human intervention will be necessary for
+clients to decide whether to trust the resulting directory.)
+
+<div class="p"><!----></div>
+<em>Subvert a directory server.</em> By taking over a directory server,
+an attacker can partially influence the final directory. Since ORs
+are included or excluded by majority vote, the corrupt directory can
+at worst cast a tie-breaking vote to decide whether to include
+marginal ORs. It remains to be seen how often such marginal cases
+occur in practice.
+
+<div class="p"><!----></div>
+<em>Subvert a majority of directory servers.</em> An adversary who controls
+more than half the directory servers can include as many compromised
+ORs in the final directory as he wishes. We must ensure that directory
+server operators are independent and attack-resistant.
+
+<div class="p"><!----></div>
+<em>Encourage directory server dissent.</em> The directory
+agreement protocol assumes that directory server operators agree on
+the set of directory servers. An adversary who can persuade some
+of the directory server operators to distrust one another could
+split the quorum into mutually hostile camps, thus partitioning
+users based on which directory they use. Tor does not address
+this attack.
+
+<div class="p"><!----></div>
+<em>Trick the directory servers into listing a hostile OR.</em>
+Our threat model explicitly assumes directory server operators will
+be able to filter out most hostile ORs.
+
+<div class="p"><!----></div>
+<em>Convince the directories that a malfunctioning OR is
+working.</em> In the current Tor implementation, directory servers
+assume that an OR is running correctly if they can start a TLS
+connection to it. A hostile OR could easily subvert this test by
+accepting TLS connections from ORs but ignoring all cells. Directory
+servers must actively test ORs by building circuits and streams as
+appropriate. The tradeoffs of a similar approach are discussed
+in&nbsp;[<a href="#mix-acc" name="CITEmix-acc">18</a>].<br />
+
+<div class="p"><!----></div>
+<font size="+1"><b>Attacks against rendezvous points</b></font><br />
+<em>Make many introduction requests.</em> An attacker could
+try to deny Bob service by flooding his introduction points with
+requests. Because the introduction points can block requests that
+lack authorization tokens, however, Bob can restrict the volume of
+requests he receives, or require a certain amount of computation for
+every request he receives.
+
+<div class="p"><!----></div>
+<em>Attack an introduction point.</em> An attacker could
+disrupt a location-hidden service by disabling its introduction
+points. But because a service's identity is attached to its public
+key, the service can simply re-advertise
+itself at a different introduction point. Advertisements can also be
+done secretly so that only high-priority clients know the address of
+Bob's introduction points or so that different clients know of different
+introduction points. This forces the attacker to disable all possible
+introduction points.
+
+<div class="p"><!----></div>
+<em>Compromise an introduction point.</em> An attacker who controls
+Bob's introduction point can flood Bob with
+introduction requests, or prevent valid introduction requests from
+reaching him. Bob can notice a flood, and close the circuit. To notice
+blocking of valid requests, however, he should periodically test the
+introduction point by sending rendezvous requests and making
+sure he receives them.
+
+<div class="p"><!----></div>
+<em>Compromise a rendezvous point.</em> A rendezvous
+point is no more sensitive than any other OR on
+a circuit, since all data passing through the rendezvous is encrypted
+with a session key shared by Alice and Bob.
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc8">
+8</a>&nbsp;&nbsp;Early experiences: Tor in the Wild</h2>
+<a name="sec:in-the-wild">
+</a>
+
+<div class="p"><!----></div>
+As of mid-May 2004, the Tor network consists of 32 nodes
+(24 in the US, 8 in Europe), and more are joining each week as the code
+matures. (For comparison, the current remailer network
+has about 40 nodes.) Each node has at least a 768Kb/768Kb connection, and
+many have 10Mb. The number of users varies (and of course, it's hard to
+tell for sure), but we sometimes have several hundred users-administrators at
+several companies have begun sending their entire departments' web
+traffic through Tor, to block other divisions of
+their company from reading their traffic. Tor users have reported using
+the network for web browsing, FTP, IRC, AIM, Kazaa, SSH, and
+recipient-anonymous email via rendezvous points. One user has anonymously
+set up a Wiki as a hidden service, where other users anonymously publish
+the addresses of their hidden services.
+
+<div class="p"><!----></div>
+Each Tor node currently processes roughly 800,000 relay
+cells (a bit under half a gigabyte) per week. On average, about 80%
+of each 498-byte payload is full for cells going back to the client,
+whereas about 40% is full for cells coming from the client. (The difference
+arises because most of the network's traffic is web browsing.) Interactive
+traffic like SSH brings down the average a lot-once we have more
+experience, and assuming we can resolve the anonymity issues, we may
+partition traffic into two relay cell sizes: one to handle
+bulk traffic and one for interactive traffic.
+
+<div class="p"><!----></div>
+Based in part on our restrictive default exit policy (we
+reject SMTP requests) and our low profile, we have had no abuse
+issues since the network was deployed in October
+2003. Our slow growth rate gives us time to add features,
+resolve bugs, and get a feel for what users actually want from an
+anonymity system. Even though having more users would bolster our
+anonymity sets, we are not eager to attract the Kazaa or warez
+communities-we feel that we must build a reputation for privacy, human
+rights, research, and other socially laudable activities.
+
+<div class="p"><!----></div>
+As for performance, profiling shows that Tor spends almost
+all its CPU time in AES, which is fast. Current latency is attributable
+to two factors. First, network latency is critical: we are
+intentionally bouncing traffic around the world several times. Second,
+our end-to-end congestion control algorithm focuses on protecting
+volunteer servers from accidental DoS rather than on optimizing
+performance. To quantify these effects, we did some informal tests using a network of 4
+nodes on the same machine (a heavily loaded 1GHz Athlon). We downloaded a 60
+megabyte file from <tt>debian.org</tt> every 30 minutes for 54 hours (108 sample
+points). It arrived in about 300 seconds on average, compared to 210s for a
+direct download. We ran a similar test on the production Tor network,
+fetching the front page of <tt>cnn.com</tt> (55 kilobytes):
+while a direct
+download consistently took about 0.3s, the performance through Tor varied.
+Some downloads were as fast as 0.4s, with a median at 2.8s, and
+90% finishing within 5.3s. It seems that as the network expands, the chance
+of building a slow circuit (one that includes a slow or heavily loaded node
+or link) is increasing. On the other hand, as our users remain satisfied
+with this increased latency, we can address our performance incrementally as we
+proceed with development.
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+Although Tor's clique topology and full-visibility directories present
+scaling problems, we still expect the network to support a few hundred
+nodes and maybe 10,000 users before we're forced to become
+more distributed. With luck, the experience we gain running the current
+topology will help us choose among alternatives when the time comes.
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc9">
+9</a>&nbsp;&nbsp;Open Questions in Low-latency Anonymity</h2>
+<a name="sec:maintaining-anonymity">
+</a>
+
+<div class="p"><!----></div>
+In addition to the non-goals in
+Section&nbsp;<a href="#subsec:non-goals">3</a>, many questions must be solved
+before we can be confident of Tor's security.
+
+<div class="p"><!----></div>
+Many of these open issues are questions of balance. For example,
+how often should users rotate to fresh circuits? Frequent rotation
+is inefficient, expensive, and may lead to intersection attacks and
+predecessor attacks&nbsp;[<a href="#wright03" name="CITEwright03">54</a>], but infrequent rotation makes the
+user's traffic linkable. Besides opening fresh circuits, clients can
+also exit from the middle of the circuit,
+or truncate and re-extend the circuit. More analysis is
+needed to determine the proper tradeoff.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+How should we choose path lengths? If Alice always uses two hops,
+then both ORs can be certain that by colluding they will learn about
+Alice and Bob. In our current approach, Alice always chooses at least
+three nodes unrelated to herself and her destination.
+Should Alice choose a random path length (e.g.&nbsp;from a geometric
+distribution) to foil an attacker who
+uses timing to learn that he is the fifth hop and thus concludes that
+both Alice and the responder are running ORs?
+
+<div class="p"><!----></div>
+Throughout this paper, we have assumed that end-to-end traffic
+confirmation will immediately and automatically defeat a low-latency
+anonymity system. Even high-latency anonymity systems can be
+vulnerable to end-to-end traffic confirmation, if the traffic volumes
+are high enough, and if users' habits are sufficiently
+distinct&nbsp;[<a href="#statistical-disclosure" name="CITEstatistical-disclosure">14</a>,<a href="#limits-open" name="CITElimits-open">31</a>]. Can anything be
+done to
+make low-latency systems resist these attacks as well as high-latency
+systems? Tor already makes some effort to conceal the starts and ends of
+streams by wrapping long-range control commands in identical-looking
+relay cells. Link padding could frustrate passive observers who count
+packets; long-range padding could work against observers who own the
+first hop in a circuit. But more research remains to find an efficient
+and practical approach. Volunteers prefer not to run constant-bandwidth
+padding; but no convincing traffic shaping approach has been
+specified. Recent work on long-range padding&nbsp;[<a href="#defensive-dropping" name="CITEdefensive-dropping">33</a>]
+shows promise. One could also try to reduce correlation in packet timing
+by batching and re-ordering packets, but it is unclear whether this could
+improve anonymity without introducing so much latency as to render the
+network unusable.
+
+<div class="p"><!----></div>
+A cascade topology may better defend against traffic confirmation by
+aggregating users, and making padding and
+mixing more affordable. Does the hydra topology (many input nodes,
+few output nodes) work better against some adversaries? Are we going
+to get a hydra anyway because most nodes will be middleman nodes?
+
+<div class="p"><!----></div>
+Common wisdom suggests that Alice should run her own OR for best
+anonymity, because traffic coming from her node could plausibly have
+come from elsewhere. How much mixing does this approach need? Is it
+immediately beneficial because of real-world adversaries that can't
+observe Alice's router, but can run routers of their own?
+
+<div class="p"><!----></div>
+To scale to many users, and to prevent an attacker from observing the
+whole network, it may be necessary
+to support far more servers than Tor currently anticipates.
+This introduces several issues. First, if approval by a central set
+of directory servers is no longer feasible, what mechanism should be used
+to prevent adversaries from signing up many colluding servers? Second,
+if clients can no longer have a complete picture of the network,
+how can they perform discovery while preventing attackers from
+manipulating or exploiting gaps in their knowledge? Third, if there
+are too many servers for every server to constantly communicate with
+every other, which non-clique topology should the network use?
+(Restricted-route topologies promise comparable anonymity with better
+scalability&nbsp;[<a href="#danezis-pets03" name="CITEdanezis-pets03">13</a>], but whatever topology we choose, we
+need some way to keep attackers from manipulating their position within
+it&nbsp;[<a href="#casc-rep" name="CITEcasc-rep">21</a>].) Fourth, if no central authority is tracking
+server reliability, how do we stop unreliable servers from making
+the network unusable? Fifth, do clients receive so much anonymity
+from running their own ORs that we should expect them all to do
+so&nbsp;[<a href="#econymics" name="CITEeconymics">1</a>], or do we need another incentive structure to
+motivate them? Tarzan and MorphMix present possible solutions.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+When a Tor node goes down, all its circuits (and thus streams) must break.
+Will users abandon the system because of this brittleness? How well
+does the method in Section&nbsp;<a href="#subsec:dos">6.1</a> allow streams to survive
+node failure? If affected users rebuild circuits immediately, how much
+anonymity is lost? It seems the problem is even worse in a peer-to-peer
+environment-such systems don't yet provide an incentive for peers to
+stay connected when they're done retrieving content, so we would expect
+a higher churn rate.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc10">
+10</a>&nbsp;&nbsp;Future Directions</h2>
+<a name="sec:conclusion">
+</a>
+
+<div class="p"><!----></div>
+Tor brings together many innovations into a unified deployable system. The
+next immediate steps include:
+
+<div class="p"><!----></div>
+<em>Scalability:</em> Tor's emphasis on deployability and design simplicity
+has led us to adopt a clique topology, semi-centralized
+directories, and a full-network-visibility model for client
+knowledge. These properties will not scale past a few hundred servers.
+Section&nbsp;<a href="#sec:maintaining-anonymity">9</a> describes some promising
+approaches, but more deployment experience will be helpful in learning
+the relative importance of these bottlenecks.
+
+<div class="p"><!----></div>
+<em>Bandwidth classes:</em> This paper assumes that all ORs have
+good bandwidth and latency. We should instead adopt the MorphMix model,
+where nodes advertise their bandwidth level (DSL, T1, T3), and
+Alice avoids bottlenecks by choosing nodes that match or
+exceed her bandwidth. In this way DSL users can usefully join the Tor
+network.
+
+<div class="p"><!----></div>
+<em>Incentives:</em> Volunteers who run nodes are rewarded with publicity
+and possibly better anonymity&nbsp;[<a href="#econymics" name="CITEeconymics">1</a>]. More nodes means increased
+scalability, and more users can mean more anonymity. We need to continue
+examining the incentive structures for participating in Tor. Further,
+we need to explore more approaches to limiting abuse, and understand
+why most people don't bother using privacy systems.
+
+<div class="p"><!----></div>
+<em>Cover traffic:</em> Currently Tor omits cover traffic-its costs
+in performance and bandwidth are clear but its security benefits are
+not well understood. We must pursue more research on link-level cover
+traffic and long-range cover traffic to determine whether some simple padding
+method offers provable protection against our chosen adversary.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+<em>Caching at exit nodes:</em> Perhaps each exit node should run a
+caching web proxy&nbsp;[<a href="#shsm03" name="CITEshsm03">47</a>], to improve anonymity for cached pages
+(Alice's request never
+leaves the Tor network), to improve speed, and to reduce bandwidth cost.
+On the other hand, forward security is weakened because caches
+constitute a record of retrieved files. We must find the right
+balance between usability and security.
+
+<div class="p"><!----></div>
+<em>Better directory distribution:</em>
+Clients currently download a description of
+the entire network every 15 minutes. As the state grows larger
+and clients more numerous, we may need a solution in which
+clients receive incremental updates to directory state.
+More generally, we must find more
+scalable yet practical ways to distribute up-to-date snapshots of
+network status without introducing new attacks.
+
+<div class="p"><!----></div>
+<em>Further specification review:</em> Our public
+byte-level specification&nbsp;[<a href="#tor-spec" name="CITEtor-spec">20</a>] needs
+external review. We hope that as Tor
+is deployed, more people will examine its
+specification.
+
+<div class="p"><!----></div>
+<em>Multisystem interoperability:</em> We are currently working with the
+designer of MorphMix to unify the specification and implementation of
+the common elements of our two systems. So far, this seems
+to be relatively straightforward. Interoperability will allow testing
+and direct comparison of the two designs for trust and scalability.
+
+<div class="p"><!----></div>
+<em>Wider-scale deployment:</em> The original goal of Tor was to
+gain experience in deploying an anonymizing overlay network, and
+learn from having actual users. We are now at a point in design
+and development where we can start deploying a wider network. Once
+we have many actual users, we will doubtlessly be better
+able to evaluate some of our design decisions, including our
+robustness/latency tradeoffs, our performance tradeoffs (including
+cell size), our abuse-prevention mechanisms, and
+our overall usability.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+
+<h2>Acknowledgments</h2>
+ We thank Peter Palfrader, Geoff Goodell, Adam Shostack, Joseph Sokol-Margolis,
+ John Bashinski, and Zack Brown
+ for editing and comments;
+ Matej Pfajfar, Andrei Serjantov, Marc Rennhard for design discussions;
+ Bram Cohen for congestion control discussions;
+ Adam Back for suggesting telescoping circuits; and
+ Cathy Meadows for formal analysis of the <em>extend</em> protocol.
+ This work has been supported by ONR and DARPA.
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+
+<div class="p"><!----></div>
+<h2>References</h2>
+
+<dl compact="compact">
+<font size="-1"></font> <dt><a href="#CITEeconymics" name="econymics">[1]</a></dt><dd>
+A.&nbsp;Acquisti, R.&nbsp;Dingledine, and P.&nbsp;Syverson.
+ On the economics of anonymity.
+ In R.&nbsp;N. Wright, editor, <em>Financial Cryptography</em>.
+ Springer-Verlag, LNCS 2742, 2003.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEeternity" name="eternity">[2]</a></dt><dd>
+R.&nbsp;Anderson.
+ The eternity service.
+ In <em>Pragocrypt '96</em>, 1996.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEanonymizer" name="anonymizer">[3]</a></dt><dd>
+The Anonymizer.
+ <tt>&lt;http://anonymizer.com/&#62;.
+
+<div class="p"><!----></div>
+</tt></dd>
+ <dt><a href="#CITEfreedom21-security" name="freedom21-security">[4]</a></dt><dd>
+A.&nbsp;Back, I.&nbsp;Goldberg, and A.&nbsp;Shostack.
+ Freedom systems 2.1 security issues and analysis.
+ White paper, Zero Knowledge Systems, Inc., May 2001.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEback01" name="back01">[5]</a></dt><dd>
+A.&nbsp;Back, U.&nbsp;M&#246;ller, and A.&nbsp;Stiglic.
+ Traffic analysis attacks and trade-offs in anonymity providing
+ systems.
+ In I.&nbsp;S. Moskowitz, editor, <em>Information Hiding (IH 2001)</em>, pages
+ 245-257. Springer-Verlag, LNCS 2137, 2001.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEeax" name="eax">[6]</a></dt><dd>
+M.&nbsp;Bellare, P.&nbsp;Rogaway, and D.&nbsp;Wagner.
+ The EAX mode of operation: A two-pass authenticated-encryption
+ scheme optimized for simplicity and efficiency.
+ In <em>Fast Software Encryption 2004</em>, February 2004.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEweb-mix" name="web-mix">[7]</a></dt><dd>
+O.&nbsp;Berthold, H.&nbsp;Federrath, and S.&nbsp;K&#246;psell.
+ Web MIXes: A system for anonymous and unobservable Internet
+ access.
+ In H.&nbsp;Federrath, editor, <em>Designing Privacy Enhancing
+ Technologies: Workshop on Design Issue in Anonymity and Unobservability</em>.
+ Springer-Verlag, LNCS 2009, 2000.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEfreedom2-arch" name="freedom2-arch">[8]</a></dt><dd>
+P.&nbsp;Boucher, A.&nbsp;Shostack, and I.&nbsp;Goldberg.
+ Freedom systems 2.0 architecture.
+ White paper, Zero Knowledge Systems, Inc., December 2000.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEcebolla" name="cebolla">[9]</a></dt><dd>
+Z.&nbsp;Brown.
+ Cebolla: Pragmatic IP Anonymity.
+ In <em>Ottawa Linux Symposium</em>, June 2002.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEchaum-mix" name="chaum-mix">[10]</a></dt><dd>
+D.&nbsp;Chaum.
+ Untraceable electronic mail, return addresses, and digital
+ pseudo-nyms.
+ <em>Communications of the ACM</em>, 4(2), February 1981.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEcfs:sosp01" name="cfs:sosp01">[11]</a></dt><dd>
+F.&nbsp;Dabek, M.&nbsp;F. Kaashoek, D.&nbsp;Karger, R.&nbsp;Morris, and I.&nbsp;Stoica.
+ Wide-area cooperative storage with CFS.
+ In <em>18th ACM Symposium on Operating Systems Principles
+ (SOSP '01)</em>, Chateau Lake Louise, Banff, Canada, October 2001.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEpipenet" name="pipenet">[12]</a></dt><dd>
+W.&nbsp;Dai.
+ Pipenet 1.1.
+ Usenet post, August 1996.
+ <tt>&lt;http://www.eskimo.com/&nbsp;weidai/pipenet.txt&#62; First mentioned in a
+ post to the cypherpunks list, Feb.&nbsp;1995.
+
+<div class="p"><!----></div>
+</tt></dd>
+ <dt><a href="#CITEdanezis-pets03" name="danezis-pets03">[13]</a></dt><dd>
+G.&nbsp;Danezis.
+ Mix-networks with restricted routes.
+ In R.&nbsp;Dingledine, editor, <em>Privacy Enhancing Technologies (PET
+ 2003)</em>. Springer-Verlag LNCS 2760, 2003.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEstatistical-disclosure" name="statistical-disclosure">[14]</a></dt><dd>
+G.&nbsp;Danezis.
+ Statistical disclosure attacks.
+ In <em>Security and Privacy in the Age of Uncertainty (SEC2003)</em>,
+ pages 421-426, Athens, May 2003. IFIP TC11, Kluwer.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEminion-design" name="minion-design">[15]</a></dt><dd>
+G.&nbsp;Danezis, R.&nbsp;Dingledine, and N.&nbsp;Mathewson.
+ Mixminion: Design of a type III anonymous remailer protocol.
+ In <em>2003 IEEE Symposium on Security and Privacy</em>, pages 2-15.
+ IEEE CS, May 2003.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEpuzzles-tls" name="puzzles-tls">[16]</a></dt><dd>
+D.&nbsp;Dean and A.&nbsp;Stubblefield.
+ Using Client Puzzles to Protect TLS.
+ In <em>Proceedings of the 10th USENIX Security Symposium</em>. USENIX,
+ Aug. 2001.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITETLS" name="TLS">[17]</a></dt><dd>
+T.&nbsp;Dierks and C.&nbsp;Allen.
+ The TLS Protocol - Version 1.0.
+ IETF RFC 2246, January 1999.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEmix-acc" name="mix-acc">[18]</a></dt><dd>
+R.&nbsp;Dingledine, M.&nbsp;J. Freedman, D.&nbsp;Hopwood, and D.&nbsp;Molnar.
+ A Reputation System to Increase MIX-net Reliability.
+ In I.&nbsp;S. Moskowitz, editor, <em>Information Hiding (IH 2001)</em>, pages
+ 126-141. Springer-Verlag, LNCS 2137, 2001.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEfreehaven-berk" name="freehaven-berk">[19]</a></dt><dd>
+R.&nbsp;Dingledine, M.&nbsp;J. Freedman, and D.&nbsp;Molnar.
+ The free haven project: Distributed anonymous storage service.
+ In H.&nbsp;Federrath, editor, <em>Designing Privacy Enhancing
+ Technologies: Workshop on Design Issue in Anonymity and Unobservability</em>.
+ Springer-Verlag, LNCS 2009, July 2000.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEtor-spec" name="tor-spec">[20]</a></dt><dd>
+R.&nbsp;Dingledine and N.&nbsp;Mathewson.
+ Tor protocol specifications.
+ <tt>&lt;http://freehaven.net/tor/tor-spec.txt&#62;.
+
+<div class="p"><!----></div>
+</tt></dd>
+ <dt><a href="#CITEcasc-rep" name="casc-rep">[21]</a></dt><dd>
+R.&nbsp;Dingledine and P.&nbsp;Syverson.
+ Reliable MIX Cascade Networks through Reputation.
+ In M.&nbsp;Blaze, editor, <em>Financial Cryptography</em>. Springer-Verlag,
+ LNCS 2357, 2002.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEsybil" name="sybil">[22]</a></dt><dd>
+J.&nbsp;Douceur.
+ The Sybil Attack.
+ In <em>Proceedings of the 1st International Peer To Peer Systems
+ Workshop (IPTPS)</em>, Mar. 2002.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEfederrath-ih96" name="federrath-ih96">[23]</a></dt><dd>
+H.&nbsp;Federrath, A.&nbsp;Jerichow, and A.&nbsp;Pfitzmann.
+ MIXes in mobile communication systems: Location management with
+ privacy.
+ In R.&nbsp;Anderson, editor, <em>Information Hiding, First International
+ Workshop</em>, pages 121-135. Springer-Verlag, LNCS 1174, May 1996.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEtarzan:ccs02" name="tarzan:ccs02">[24]</a></dt><dd>
+M.&nbsp;J. Freedman and R.&nbsp;Morris.
+ Tarzan: A peer-to-peer anonymizing network layer.
+ In <em>9th ACM Conference on Computer and Communications
+ Security (CCS 2002)</em>, Washington, DC, November 2002.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEherbivore" name="herbivore">[25]</a></dt><dd>
+S.&nbsp;Goel, M.&nbsp;Robson, M.&nbsp;Polte, and E.&nbsp;G. Sirer.
+ Herbivore: A scalable and efficient protocol for anonymous
+ communication.
+ Technical Report TR2003-1890, Cornell University Computing and
+ Information Science, February 2003.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEian-thesis" name="ian-thesis">[26]</a></dt><dd>
+I.&nbsp;Goldberg.
+ <em>A Pseudonymous Communications Infrastructure for the Internet</em>.
+ PhD thesis, UC Berkeley, Dec 2000.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEor-ih96" name="or-ih96">[27]</a></dt><dd>
+D.&nbsp;M. Goldschlag, M.&nbsp;G. Reed, and P.&nbsp;F. Syverson.
+ Hiding routing information.
+ In R.&nbsp;Anderson, editor, <em>Information Hiding, First International
+ Workshop</em>, pages 137-150. Springer-Verlag, LNCS 1174, May 1996.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEbabel" name="babel">[28]</a></dt><dd>
+C.&nbsp;G&#252;lc&#252; and G.&nbsp;Tsudik.
+ Mixing E-mail with Babel.
+ In <em>Network and Distributed Security Symposium (NDSS 96)</em>,
+ pages 2-16. IEEE, February 1996.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEhintz-pet02" name="hintz-pet02">[29]</a></dt><dd>
+A.&nbsp;Hintz.
+ Fingerprinting websites using traffic analysis.
+ In R.&nbsp;Dingledine and P.&nbsp;Syverson, editors, <em>Privacy Enhancing
+ Technologies (PET 2002)</em>, pages 171-178. Springer-Verlag, LNCS 2482, 2002.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEjerichow-jsac98" name="jerichow-jsac98">[30]</a></dt><dd>
+A.&nbsp;Jerichow, J.&nbsp;M&#252;ller, A.&nbsp;Pfitzmann, B.&nbsp;Pfitzmann, and M.&nbsp;Waidner.
+ Real-time mixes: A bandwidth-efficient anonymity protocol.
+ <em>IEEE Journal on Selected Areas in Communications</em>,
+ 16(4):495-509, May 1998.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITElimits-open" name="limits-open">[31]</a></dt><dd>
+D.&nbsp;Kesdogan, D.&nbsp;Agrawal, and S.&nbsp;Penz.
+ Limits of anonymity in open environments.
+ In F.&nbsp;Petitcolas, editor, <em>Information Hiding Workshop (IH
+ 2002)</em>. Springer-Verlag, LNCS 2578, October 2002.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEsocks4" name="socks4">[32]</a></dt><dd>
+D.&nbsp;Koblas and M.&nbsp;R. Koblas.
+ SOCKS.
+ In <em>UNIX Security III Symposium (1992 USENIX Security
+ Symposium)</em>, pages 77-83. USENIX, 1992.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEdefensive-dropping" name="defensive-dropping">[33]</a></dt><dd>
+B.&nbsp;N. Levine, M.&nbsp;K. Reiter, C.&nbsp;Wang, and M.&nbsp;Wright.
+ Timing analysis in low-latency mix-based systems.
+ In A.&nbsp;Juels, editor, <em>Financial Cryptography</em>. Springer-Verlag,
+ LNCS (forthcoming), 2004.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEhordes-jcs" name="hordes-jcs">[34]</a></dt><dd>
+B.&nbsp;N. Levine and C.&nbsp;Shields.
+ Hordes: A multicast-based protocol for anonymity.
+ <em>Journal of Computer Security</em>, 10(3):213-240, 2002.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEmeadows96" name="meadows96">[35]</a></dt><dd>
+C.&nbsp;Meadows.
+ The NRL protocol analyzer: An overview.
+ <em>Journal of Logic Programming</em>, 26(2):113-131, 1996.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEmixmaster-spec" name="mixmaster-spec">[36]</a></dt><dd>
+U.&nbsp;M&#246;ller, L.&nbsp;Cottrell, P.&nbsp;Palfrader, and L.&nbsp;Sassaman.
+ Mixmaster Protocol - Version 2.
+ Draft, July 2003.
+ <tt>&lt;http://www.abditum.com/mixmaster-spec.txt&#62;.
+
+<div class="p"><!----></div>
+</tt></dd>
+ <dt><a href="#CITEdarkside" name="darkside">[37]</a></dt><dd>
+V.&nbsp;S. Pai, L.&nbsp;Wang, K.&nbsp;Park, R.&nbsp;Pang, and L.&nbsp;Peterson.
+ The Dark Side of the Web: An Open Proxy's View.
+ <tt>&lt;http://codeen.cs.princeton.edu/&#62;.
+
+<div class="p"><!----></div>
+</tt></dd>
+ <dt><a href="#CITEisdn-mixes" name="isdn-mixes">[38]</a></dt><dd>
+A.&nbsp;Pfitzmann, B.&nbsp;Pfitzmann, and M.&nbsp;Waidner.
+ ISDN-mixes: Untraceable communication with very small bandwidth
+ overhead.
+ In <em>GI/ITG Conference on Communication in Distributed Systems</em>,
+ pages 451-463, February 1991.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEprivoxy" name="privoxy">[39]</a></dt><dd>
+Privoxy.
+ <tt>&lt;http://www.privoxy.org/&#62;.
+
+<div class="p"><!----></div>
+</tt></dd>
+ <dt><a href="#CITEreed-protocols97" name="reed-protocols97">[40]</a></dt><dd>
+M.&nbsp;G. Reed, P.&nbsp;F. Syverson, and D.&nbsp;M. Goldschlag.
+ Protocols using anonymous connections: Mobile applications.
+ In B.&nbsp;Christianson, B.&nbsp;Crispo, M.&nbsp;Lomas, and M.&nbsp;Roe, editors, <em>
+ Security Protocols: 5th International Workshop</em>, pages 13-23.
+ Springer-Verlag, LNCS 1361, April 1997.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEor-jsac98" name="or-jsac98">[41]</a></dt><dd>
+M.&nbsp;G. Reed, P.&nbsp;F. Syverson, and D.&nbsp;M. Goldschlag.
+ Anonymous connections and onion routing.
+ <em>IEEE Journal on Selected Areas in Communications</em>,
+ 16(4):482-494, May 1998.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEcrowds-tissec" name="crowds-tissec">[42]</a></dt><dd>
+M.&nbsp;K. Reiter and A.&nbsp;D. Rubin.
+ Crowds: Anonymity for web transactions.
+ <em>ACM TISSEC</em>, 1(1):66-92, June 1998.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEmorphmix:fc04" name="morphmix:fc04">[43]</a></dt><dd>
+M.&nbsp;Rennhard and B.&nbsp;Plattner.
+ Practical anonymity for the masses with morphmix.
+ In A.&nbsp;Juels, editor, <em>Financial Cryptography</em>. Springer-Verlag,
+ LNCS (forthcoming), 2004.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEanonnet" name="anonnet">[44]</a></dt><dd>
+M.&nbsp;Rennhard, S.&nbsp;Rafaeli, L.&nbsp;Mathy, B.&nbsp;Plattner, and D.&nbsp;Hutchison.
+ Analysis of an Anonymity Network for Web Browsing.
+ In <em>IEEE 7th Intl. Workshop on Enterprise Security (WET ICE
+ 2002)</em>, Pittsburgh, USA, June 2002.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITESS03" name="SS03">[45]</a></dt><dd>
+A.&nbsp;Serjantov and P.&nbsp;Sewell.
+ Passive attack analysis for connection-based anonymity systems.
+ In <em>Computer Security - ESORICS 2003</em>. Springer-Verlag, LNCS
+ 2808, October 2003.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEp5" name="p5">[46]</a></dt><dd>
+R.&nbsp;Sherwood, B.&nbsp;Bhattacharjee, and A.&nbsp;Srinivasan.
+ p<sup>5</sup>: A protocol for scalable anonymous communication.
+ In <em>IEEE Symposium on Security and Privacy</em>, pages 58-70. IEEE
+ CS, 2002.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEshsm03" name="shsm03">[47]</a></dt><dd>
+A.&nbsp;Shubina and S.&nbsp;Smith.
+ Using caching for browsing anonymity.
+ <em>ACM SIGEcom Exchanges</em>, 4(2), Sept 2003.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEor-discex00" name="or-discex00">[48]</a></dt><dd>
+P.&nbsp;Syverson, M.&nbsp;Reed, and D.&nbsp;Goldschlag.
+ Onion Routing access configurations.
+ In <em>DARPA Information Survivability Conference and Exposition
+ (DISCEX 2000)</em>, volume&nbsp;1, pages 34-40. IEEE CS Press, 2000.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEor-pet00" name="or-pet00">[49]</a></dt><dd>
+P.&nbsp;Syverson, G.&nbsp;Tsudik, M.&nbsp;Reed, and C.&nbsp;Landwehr.
+ Towards an Analysis of Onion Routing Security.
+ In H.&nbsp;Federrath, editor, <em>Designing Privacy Enhancing
+ Technologies: Workshop on Design Issue in Anonymity and Unobservability</em>,
+ pages 96-114. Springer-Verlag, LNCS 2009, July 2000.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEtannenbaum96" name="tannenbaum96">[50]</a></dt><dd>
+A.&nbsp;Tannenbaum.
+ Computer networks, 1996.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEjap-backdoor" name="jap-backdoor">[51]</a></dt><dd>
+The AN.ON Project.
+ German police proceeds against anonymity service.
+ Press release, September 2003.
+
+ <tt>&lt;http://www.datenschutzzentrum.de/material/themen/presse/anon-bka_e.htm&#62;.
+
+<div class="p"><!----></div>
+</tt></dd>
+ <dt><a href="#CITEtangler" name="tangler">[52]</a></dt><dd>
+M.&nbsp;Waldman and D.&nbsp;Mazi&#232;res.
+ Tangler: A censorship-resistant publishing system based on document
+ entanglements.
+ In <em>8<sup>th</sup> ACM Conference on Computer and Communications
+ Security (CCS-8)</em>, pages 86-135. ACM Press, 2001.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEpublius" name="publius">[53]</a></dt><dd>
+M.&nbsp;Waldman, A.&nbsp;Rubin, and L.&nbsp;Cranor.
+ Publius: A robust, tamper-evident, censorship-resistant and
+ source-anonymous web publishing system.
+ In <em>Proc. 9th USENIX Security Symposium</em>, pages 59-72, August
+ 2000.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEwright03" name="wright03">[54]</a></dt><dd>
+M.&nbsp;Wright, M.&nbsp;Adler, B.&nbsp;N. Levine, and C.&nbsp;Shields.
+ Defending anonymous communication against passive logging attacks.
+ In <em>IEEE Symposium on Security and Privacy</em>, pages 28-41. IEEE
+ CS, May 2003.</dd>
+</dl>
+
+
+<div class="p"><!----></div>
+<hr /><h3>Footnotes:</h3>
+
+<div class="p"><!----></div>
+<a name="tthFtNtAAB"></a><a href="#tthFrefAAB"><sup>1</sup></a>Actually, the negotiated key is used to derive two
+ symmetric keys: one for each direction.
+<div class="p"><!----></div>
+<a name="tthFtNtAAC"></a><a href="#tthFrefAAC"><sup>2</sup></a>
+ With 48 bits of digest per cell, the probability of an accidental
+collision is far lower than the chance of hardware failure.
+<div class="p"><!----></div>
+<a name="tthFtNtAAD"></a><a href="#tthFrefAAD"><sup>3</sup></a>
+Rather than rely on an external infrastructure, the Onion Routing network
+can run the lookup service itself. Our current implementation provides a
+simple lookup system on the
+directory servers.
+<div class="p"><!----></div>
+<a name="tthFtNtAAE"></a><a href="#tthFrefAAE"><sup>4</sup></a>Note that this fingerprinting
+attack should not be confused with the much more complicated latency
+attacks of&nbsp;[<a href="#back01" name="CITEback01">5</a>], which require a fingerprint of the latencies
+of all circuits through the network, combined with those from the
+network edges to the target user and the responder website.
+<br /><br /><hr /><small>File translated from
+T<sub><font size="-1">E</font></sub>X
+by <a href="http://hutchinson.belmont.ma.us/tth/">
+T<sub><font size="-1">T</font></sub>H</a>,
+version 3.59.<br />On 18 May 2004, 10:45.</small>
+</body></html>
diff --git a/doc/design-paper/tor-design.pdf b/doc/design-paper/tor-design.pdf
new file mode 100644
index 0000000000..76a2265153
--- /dev/null
+++ b/doc/design-paper/tor-design.pdf
Binary files differ
diff --git a/doc/design-paper/tor-design.tex b/doc/design-paper/tor-design.tex
new file mode 100644
index 0000000000..0a27a92525
--- /dev/null
+++ b/doc/design-paper/tor-design.tex
@@ -0,0 +1,1988 @@
+\documentclass[twocolumn]{article}
+\usepackage{usenix}
+
+%\documentclass[times,10pt,twocolumn]{article}
+%\usepackage{latex8}
+%\usepackage{times}
+\usepackage{url}
+\usepackage{graphics}
+\usepackage{amsmath}
+\usepackage{epsfig}
+
+\pagestyle{empty}
+
+\renewcommand\url{\begingroup \def\UrlLeft{<}\def\UrlRight{>}\urlstyle{tt}\Url}
+\newcommand\emailaddr{\begingroup \def\UrlLeft{<}\def\UrlRight{>}\urlstyle{tt}\Url}
+
+\newcommand{\workingnote}[1]{} % The version that hides the note.
+%\newcommand{\workingnote}[1]{(**#1)} % The version that makes the note visible.
+
+% If an URL ends up with '%'s in it, that's because the line *in the .bib/.tex
+% file* is too long, so break it there (it doesn't matter if the next line is
+% indented with spaces). -DH
+
+%\newif\ifpdf
+%\ifx\pdfoutput\undefined
+% \pdffalse
+%\else
+% \pdfoutput=1
+% \pdftrue
+%\fi
+
+\newenvironment{tightlist}{\begin{list}{$\bullet$}{
+ \setlength{\itemsep}{0mm}
+ \setlength{\parsep}{0mm}
+ % \setlength{\labelsep}{0mm}
+ % \setlength{\labelwidth}{0mm}
+ % \setlength{\topsep}{0mm}
+ }}{\end{list}}
+
+% Cut down on whitespace above and below figures displayed at head/foot of
+% page.
+\setlength{\textfloatsep}{3mm}
+% Cut down on whitespace above and below figures displayed in middle of page
+\setlength{\intextsep}{3mm}
+
+\begin{document}
+
+%% Use dvipdfm instead. --DH
+%\ifpdf
+% \pdfcompresslevel=9
+% \pdfpagewidth=\the\paperwidth
+% \pdfpageheight=\the\paperheight
+%\fi
+
+\title{Tor: The Second-Generation Onion Router} %\\DRAFT VERSION}
+% Putting the 'Private' back in 'Virtual Private Network'
+
+\author{Roger Dingledine \\ The Free Haven Project \\ arma@freehaven.net \and
+Nick Mathewson \\ The Free Haven Project \\ nickm@freehaven.net \and
+Paul Syverson \\ Naval Research Lab \\ syverson@itd.nrl.navy.mil}
+
+\maketitle
+\thispagestyle{empty}
+
+\begin{abstract}
+We present Tor, a circuit-based low-latency anonymous communication
+service. This second-generation Onion Routing system addresses limitations
+in the original design by adding perfect forward secrecy, congestion
+control, directory servers, integrity checking, configurable exit policies,
+and a practical design for location-hidden services via rendezvous
+points. Tor works on the real-world
+Internet, requires no special privileges or kernel modifications, requires
+little synchronization or coordination between nodes, and provides a
+reasonable tradeoff between anonymity, usability, and efficiency.
+We briefly describe our experiences with an international network of
+more than 30 nodes. % that has been running for several months.
+We close with a list of open problems in anonymous communication.
+\end{abstract}
+
+%\begin{center}
+%\textbf{Keywords:} anonymity, peer-to-peer, remailer, nymserver, reply block
+%\end{center}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\section{Overview}
+\label{sec:intro}
+
+Onion Routing is a distributed overlay network designed to anonymize
+TCP-based applications like web browsing, secure shell,
+and instant messaging. Clients choose a path through the network and
+build a \emph{circuit}, in which each node (or ``onion router'' or ``OR'')
+in the path knows its predecessor and successor, but no other nodes in
+the circuit. Traffic flows down the circuit in fixed-size
+\emph{cells}, which are unwrapped by a symmetric key at each node
+(like the layers of an onion) and relayed downstream. The
+Onion Routing project published several design and analysis
+papers \cite{or-ih96,or-jsac98,or-discex00,or-pet00}. While a wide area Onion
+Routing network was deployed briefly, the only long-running
+public implementation was a fragile
+proof-of-concept that ran on a single machine. Even this simple deployment
+processed connections from over sixty thousand distinct IP addresses from
+all over the world at a rate of about fifty thousand per day.
+But many critical design and deployment issues were never
+resolved, and the design has not been updated in years. Here
+we describe Tor, a protocol for asynchronous, loosely federated onion
+routers that provides the following improvements over the old Onion
+Routing design:
+
+\textbf{Perfect forward secrecy:} In the original Onion Routing design,
+a single hostile node could record traffic and
+later compromise successive nodes in the circuit and force them
+to decrypt it. Rather than using a single multiply encrypted data
+structure (an \emph{onion}) to lay each circuit,
+Tor now uses an incremental or \emph{telescoping} path-building design,
+where the initiator negotiates session keys with each successive hop in
+the circuit. Once these keys are deleted, subsequently compromised nodes
+cannot decrypt old traffic. As a side benefit, onion replay detection
+is no longer necessary, and the process of building circuits is more
+reliable, since the initiator knows when a hop fails and can then try
+extending to a new node.
+
+\textbf{Separation of ``protocol cleaning'' from anonymity:}
+Onion Routing originally required a separate ``application
+proxy'' for each supported application protocol---most of which were
+never written, so many applications were never supported. Tor uses the
+standard and near-ubiquitous SOCKS~\cite{socks4} proxy interface, allowing
+us to support most TCP-based programs without modification. Tor now
+relies on the filtering features of privacy-enhancing
+application-level proxies such as Privoxy~\cite{privoxy}, without trying
+to duplicate those features itself.
+
+\textbf{No mixing, padding, or traffic shaping (yet):} Onion
+Routing originally called for batching and reordering cells as they arrived,
+assumed padding between ORs, and in
+later designs added padding between onion proxies (users) and
+ORs~\cite{or-ih96,or-jsac98}. Tradeoffs between padding protection
+and cost were discussed, and \emph{traffic shaping} algorithms were
+theorized~\cite{or-pet00} to provide good security without expensive
+padding, but no concrete padding scheme was suggested.
+Recent research~\cite{econymics}
+and deployment experience~\cite{freedom21-security} suggest that this
+level of resource use is not practical or economical; and even full
+link padding is still vulnerable~\cite{defensive-dropping}. Thus,
+until we have a proven and convenient design for traffic shaping or
+low-latency mixing that improves anonymity against a realistic
+adversary, we leave these strategies out.
+
+\textbf{Many TCP streams can share one circuit:} Onion Routing originally
+built a separate circuit for each
+application-level request, but this required
+multiple public key operations for every request, and also presented
+a threat to anonymity from building so many circuits; see
+Section~\ref{sec:maintaining-anonymity}. Tor multiplexes multiple TCP
+streams along each circuit to improve efficiency and anonymity.
+
+\textbf{Leaky-pipe circuit topology:} Through in-band signaling
+within the circuit, Tor initiators can direct traffic to nodes partway
+down the circuit. This novel approach
+allows traffic to exit the circuit from the middle---possibly
+frustrating traffic shape and volume attacks based on observing the end
+of the circuit. (It also allows for long-range padding if
+future research shows this to be worthwhile.)
+
+\textbf{Congestion control:} Earlier anonymity designs do not
+address traffic bottlenecks. Unfortunately, typical approaches to
+load balancing and flow control in overlay networks involve inter-node
+control communication and global views of traffic. Tor's decentralized
+congestion control uses end-to-end acks to maintain anonymity
+while allowing nodes at the edges of the network to detect congestion
+or flooding and send less data until the congestion subsides.
+
+\textbf{Directory servers:} The earlier Onion Routing design
+planned to flood state information through the network---an approach
+that can be unreliable and complex. % open to partitioning attacks.
+Tor takes a simplified view toward distributing this
+information. Certain more trusted nodes act as \emph{directory
+servers}: they provide signed directories describing known
+routers and their current state. Users periodically download them
+via HTTP.
+
+\textbf{Variable exit policies:} Tor provides a consistent mechanism
+for each node to advertise a policy describing the hosts
+and ports to which it will connect. These exit policies are critical
+in a volunteer-based distributed infrastructure, because each operator
+is comfortable with allowing different types of traffic to exit
+from his node.
+
+\textbf{End-to-end integrity checking:} The original Onion Routing
+design did no integrity checking on data. Any node on the
+circuit could change the contents of data cells as they passed by---for
+example, to alter a connection request so it would connect
+to a different webserver, or to `tag' encrypted traffic and look for
+corresponding corrupted traffic at the network edges~\cite{minion-design}.
+Tor hampers these attacks by verifying data integrity before it leaves
+the network.
+
+%\textbf{Improved robustness to failed nodes:} A failed node
+%in the old design meant that circuit building failed, but thanks to
+%Tor's step-by-step circuit building, users notice failed nodes
+%while building circuits and route around them. Additionally, liveness
+%information from directories allows users to avoid unreliable nodes in
+%the first place.
+%% Can't really claim this, now that we've found so many variants of
+%% attack on partial-circuit-building. -RD
+
+\textbf{Rendezvous points and hidden services:}
+Tor provides an integrated mechanism for responder anonymity via
+location-protected servers. Previous Onion Routing designs included
+long-lived ``reply onions'' that could be used to build circuits
+to a hidden server, but these reply onions did not provide forward
+security, and became useless if any node in the path went down
+or rotated its keys. In Tor, clients negotiate {\it rendezvous points}
+to connect with hidden servers; reply onions are no longer required.
+
+Unlike Freedom~\cite{freedom2-arch}, Tor does not require OS kernel
+patches or network stack support. This prevents us from anonymizing
+non-TCP protocols, but has greatly helped our portability and
+deployability.
+
+%Unlike Freedom~\cite{freedom2-arch}, Tor only anonymizes
+%TCP-based protocols---not requiring patches (or built-in support) in an
+%operating system's network stack has been valuable to Tor's
+%portability and deployability.
+
+We have implemented all of the above features, including rendezvous
+points. Our source code is
+available under a free license, and Tor
+%, as far as we know, is unencumbered by patents.
+is not covered by the patent that affected distribution and use of
+earlier versions of Onion Routing.
+We have deployed a wide-area alpha network
+to test the design, to get more experience with usability
+and users, and to provide a research platform for experimentation.
+As of this writing, the network stands at 32 nodes %in thirteen
+%distinct administrative domains
+spread over two continents.
+
+We review previous work in Section~\ref{sec:related-work}, describe
+our goals and assumptions in Section~\ref{sec:assumptions},
+and then address the above list of improvements in
+Sections~\ref{sec:design},~\ref{sec:rendezvous}, and~\ref{sec:other-design}.
+We summarize
+in Section~\ref{sec:attacks} how our design stands up to
+known attacks, and talk about our early deployment experiences in
+Section~\ref{sec:in-the-wild}. We conclude with a list of open problems in
+Section~\ref{sec:maintaining-anonymity} and future work for the Onion
+Routing project in Section~\ref{sec:conclusion}.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\section{Related work}
+\label{sec:related-work}
+
+Modern anonymity systems date to Chaum's {\bf Mix-Net}
+design~\cite{chaum-mix}. Chaum
+proposed hiding the correspondence between sender and recipient by
+wrapping messages in layers of public-key cryptography, and relaying them
+through a path composed of ``mixes.'' Each mix in turn
+decrypts, delays, and re-orders messages before relaying them
+onward.
+%toward their destinations.
+
+Subsequent relay-based anonymity designs have diverged in two
+main directions. Systems like {\bf Babel}~\cite{babel},
+{\bf Mixmaster}~\cite{mixmaster-spec},
+and {\bf Mixminion}~\cite{minion-design} have tried
+to maximize anonymity at the cost of introducing comparatively large and
+variable latencies. Because of this decision, these \emph{high-latency}
+networks resist strong global adversaries,
+but introduce too much lag for interactive tasks like web browsing,
+Internet chat, or SSH connections.
+
+Tor belongs to the second category: \emph{low-latency} designs that
+try to anonymize interactive network traffic. These systems handle
+a variety of bidirectional protocols. They also provide more convenient
+mail delivery than the high-latency anonymous email
+networks, because the remote mail server provides explicit and timely
+delivery confirmation. But because these designs typically
+involve many packets that must be delivered quickly, it is
+difficult for them to prevent an attacker who can eavesdrop both ends of the
+communication from correlating the timing and volume
+of traffic entering the anonymity network with traffic leaving it~\cite{SS03}.
+These
+protocols are similarly vulnerable to an active adversary who introduces
+timing patterns into traffic entering the network and looks
+for correlated patterns among exiting traffic.
+Although some work has been done to frustrate these attacks, most designs
+protect primarily against traffic analysis rather than traffic
+confirmation (see Section~\ref{subsec:threat-model}).
+
+The simplest low-latency designs are single-hop proxies such as the
+{\bf Anonymizer}~\cite{anonymizer}: a single trusted server strips the
+data's origin before relaying it. These designs are easy to
+analyze, but users must trust the anonymizing proxy.
+Concentrating the traffic to this single point increases the anonymity set
+(the people a given user is hiding among), but it is vulnerable if the
+adversary can observe all traffic entering and leaving the proxy.
+
+More complex are distributed-trust, circuit-based anonymizing systems.
+In these designs, a user establishes one or more medium-term bidirectional
+end-to-end circuits, and tunnels data in fixed-size cells.
+Establishing circuits is computationally expensive and typically
+requires public-key
+cryptography, whereas relaying cells is comparatively inexpensive and
+typically requires only symmetric encryption.
+Because a circuit crosses several servers, and each server only knows
+the adjacent servers in the circuit, no single server can link a
+user to her communication partners.
+
+The {\bf Java Anon Proxy} (also known as JAP or Web MIXes) uses fixed shared
+routes known as \emph{cascades}. As with a single-hop proxy, this
+approach aggregates users into larger anonymity sets, but again an
+attacker only needs to observe both ends of the cascade to bridge all
+the system's traffic. The Java Anon Proxy's design
+calls for padding between end users and the head of the
+cascade~\cite{web-mix}. However, it is not demonstrated whether the current
+implementation's padding policy improves anonymity.
+
+{\bf PipeNet}~\cite{back01, pipenet}, another low-latency design proposed
+around the same time as Onion Routing, gave
+stronger anonymity but allowed a single user to shut
+down the network by not sending. Systems like {\bf ISDN
+mixes}~\cite{isdn-mixes} were designed for other environments with
+different assumptions.
+%XXX please can we fix this sentence to something less demeaning
+
+In P2P designs like {\bf Tarzan}~\cite{tarzan:ccs02} and
+{\bf MorphMix}~\cite{morphmix:fc04}, all participants both generate
+traffic and relay traffic for others. These systems aim to conceal
+whether a given peer originated a request
+or just relayed it from another peer. While Tarzan and MorphMix use
+layered encryption as above, {\bf Crowds}~\cite{crowds-tissec} simply assumes
+an adversary who cannot observe the initiator: it uses no public-key
+encryption, so any node on a circuit can read users' traffic.
+
+{\bf Hordes}~\cite{hordes-jcs} is based on Crowds but also uses multicast
+responses to hide the initiator. {\bf Herbivore}~\cite{herbivore} and
+$\mbox{\bf P}^{\mathbf 5}$~\cite{p5} go even further, requiring broadcast.
+These systems are designed primarily for communication among peers,
+although Herbivore users can make external connections by
+requesting a peer to serve as a proxy.
+
+Systems like {\bf Freedom} and the original Onion Routing build circuits
+all at once, using a layered ``onion'' of public-key encrypted messages,
+each layer of which provides session keys and the address of the
+next server in the circuit. Tor as described herein, Tarzan, MorphMix,
+{\bf Cebolla}~\cite{cebolla}, and Rennhard's {\bf Anonymity Network}~\cite{anonnet}
+build circuits
+in stages, extending them one hop at a time.
+Section~\ref{subsubsec:constructing-a-circuit} describes how this
+approach enables perfect forward secrecy.
+
+Circuit-based designs must choose which protocol layer
+to anonymize. They may intercept IP packets directly, and
+relay them whole (stripping the source address) along the
+circuit~\cite{freedom2-arch,tarzan:ccs02}. Like
+Tor, they may accept TCP streams and relay the data in those streams,
+ignoring the breakdown of that data into TCP
+segments~\cite{morphmix:fc04,anonnet}. Finally, like Crowds, they may accept
+application-level protocols such as HTTP and relay the application
+requests themselves.
+Making this protocol-layer decision requires a compromise between flexibility
+and anonymity. For example, a system that understands HTTP
+can strip
+identifying information from requests, can take advantage of caching
+to limit the number of requests that leave the network, and can batch
+or encode requests to minimize the number of connections.
+On the other hand, an IP-level anonymizer can handle nearly any protocol,
+even ones unforeseen by its designers (though these systems require
+kernel-level modifications to some operating systems, and so are more
+complex and less portable). TCP-level anonymity networks like Tor present
+a middle approach: they are application neutral (so long as the
+application supports, or can be tunneled across, TCP), but by treating
+application connections as data streams rather than raw TCP packets,
+they avoid the inefficiencies of tunneling TCP over
+TCP.
+
+Distributed-trust anonymizing systems need to prevent attackers from
+adding too many servers and thus compromising user paths.
+Tor relies on a small set of well-known directory servers, run by
+independent parties, to decide which nodes can
+join. Tarzan and MorphMix allow unknown users to run servers, and use
+a limited resource (like IP addresses) to prevent an attacker from
+controlling too much of the network. Crowds suggests requiring
+written, notarized requests from potential crowd members.
+
+Anonymous communication is essential for censorship-resistant
+systems like Eternity~\cite{eternity}, Free~Haven~\cite{freehaven-berk},
+Publius~\cite{publius}, and Tangler~\cite{tangler}. Tor's rendezvous
+points enable connections between mutually anonymous entities; they
+are a building block for location-hidden servers, which are needed by
+Eternity and Free~Haven.
+
+% didn't include rewebbers. No clear place to put them, so I'll leave
+% them out for now. -RD
+
+\section{Design goals and assumptions}
+\label{sec:assumptions}
+
+\noindent{\large\bf Goals}\\
+Like other low-latency anonymity designs, Tor seeks to frustrate
+attackers from linking communication partners, or from linking
+multiple communications to or from a single user. Within this
+main goal, however, several considerations have directed
+Tor's evolution.
+
+\textbf{Deployability:} The design must be deployed and used in the
+real world. Thus it
+must not be expensive to run (for example, by requiring more bandwidth
+than volunteers are willing to provide); must not place a heavy
+liability burden on operators (for example, by allowing attackers to
+implicate onion routers in illegal activities); and must not be
+difficult or expensive to implement (for example, by requiring kernel
+patches, or separate proxies for every protocol). We also cannot
+require non-anonymous parties (such as websites)
+to run our software. (Our rendezvous point design does not meet
+this goal for non-anonymous users talking to hidden servers,
+however; see Section~\ref{sec:rendezvous}.)
+
+\textbf{Usability:} A hard-to-use system has fewer users---and because
+anonymity systems hide users among users, a system with fewer users
+provides less anonymity. Usability is thus not only a convenience:
+it is a security requirement~\cite{econymics,back01}. Tor should
+therefore not
+require modifying familiar applications; should not introduce prohibitive
+delays;
+and should require as few configuration decisions
+as possible. Finally, Tor should be easily implementable on all common
+platforms; we cannot require users to change their operating system
+to be anonymous. (Tor currently runs on Win32, Linux,
+Solaris, BSD-style Unix, MacOS X, and probably others.)
+
+\textbf{Flexibility:} The protocol must be flexible and well-specified,
+so Tor can serve as a test-bed for future research.
+Many of the open problems in low-latency anonymity
+networks, such as generating dummy traffic or preventing Sybil
+attacks~\cite{sybil}, may be solvable independently from the issues
+solved by
+Tor. Hopefully future systems will not need to reinvent Tor's design.
+%(But note that while a flexible design benefits researchers,
+%there is a danger that differing choices of extensions will make users
+%distinguishable. Experiments should be run on a separate network.)
+
+\textbf{Simple design:} The protocol's design and security
+parameters must be well-understood. Additional features impose implementation
+and complexity costs; adding unproven techniques to the design threatens
+deployability, readability, and ease of security analysis. Tor aims to
+deploy a simple and stable system that integrates the best accepted
+approaches to protecting anonymity.\\
+
+\noindent{\large\bf Non-goals}\label{subsec:non-goals}\\
+In favoring simple, deployable designs, we have explicitly deferred
+several possible goals, either because they are solved elsewhere, or because
+they are not yet solved.
+
+\textbf{Not peer-to-peer:} Tarzan and MorphMix aim to scale to completely
+decentralized peer-to-peer environments with thousands of short-lived
+servers, many of which may be controlled by an adversary. This approach
+is appealing, but still has many open
+problems~\cite{tarzan:ccs02,morphmix:fc04}.
+
+\textbf{Not secure against end-to-end attacks:} Tor does not claim
+to completely solve end-to-end timing or intersection
+attacks. Some approaches, such as having users run their own onion routers,
+may help;
+see Section~\ref{sec:maintaining-anonymity} for more discussion.
+
+\textbf{No protocol normalization:} Tor does not provide \emph{protocol
+normalization} like Privoxy or the Anonymizer. If senders want anonymity from
+responders while using complex and variable
+protocols like HTTP, Tor must be layered with a filtering proxy such
+as Privoxy to hide differences between clients, and expunge protocol
+features that leak identity.
+Note that by this separation Tor can also provide services that
+are anonymous to the network yet authenticated to the responder, like
+SSH. Similarly, Tor does not integrate
+tunneling for non-stream-based protocols like UDP; this must be
+provided by an external service if appropriate.
+
+\textbf{Not steganographic:} Tor does not try to conceal who is connected
+to the network.
+
+\subsection{Threat Model}
+\label{subsec:threat-model}
+
+A global passive adversary is the most commonly assumed threat when
+analyzing theoretical anonymity designs. But like all practical
+low-latency systems, Tor does not protect against such a strong
+adversary. Instead, we assume an adversary who can observe some fraction
+of network traffic; who can generate, modify, delete, or delay
+traffic; who can operate onion routers of his own; and who can
+compromise some fraction of the onion routers.
+
+In low-latency anonymity systems that use layered encryption, the
+adversary's typical goal is to observe both the initiator and the
+responder. By observing both ends, passive attackers can confirm a
+suspicion that Alice is
+talking to Bob if the timing and volume patterns of the traffic on the
+connection are distinct enough; active attackers can induce timing
+signatures on the traffic to force distinct patterns. Rather
+than focusing on these \emph{traffic confirmation} attacks,
+we aim to prevent \emph{traffic
+analysis} attacks, where the adversary uses traffic patterns to learn
+which points in the network he should attack.
+
+Our adversary might try to link an initiator Alice with her
+communication partners, or try to build a profile of Alice's
+behavior. He might mount passive attacks by observing the network edges
+and correlating traffic entering and leaving the network---by
+relationships in packet timing, volume, or externally visible
+user-selected
+options. The adversary can also mount active attacks by compromising
+routers or keys; by replaying traffic; by selectively denying service
+to trustworthy routers to move users to
+compromised routers, or denying service to users to see if traffic
+elsewhere in the
+network stops; or by introducing patterns into traffic that can later be
+detected. The adversary might subvert the directory servers to give users
+differing views of network state. Additionally, he can try to decrease
+the network's reliability by attacking nodes or by performing antisocial
+activities from reliable nodes and trying to get them taken down---making
+the network unreliable flushes users to other less anonymous
+systems, where they may be easier to attack. We summarize
+in Section~\ref{sec:attacks} how well the Tor design defends against
+each of these attacks.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\section{The Tor Design}
+\label{sec:design}
+
+The Tor network is an overlay network; each onion router (OR)
+runs as a normal
+user-level process without any special privileges.
+Each onion router maintains a TLS~\cite{TLS}
+connection to every other onion router.
+%(We discuss alternatives to this clique-topology assumption in
+%Section~\ref{sec:maintaining-anonymity}.)
+% A subset of the ORs also act as
+%directory servers, tracking which routers are in the network;
+%see Section~\ref{subsec:dirservers} for directory server details.
+Each user
+runs local software called an onion proxy (OP) to fetch directories,
+establish circuits across the network,
+and handle connections from user applications. These onion proxies accept
+TCP streams and multiplex them across the circuits. The onion
+router on the other side
+of the circuit connects to the requested destinations
+and relays data.
+
+Each onion router maintains a long-term identity key and a short-term
+onion key. The identity
+key is used to sign TLS certificates, to sign the OR's \emph{router
+descriptor} (a summary of its keys, address, bandwidth, exit policy,
+and so on), and (by directory servers) to sign directories. %Changing
+%the identity key of a router is considered equivalent to creating a
+%new router.
+The onion key is used to decrypt requests
+from users to set up a circuit and negotiate ephemeral keys.
+The TLS protocol also establishes a short-term link key when communicating
+between ORs. Short-term keys are rotated periodically and
+independently, to limit the impact of key compromise.
+
+Section~\ref{subsec:cells} presents the fixed-size
+\emph{cells} that are the unit of communication in Tor. We describe
+in Section~\ref{subsec:circuits} how circuits are
+built, extended, truncated, and destroyed. Section~\ref{subsec:tcp}
+describes how TCP streams are routed through the network. We address
+integrity checking in Section~\ref{subsec:integrity-checking},
+and resource limiting in Section~\ref{subsec:rate-limit}.
+Finally,
+Section~\ref{subsec:congestion} talks about congestion control and
+fairness issues.
+
+\subsection{Cells}
+\label{subsec:cells}
+
+Onion routers communicate with one another, and with users' OPs, via
+TLS connections with ephemeral keys. Using TLS conceals the data on
+the connection with perfect forward secrecy, and prevents an attacker
+from modifying data on the wire or impersonating an OR.
+
+Traffic passes along these connections in fixed-size cells. Each cell
+is 512 bytes, %(but see Section~\ref{sec:conclusion} for a discussion of
+%allowing large cells and small cells on the same network),
+and consists of a header and a payload. The header includes a circuit
+identifier (circID) that specifies which circuit the cell refers to
+(many circuits can be multiplexed over the single TLS connection), and
+a command to describe what to do with the cell's payload. (Circuit
+identifiers are connection-specific: each circuit has a different
+circID on each OP/OR or OR/OR connection it traverses.)
+Based on their command, cells are either \emph{control} cells, which are
+always interpreted by the node that receives them, or \emph{relay} cells,
+which carry end-to-end stream data. The control cell commands are:
+\emph{padding} (currently used for keepalive, but also usable for link
+padding); \emph{create} or \emph{created} (used to set up a new circuit);
+and \emph{destroy} (to tear down a circuit).
+
+Relay cells have an additional header (the relay header) at the front
+of the payload, containing a streamID (stream identifier: many streams can
+be multiplexed over a circuit); an end-to-end checksum for integrity
+checking; the length of the relay payload; and a relay command.
+The entire contents of the relay header and the relay cell payload
+are encrypted or decrypted together as the relay cell moves along the
+circuit, using the 128-bit AES cipher in counter mode to generate a
+cipher stream. The relay commands are: \emph{relay
+data} (for data flowing down the stream), \emph{relay begin} (to open a
+stream), \emph{relay end} (to close a stream cleanly), \emph{relay
+teardown} (to close a broken stream), \emph{relay connected}
+(to notify the OP that a relay begin has succeeded), \emph{relay
+extend} and \emph{relay extended} (to extend the circuit by a hop,
+and to acknowledge), \emph{relay truncate} and \emph{relay truncated}
+(to tear down only part of the circuit, and to acknowledge), \emph{relay
+sendme} (used for congestion control), and \emph{relay drop} (used to
+implement long-range dummies).
+We give a visual overview of cell structure plus the details of relay
+cell structure, and then describe each of these cell types and commands
+in more detail below.
+
+%\begin{figure}[h]
+%\unitlength=1cm
+%\centering
+%\begin{picture}(8.0,1.5)
+%\put(4,.5){\makebox(0,0)[c]{\epsfig{file=cell-struct,width=7cm}}}
+%\end{picture}
+%\end{figure}
+
+\begin{figure}[h]
+\centering
+\mbox{\epsfig{figure=cell-struct,width=7cm}}
+\end{figure}
+
+\subsection{Circuits and streams}
+\label{subsec:circuits}
+
+Onion Routing originally built one circuit for each
+TCP stream. Because building a circuit can take several tenths of a
+second (due to public-key cryptography and network latency),
+this design imposed high costs on applications like web browsing that
+open many TCP streams.
+
+In Tor, each circuit can be shared by many TCP streams. To avoid
+delays, users construct circuits preemptively. To limit linkability
+among their streams, users' OPs build a new circuit
+periodically if the previous ones have been used,
+and expire old used circuits that no longer have any open streams.
+OPs consider rotating to a new circuit once a minute: thus
+even heavy users spend negligible time
+building circuits, but a limited number of requests can be linked
+to each other through a given exit node. Also, because circuits are built
+in the background, OPs can recover from failed circuit creation
+without harming user experience.\\
+
+\begin{figure}[h]
+\centering
+\mbox{\epsfig{figure=interaction,width=8.75cm}}
+\caption{Alice builds a two-hop circuit and begins fetching a web page.}
+\label{fig:interaction}
+\end{figure}
+
+\noindent{\large\bf Constructing a circuit}\label{subsubsec:constructing-a-circuit}\\
+%\subsubsection{Constructing a circuit}
+A user's OP constructs circuits incrementally, negotiating a
+symmetric key with each OR on the circuit, one hop at a time. To begin
+creating a new circuit, the OP (call her Alice) sends a
+\emph{create} cell to the first node in her chosen path (call him Bob).
+(She chooses a new
+circID $C_{AB}$ not currently used on the connection from her to Bob.)
+The \emph{create} cell's
+payload contains the first half of the Diffie-Hellman handshake
+($g^x$), encrypted to the onion key of the OR (call him Bob). Bob
+responds with a \emph{created} cell containing $g^y$
+along with a hash of the negotiated key $K=g^{xy}$.
+
+Once the circuit has been established, Alice and Bob can send one
+another relay cells encrypted with the negotiated
+key.\footnote{Actually, the negotiated key is used to derive two
+ symmetric keys: one for each direction.} More detail is given in
+the next section.
+
+To extend the circuit further, Alice sends a \emph{relay extend} cell
+to Bob, specifying the address of the next OR (call her Carol), and
+an encrypted $g^{x_2}$ for her. Bob copies the half-handshake into a
+\emph{create} cell, and passes it to Carol to extend the circuit.
+(Bob chooses a new circID $C_{BC}$ not currently used on the connection
+between him and Carol. Alice never needs to know this circID; only Bob
+associates $C_{AB}$ on his connection with Alice to $C_{BC}$ on
+his connection with Carol.)
+When Carol responds with a \emph{created} cell, Bob wraps the payload
+into a \emph{relay extended} cell and passes it back to Alice. Now
+the circuit is extended to Carol, and Alice and Carol share a common key
+$K_2 = g^{x_2 y_2}$.
+
+To extend the circuit to a third node or beyond, Alice
+proceeds as above, always telling the last node in the circuit to
+extend one hop further.
+
+This circuit-level handshake protocol achieves unilateral entity
+authentication (Alice knows she's handshaking with the OR, but
+the OR doesn't care who is opening the circuit---Alice uses no public key
+and remains anonymous) and unilateral key authentication
+(Alice and the OR agree on a key, and Alice knows only the OR learns
+it). It also achieves forward
+secrecy and key freshness. More formally, the protocol is as follows
+(where $E_{PK_{Bob}}(\cdot)$ is encryption with Bob's public key,
+$H$ is a secure hash function, and $|$ is concatenation):
+\begin{equation*}
+\begin{aligned}
+\mathrm{Alice} \rightarrow \mathrm{Bob}&: E_{PK_{Bob}}(g^x) \\
+\mathrm{Bob} \rightarrow \mathrm{Alice}&: g^y, H(K | \mathrm{``handshake"}) \\
+\end{aligned}
+\end{equation*}
+
+\noindent In the second step, Bob proves that it was he who received $g^x$,
+and who chose $y$. We use PK encryption in the first step
+(rather than, say, using the first two steps of STS, which has a
+signature in the second step) because a single cell is too small to
+hold both a public key and a signature. Preliminary analysis with the
+NRL protocol analyzer~\cite{meadows96} shows this protocol to be
+secure (including perfect forward secrecy) under the
+traditional Dolev-Yao model.\\
+
+\noindent{\large\bf Relay cells}\\
+%\subsubsection{Relay cells}
+%
+Once Alice has established the circuit (so she shares keys with each
+OR on the circuit), she can send relay cells.
+%Recall that every relay cell has a streamID that indicates to which
+%stream the cell belongs. %This streamID allows a relay cell to be
+%addressed to any OR on the circuit.
+Upon receiving a relay
+cell, an OR looks up the corresponding circuit, and decrypts the relay
+header and payload with the session key for that circuit.
+If the cell is headed away from Alice the OR then checks whether the
+decrypted cell has a valid digest (as an optimization, the first
+two bytes of the integrity check are zero, so in most cases we can avoid
+computing the hash).
+%is recognized---either because it
+%corresponds to an open stream at this OR for the given circuit, or because
+%it is the control streamID (zero).
+If valid, it accepts the relay cell and processes it as described
+below. Otherwise,
+the OR looks up the circID and OR for the
+next step in the circuit, replaces the circID as appropriate, and
+sends the decrypted relay cell to the next OR. (If the OR at the end
+of the circuit receives an unrecognized relay cell, an error has
+occurred, and the circuit is torn down.)
+
+OPs treat incoming relay cells similarly: they iteratively unwrap the
+relay header and payload with the session keys shared with each
+OR on the circuit, from the closest to farthest.
+If at any stage the digest is valid, the cell must have
+originated at the OR whose encryption has just been removed.
+
+To construct a relay cell addressed to a given OR, Alice assigns the
+digest, and then iteratively
+encrypts the cell payload (that is, the relay header and payload) with
+the symmetric key of each hop up to that OR. Because the digest is
+encrypted to a different value at each step, only at the targeted OR
+will it have a meaningful value.\footnote{
+ % Should we just say that 2^56 is itself negligible?
+ % Assuming 4-hop circuits with 10 streams per hop, there are 33
+ % possible bad streamIDs before the last circuit. This still
+ % gives an error only once every 2 million terabytes (approx).
+With 48 bits of digest per cell, the probability of an accidental
+collision is far lower than the chance of hardware failure.}
+This \emph{leaky pipe} circuit topology
+allows Alice's streams to exit at different ORs on a single circuit.
+Alice may choose different exit points because of their exit policies,
+or to keep the ORs from knowing that two streams
+originate from the same person.
+
+When an OR later replies to Alice with a relay cell, it
+encrypts the cell's relay header and payload with the single key it
+shares with Alice, and sends the cell back toward Alice along the
+circuit. Subsequent ORs add further layers of encryption as they
+relay the cell back to Alice.
+
+To tear down a circuit, Alice sends a \emph{destroy} control
+cell. Each OR in the circuit receives the \emph{destroy} cell, closes
+all streams on that circuit, and passes a new \emph{destroy} cell
+forward. But just as circuits are built incrementally, they can also
+be torn down incrementally: Alice can send a \emph{relay
+truncate} cell to a single OR on a circuit. That OR then sends a
+\emph{destroy} cell forward, and acknowledges with a
+\emph{relay truncated} cell. Alice can then extend the circuit to
+different nodes, without signaling to the intermediate nodes (or
+a limited observer) that she has changed her circuit.
+Similarly, if a node on the circuit goes down, the adjacent
+node can send a \emph{relay truncated} cell back to Alice. Thus the
+``break a node and see which circuits go down''
+attack~\cite{freedom21-security} is weakened.
+
+\subsection{Opening and closing streams}
+\label{subsec:tcp}
+
+When Alice's application wants a TCP connection to a given
+address and port, it asks the OP (via SOCKS) to make the
+connection. The OP chooses the newest open circuit (or creates one if
+needed), and chooses a suitable OR on that circuit to be the
+exit node (usually the last node, but maybe others due to exit policy
+conflicts; see Section~\ref{subsec:exitpolicies}.) The OP then opens
+the stream by sending a \emph{relay begin} cell to the exit node,
+using a new random streamID. Once the
+exit node connects to the remote host, it responds
+with a \emph{relay connected} cell. Upon receipt, the OP sends a
+SOCKS reply to notify the application of its success. The OP
+now accepts data from the application's TCP stream, packaging it into
+\emph{relay data} cells and sending those cells along the circuit to
+the chosen OR.
+
+There's a catch to using SOCKS, however---some applications pass the
+alphanumeric hostname to the Tor client, while others resolve it into
+an IP address first and then pass the IP address to the Tor client. If
+the application does DNS resolution first, Alice thereby reveals her
+destination to the remote DNS server, rather than sending the hostname
+through the Tor network to be resolved at the far end. Common applications
+like Mozilla and SSH have this flaw.
+
+With Mozilla, the flaw is easy to address: the filtering HTTP
+proxy called Privoxy gives a hostname to the Tor client, so Alice's
+computer never does DNS resolution.
+But a portable general solution, such as is needed for
+SSH, is
+an open problem. Modifying or replacing the local nameserver
+can be invasive, brittle, and unportable. Forcing the resolver
+library to prefer TCP rather than UDP is hard, and also has
+portability problems. Dynamically intercepting system calls to the
+resolver library seems a promising direction. We could also provide
+a tool similar to \emph{dig} to perform a private lookup through the
+Tor network. Currently, we encourage the use of privacy-aware proxies
+like Privoxy wherever possible.
+
+Closing a Tor stream is analogous to closing a TCP stream: it uses a
+two-step handshake for normal operation, or a one-step handshake for
+errors. If the stream closes abnormally, the adjacent node simply sends a
+\emph{relay teardown} cell. If the stream closes normally, the node sends
+a \emph{relay end} cell down the circuit, and the other side responds with
+its own \emph{relay end} cell. Because
+all relay cells use layered encryption, only the destination OR knows
+that a given relay cell is a request to close a stream. This two-step
+handshake allows Tor to support TCP-based applications that use half-closed
+connections.
+% such as broken HTTP clients that close their side of the
+%stream after writing but are still willing to read.
+
+\subsection{Integrity checking on streams}
+\label{subsec:integrity-checking}
+
+Because the old Onion Routing design used a stream cipher without integrity
+checking, traffic was
+vulnerable to a malleability attack: though the attacker could not
+decrypt cells, any changes to encrypted data
+would create corresponding changes to the data leaving the network.
+This weakness allowed an adversary who could guess the encrypted content
+to change a padding cell to a destroy
+cell; change the destination address in a \emph{relay begin} cell to the
+adversary's webserver; or change an FTP command from
+{\tt dir} to {\tt rm~*}. (Even an external
+adversary could do this, because the link encryption similarly used a
+stream cipher.)
+
+Because Tor uses TLS on its links, external adversaries cannot modify
+data. Addressing the insider malleability attack, however, is
+more complex.
+
+We could do integrity checking of the relay cells at each hop, either
+by including hashes or by using an authenticating cipher mode like
+EAX~\cite{eax}, but there are some problems. First, these approaches
+impose a message-expansion overhead at each hop, and so we would have to
+either leak the path length or waste bytes by padding to a maximum
+path length. Second, these solutions can only verify traffic coming
+from Alice: ORs would not be able to produce suitable hashes for
+the intermediate hops, since the ORs on a circuit do not know the
+other ORs' session keys. Third, we have already accepted that our design
+is vulnerable to end-to-end timing attacks; so tagging attacks performed
+within the circuit provide no additional information to the attacker.
+
+Thus, we check integrity only at the edges of each stream. (Remember that
+in our leaky-pipe circuit topology, a stream's edge could be any hop
+in the circuit.) When Alice
+negotiates a key with a new hop, they each initialize a SHA-1
+digest with a derivative of that key,
+thus beginning with randomness that only the two of them know.
+Then they each incrementally add to the SHA-1 digest the contents of
+all relay cells they create, and include with each relay cell the
+first four bytes of the current digest. Each also keeps a SHA-1
+digest of data received, to verify that the received hashes are correct.
+
+To be sure of removing or modifying a cell, the attacker must be able
+to deduce the current digest state (which depends on all
+traffic between Alice and Bob, starting with their negotiated key).
+Attacks on SHA-1 where the adversary can incrementally add to a hash
+to produce a new valid hash don't work, because all hashes are
+end-to-end encrypted across the circuit. The computational overhead
+of computing the digests is minimal compared to doing the AES
+encryption performed at each hop of the circuit. We use only four
+bytes per cell to minimize overhead; the chance that an adversary will
+correctly guess a valid hash
+%, plus the payload the current cell,
+is
+acceptably low, given that the OP or OR tear down the circuit if they
+receive a bad hash.
+
+\subsection{Rate limiting and fairness}
+\label{subsec:rate-limit}
+
+Volunteers are more willing to run services that can limit
+their bandwidth usage. To accommodate them, Tor servers use a
+token bucket approach~\cite{tannenbaum96} to
+enforce a long-term average rate of incoming bytes, while still
+permitting short-term bursts above the allowed bandwidth.
+% Current bucket sizes are set to ten seconds' worth of traffic.
+
+%Further, we want to avoid starving any Tor streams. Entire circuits
+%could starve if we read greedily from connections and one connection
+%uses all the remaining bandwidth. We solve this by dividing the number
+%of tokens in the bucket by the number of connections that want to read,
+%and reading at most that number of bytes from each connection. We iterate
+%this procedure until the number of tokens in the bucket is under some
+%threshold (currently 10KB), at which point we greedily read from connections.
+
+Because the Tor protocol outputs about the same number of bytes as it
+takes in, it is sufficient in practice to limit only incoming bytes.
+With TCP streams, however, the correspondence is not one-to-one:
+relaying a single incoming byte can require an entire 512-byte cell.
+(We can't just wait for more bytes, because the local application may
+be awaiting a reply.) Therefore, we treat this case as if the entire
+cell size had been read, regardless of the cell's fullness.
+
+Further, inspired by Rennhard et al's design in~\cite{anonnet}, a
+circuit's edges can heuristically distinguish interactive streams from bulk
+streams by comparing the frequency with which they supply cells. We can
+provide good latency for interactive streams by giving them preferential
+service, while still giving good overall throughput to the bulk
+streams. Such preferential treatment presents a possible end-to-end
+attack, but an adversary observing both
+ends of the stream can already learn this information through timing
+attacks.
+
+\subsection{Congestion control}
+\label{subsec:congestion}
+
+Even with bandwidth rate limiting, we still need to worry about
+congestion, either accidental or intentional. If enough users choose the
+same OR-to-OR connection for their circuits, that connection can become
+saturated. For example, an attacker could send a large file
+through the Tor network to a webserver he runs, and then
+refuse to read any of the bytes at the webserver end of the
+circuit. Without some congestion control mechanism, these bottlenecks
+can propagate back through the entire network. We don't need to
+reimplement full TCP windows (with sequence numbers,
+the ability to drop cells when we're full and retransmit later, and so
+on),
+because TCP already guarantees in-order delivery of each
+cell.
+%But we need to investigate further the effects of the current
+%parameters on throughput and latency, while also keeping privacy in mind;
+%see Section~\ref{sec:maintaining-anonymity} for more discussion.
+We describe our response below.
+
+\textbf{Circuit-level throttling:}
+To control a circuit's bandwidth usage, each OR keeps track of two
+windows. The \emph{packaging window} tracks how many relay data cells the OR is
+allowed to package (from incoming TCP streams) for transmission back to the OP,
+and the \emph{delivery window} tracks how many relay data cells it is willing
+to deliver to TCP streams outside the network. Each window is initialized
+(say, to 1000 data cells). When a data cell is packaged or delivered,
+the appropriate window is decremented. When an OR has received enough
+data cells (currently 100), it sends a \emph{relay sendme} cell towards the OP,
+with streamID zero. When an OR receives a \emph{relay sendme} cell with
+streamID zero, it increments its packaging window. Either of these cells
+increments the corresponding window by 100. If the packaging window
+reaches 0, the OR stops reading from TCP connections for all streams
+on the corresponding circuit, and sends no more relay data cells until
+receiving a \emph{relay sendme} cell.
+
+The OP behaves identically, except that it must track a packaging window
+and a delivery window for every OR in the circuit. If a packaging window
+reaches 0, it stops reading from streams destined for that OR.
+
+\textbf{Stream-level throttling}:
+The stream-level congestion control mechanism is similar to the
+circuit-level mechanism. ORs and OPs use \emph{relay sendme} cells
+to implement end-to-end flow control for individual streams across
+circuits. Each stream begins with a packaging window (currently 500 cells),
+and increments the window by a fixed value (50) upon receiving a \emph{relay
+sendme} cell. Rather than always returning a \emph{relay sendme} cell as soon
+as enough cells have arrived, the stream-level congestion control also
+has to check whether data has been successfully flushed onto the TCP
+stream; it sends the \emph{relay sendme} cell only when the number of bytes pending
+to be flushed is under some threshold (currently 10 cells' worth).
+
+%% Maybe omit this next paragraph. -NM
+%Currently, non-data relay cells do not affect the windows. Thus we
+%avoid potential deadlock issues, for example, arising because a stream
+%can't send a \emph{relay sendme} cell when its packaging window is empty.
+
+These arbitrarily chosen parameters seem to give tolerable throughput
+and delay; see Section~\ref{sec:in-the-wild}.
+
+\section{Rendezvous Points and hidden services}
+\label{sec:rendezvous}
+
+Rendezvous points are a building block for \emph{location-hidden
+services} (also known as \emph{responder anonymity}) in the Tor
+network. Location-hidden services allow Bob to offer a TCP
+service, such as a webserver, without revealing his IP address.
+This type of anonymity protects against distributed DoS attacks:
+attackers are forced to attack the onion routing network
+because they do not know Bob's IP address.
+
+Our design for location-hidden servers has the following goals.
+\textbf{Access-control:} Bob needs a way to filter incoming requests,
+so an attacker cannot flood Bob simply by making many connections to him.
+\textbf{Robustness:} Bob should be able to maintain a long-term pseudonymous
+identity even in the presence of router failure. Bob's service must
+not be tied to a single OR, and Bob must be able to migrate his service
+across ORs. \textbf{Smear-resistance:}
+A social attacker
+should not be able to ``frame'' a rendezvous router by
+offering an illegal or disreputable location-hidden service and
+making observers believe the router created that service.
+\textbf{Application-transparency:} Although we require users
+to run special software to access location-hidden servers, we must not
+require them to modify their applications.
+
+We provide location-hiding for Bob by allowing him to advertise
+several onion routers (his \emph{introduction points}) as contact
+points. He may do this on any robust efficient
+key-value lookup system with authenticated updates, such as a
+distributed hash table (DHT) like CFS~\cite{cfs:sosp01}.\footnote{
+Rather than rely on an external infrastructure, the Onion Routing network
+can run the lookup service itself. Our current implementation provides a
+simple lookup system on the
+directory servers.} Alice, the client, chooses an OR as her
+\emph{rendezvous point}. She connects to one of Bob's introduction
+points, informs him of her rendezvous point, and then waits for him
+to connect to the rendezvous point. This extra level of indirection
+helps Bob's introduction points avoid problems associated with serving
+unpopular files directly (for example, if Bob serves
+material that the introduction point's community finds objectionable,
+or if Bob's service tends to get attacked by network vandals).
+The extra level of indirection also allows Bob to respond to some requests
+and ignore others.
+
+\subsection{Rendezvous points in Tor}
+
+The following steps are
+%We give an overview of the steps of a rendezvous. These are
+performed on behalf of Alice and Bob by their local OPs;
+application integration is described more fully below.
+
+\begin{tightlist}
+\item Bob generates a long-term public key pair to identify his service.
+\item Bob chooses some introduction points, and advertises them on
+ the lookup service, signing the advertisement with his public key. He
+ can add more later.
+\item Bob builds a circuit to each of his introduction points, and tells
+ them to wait for requests.
+\item Alice learns about Bob's service out of band (perhaps Bob told her,
+ or she found it on a website). She retrieves the details of Bob's
+ service from the lookup service. If Alice wants to access Bob's
+ service anonymously, she must connect to the lookup service via Tor.
+\item Alice chooses an OR as the rendezvous point (RP) for her connection to
+ Bob's service. She builds a circuit to the RP, and gives it a
+ randomly chosen ``rendezvous cookie'' to recognize Bob.
+\item Alice opens an anonymous stream to one of Bob's introduction
+ points, and gives it a message (encrypted with Bob's public key)
+ telling it about herself,
+ her RP and rendezvous cookie, and the
+ start of a DH
+ handshake. The introduction point sends the message to Bob.
+\item If Bob wants to talk to Alice, he builds a circuit to Alice's
+ RP and sends the rendezvous cookie, the second half of the DH
+ handshake, and a hash of the session
+ key they now share. By the same argument as in
+ Section~\ref{subsubsec:constructing-a-circuit}, Alice knows she
+ shares the key only with Bob.
+\item The RP connects Alice's circuit to Bob's. Note that RP can't
+ recognize Alice, Bob, or the data they transmit.
+\item Alice sends a \emph{relay begin} cell along the circuit. It
+ arrives at Bob's OP, which connects to Bob's
+ webserver.
+\item An anonymous stream has been established, and Alice and Bob
+ communicate as normal.
+\end{tightlist}
+
+When establishing an introduction point, Bob provides the onion router
+with the public key identifying his service. Bob signs his
+messages, so others cannot usurp his introduction point
+in the future. He uses the same public key to establish the other
+introduction points for his service, and periodically refreshes his
+entry in the lookup service.
+
+The message that Alice gives
+the introduction point includes a hash of Bob's public key % to identify
+%the service, along with
+and an optional initial authorization token (the
+introduction point can do prescreening, for example to block replays). Her
+message to Bob may include an end-to-end authorization token so Bob
+can choose whether to respond.
+The authorization tokens can be used to provide selective access:
+important users can get uninterrupted access.
+%important users get tokens to ensure uninterrupted access. %to the
+%service.
+During normal situations, Bob's service might simply be offered
+directly from mirrors, while Bob gives out tokens to high-priority users. If
+the mirrors are knocked down,
+%by distributed DoS attacks or even
+%physical attack,
+those users can switch to accessing Bob's service via
+the Tor rendezvous system.
+
+Bob's introduction points are themselves subject to DoS---he must
+open many introduction points or risk such an attack.
+He can provide selected users with a current list or future schedule of
+unadvertised introduction points;
+this is most practical
+if there is a stable and large group of introduction points
+available. Bob could also give secret public keys
+for consulting the lookup service. All of these approaches
+limit exposure even when
+some selected users collude in the DoS\@.
+
+\subsection{Integration with user applications}
+
+Bob configures his onion proxy to know the local IP address and port of his
+service, a strategy for authorizing clients, and his public key. The onion
+proxy anonymously publishes a signed statement of Bob's
+public key, an expiration time, and
+the current introduction points for his service onto the lookup service,
+indexed
+by the hash of his public key. Bob's webserver is unmodified,
+and doesn't even know that it's hidden behind the Tor network.
+
+Alice's applications also work unchanged---her client interface
+remains a SOCKS proxy. We encode all of the necessary information
+into the fully qualified domain name (FQDN) Alice uses when establishing her
+connection. Location-hidden services use a virtual top level domain
+called {\tt .onion}: thus hostnames take the form {\tt x.y.onion} where
+{\tt x} is the authorization cookie and {\tt y} encodes the hash of
+the public key. Alice's onion proxy
+examines addresses; if they're destined for a hidden server, it decodes
+the key and starts the rendezvous as described above.
+
+\subsection{Previous rendezvous work}
+%XXXX Should this get integrated into the earlier related work section? -NM
+
+Rendezvous points in low-latency anonymity systems were first
+described for use in ISDN telephony~\cite{jerichow-jsac98,isdn-mixes}.
+Later low-latency designs used rendezvous points for hiding location
+of mobile phones and low-power location
+trackers~\cite{federrath-ih96,reed-protocols97}. Rendezvous for
+anonymizing low-latency
+Internet connections was suggested in early Onion Routing
+work~\cite{or-ih96}, but the first published design was by Ian
+Goldberg~\cite{ian-thesis}. His design differs from
+ours in three ways. First, Goldberg suggests that Alice should manually
+hunt down a current location of the service via Gnutella; our approach
+makes lookup transparent to the user, as well as faster and more robust.
+Second, in Tor the client and server negotiate session keys
+with Diffie-Hellman, so plaintext is not exposed even at the rendezvous
+point. Third,
+our design minimizes the exposure from running the
+service, to encourage volunteers to offer introduction and rendezvous
+services. Tor's introduction points do not output any bytes to the
+clients; the rendezvous points don't know the client or the server,
+and can't read the data being transmitted. The indirection scheme is
+also designed to include authentication/authorization---if Alice doesn't
+include the right cookie with her request for service, Bob need not even
+acknowledge his existence.
+
+\section{Other design decisions}
+\label{sec:other-design}
+
+\subsection{Denial of service}
+\label{subsec:dos}
+
+Providing Tor as a public service creates many opportunities for
+denial-of-service attacks against the network. While
+flow control and rate limiting (discussed in
+Section~\ref{subsec:congestion}) prevent users from consuming more
+bandwidth than routers are willing to provide, opportunities remain for
+users to
+consume more network resources than their fair share, or to render the
+network unusable for others.
+
+First of all, there are several CPU-consuming denial-of-service
+attacks wherein an attacker can force an OR to perform expensive
+cryptographic operations. For example, an attacker can
+%\emph{create} cell full of junk bytes can force an OR to perform an RSA
+%decrypt.
+%Similarly, an attacker can
+fake the start of a TLS handshake, forcing the OR to carry out its
+(comparatively expensive) half of the handshake at no real computational
+cost to the attacker.
+
+We have not yet implemented any defenses for these attacks, but several
+approaches are possible. First, ORs can
+require clients to solve a puzzle~\cite{puzzles-tls} while beginning new
+TLS handshakes or accepting \emph{create} cells. So long as these
+tokens are easy to verify and computationally expensive to produce, this
+approach limits the attack multiplier. Additionally, ORs can limit
+the rate at which they accept \emph{create} cells and TLS connections,
+so that
+the computational work of processing them does not drown out the
+symmetric cryptography operations that keep cells
+flowing. This rate limiting could, however, allow an attacker
+to slow down other users when they build new circuits.
+
+% What about link-to-link rate limiting?
+
+Adversaries can also attack the Tor network's hosts and network
+links. Disrupting a single circuit or link breaks all streams passing
+along that part of the circuit. Users similarly lose service
+when a router crashes or its operator restarts it. The current
+Tor design treats such attacks as intermittent network failures, and
+depends on users and applications to respond or recover as appropriate. A
+future design could use an end-to-end TCP-like acknowledgment protocol,
+so no streams are lost unless the entry or exit point is
+disrupted. This solution would require more buffering at the network
+edges, however, and the performance and anonymity implications from this
+extra complexity still require investigation.
+
+\subsection{Exit policies and abuse}
+\label{subsec:exitpolicies}
+
+% originally, we planned to put the "users only know the hostname,
+% not the IP, but exit policies are by IP" problem here too. Not
+% worth putting in the submission, but worth thinking about putting
+% in sometime somehow. -RD
+
+Exit abuse is a serious barrier to wide-scale Tor deployment. Anonymity
+presents would-be vandals and abusers with an opportunity to hide
+the origins of their activities. Attackers can harm the Tor network by
+implicating exit servers for their abuse. Also, applications that commonly
+use IP-based authentication (such as institutional mail or webservers)
+can be fooled by the fact that anonymous connections appear to originate
+at the exit OR.
+
+We stress that Tor does not enable any new class of abuse. Spammers
+and other attackers already have access to thousands of misconfigured
+systems worldwide, and the Tor network is far from the easiest way
+to launch attacks.
+%Indeed, because of its limited
+%anonymity, Tor is probably not a good way to commit crimes.
+But because the
+onion routers can be mistaken for the originators of the abuse,
+and the volunteers who run them may not want to deal with the hassle of
+explaining anonymity networks to irate administrators, we must block or limit
+abuse through the Tor network.
+
+To mitigate abuse issues, each onion router's \emph{exit policy}
+describes to which external addresses and ports the router will
+connect. On one end of the spectrum are \emph{open exit}
+nodes that will connect anywhere. On the other end are \emph{middleman}
+nodes that only relay traffic to other Tor nodes, and \emph{private exit}
+nodes that only connect to a local host or network. A private
+exit can allow a client to connect to a given host or
+network more securely---an external adversary cannot eavesdrop traffic
+between the private exit and the final destination, and so is less sure of
+Alice's destination and activities. Most onion routers in the current
+network function as
+\emph{restricted exits} that permit connections to the world at large,
+but prevent access to certain abuse-prone addresses and services such
+as SMTP.
+The OR might also be able to authenticate clients to
+prevent exit abuse without harming anonymity~\cite{or-discex00}.
+
+%The abuse issues on closed (e.g. military) networks are different
+%from the abuse on open networks like the Internet. While these IP-based
+%access controls are still commonplace on the Internet, on closed networks,
+%nearly all participants will be honest, and end-to-end authentication
+%can be assumed for important traffic.
+
+Many administrators use port restrictions to support only a
+limited set of services, such as HTTP, SSH, or AIM.
+This is not a complete solution, of course, since abuse opportunities for these
+protocols are still well known.
+
+We have not yet encountered any abuse in the deployed network, but if
+we do we should consider using proxies to clean traffic for certain
+protocols as it leaves the network. For example, much abusive HTTP
+behavior (such as exploiting buffer overflows or well-known script
+vulnerabilities) can be detected in a straightforward manner.
+Similarly, one could run automatic spam filtering software (such as
+SpamAssassin) on email exiting the OR network.
+
+ORs may also rewrite exiting traffic to append
+headers or other information indicating that the traffic has passed
+through an anonymity service. This approach is commonly used
+by email-only anonymity systems. ORs can also
+run on servers with hostnames like {\tt anonymous} to further
+alert abuse targets to the nature of the anonymous traffic.
+
+A mixture of open and restricted exit nodes allows the most
+flexibility for volunteers running servers. But while having many
+middleman nodes provides a large and robust network,
+having only a few exit nodes reduces the number of points
+an adversary needs to monitor for traffic analysis, and places a
+greater burden on the exit nodes. This tension can be seen in the
+Java Anon Proxy
+cascade model, wherein only one node in each cascade needs to handle
+abuse complaints---but an adversary only needs to observe the entry
+and exit of a cascade to perform traffic analysis on all that
+cascade's users. The hydra model (many entries, few exits) presents a
+different compromise: only a few exit nodes are needed, but an
+adversary needs to work harder to watch all the clients; see
+Section~\ref{sec:conclusion}.
+
+Finally, we note that exit abuse must not be dismissed as a peripheral
+issue: when a system's public image suffers, it can reduce the number
+and diversity of that system's users, and thereby reduce the anonymity
+of the system itself. Like usability, public perception is a
+security parameter. Sadly, preventing abuse of open exit nodes is an
+unsolved problem, and will probably remain an arms race for the
+foreseeable future. The abuse problems faced by Princeton's CoDeeN
+project~\cite{darkside} give us a glimpse of likely issues.
+
+\subsection{Directory Servers}
+\label{subsec:dirservers}
+
+First-generation Onion Routing designs~\cite{freedom2-arch,or-jsac98} used
+in-band network status updates: each router flooded a signed statement
+to its neighbors, which propagated it onward. But anonymizing networks
+have different security goals than typical link-state routing protocols.
+For example, delays (accidental or intentional)
+that can cause different parts of the network to have different views
+of link-state and topology are not only inconvenient: they give
+attackers an opportunity to exploit differences in client knowledge.
+We also worry about attacks to deceive a
+client about the router membership list, topology, or current network
+state. Such \emph{partitioning attacks} on client knowledge help an
+adversary to efficiently deploy resources
+against a target~\cite{minion-design}.
+
+Tor uses a small group of redundant, well-known onion routers to
+track changes in network topology and node state, including keys and
+exit policies. Each such \emph{directory server} acts as an HTTP
+server, so clients can fetch current network state
+and router lists, and so other ORs can upload
+state information. Onion routers periodically publish signed
+statements of their state to each directory server. The directory servers
+combine this information with their own views of network liveness,
+and generate a signed description (a \emph{directory}) of the entire
+network state. Client software is
+pre-loaded with a list of the directory servers and their keys,
+to bootstrap each client's view of the network.
+% XXX this means that clients will be forced to upgrade as the
+% XXX dirservers change or get compromised. argue that this is ok.
+
+When a directory server receives a signed statement for an OR, it
+checks whether the OR's identity key is recognized. Directory
+servers do not advertise unrecognized ORs---if they did,
+an adversary could take over the network by creating many
+servers~\cite{sybil}. Instead, new nodes must be approved by the
+directory
+server administrator before they are included. Mechanisms for automated
+node approval are an area of active research, and are discussed more
+in Section~\ref{sec:maintaining-anonymity}.
+
+Of course, a variety of attacks remain. An adversary who controls
+a directory server can track clients by providing them different
+information---perhaps by listing only nodes under its control, or by
+informing only certain clients about a given node. Even an external
+adversary can exploit differences in client knowledge: clients who use
+a node listed on one directory server but not the others are vulnerable.
+
+Thus these directory servers must be synchronized and redundant, so
+that they can agree on a common directory. Clients should only trust
+this directory if it is signed by a threshold of the directory
+servers.
+
+The directory servers in Tor are modeled after those in
+Mixminion~\cite{minion-design}, but our situation is easier. First,
+we make the
+simplifying assumption that all participants agree on the set of
+directory servers. Second, while Mixminion needs to predict node
+behavior, Tor only needs a threshold consensus of the current
+state of the network. Third, we assume that we can fall back to the
+human administrators to discover and resolve problems when a consensus
+directory cannot be reached. Since there are relatively few directory
+servers (currently 3, but we expect as many as 9 as the network scales),
+we can afford operations like broadcast to simplify the consensus-building
+protocol.
+
+To avoid attacks where a router connects to all the directory servers
+but refuses to relay traffic from other routers, the directory servers
+must also build circuits and use them to anonymously test router
+reliability~\cite{mix-acc}. Unfortunately, this defense is not yet
+designed or
+implemented.
+
+Using directory servers is simpler and more flexible than flooding.
+Flooding is expensive, and complicates the analysis when we
+start experimenting with non-clique network topologies. Signed
+directories can be cached by other
+onion routers,
+so directory servers are not a performance
+bottleneck when we have many users, and do not aid traffic analysis by
+forcing clients to announce their existence to any
+central point.
+
+\section{Attacks and Defenses}
+\label{sec:attacks}
+
+Below we summarize a variety of attacks, and discuss how well our
+design withstands them.\\
+
+\noindent{\large\bf Passive attacks}\\
+\emph{Observing user traffic patterns.} Observing a user's connection
+will not reveal her destination or data, but it will
+reveal traffic patterns (both sent and received). Profiling via user
+connection patterns requires further processing, because multiple
+application streams may be operating simultaneously or in series over
+a single circuit.
+
+\emph{Observing user content.} While content at the user end is encrypted,
+connections to responders may not be (indeed, the responding website
+itself may be hostile). While filtering content is not a primary goal
+of Onion Routing, Tor can directly use Privoxy and related
+filtering services to anonymize application data streams.
+
+\emph{Option distinguishability.} We allow clients to choose
+configuration options. For example, clients concerned about request
+linkability should rotate circuits more often than those concerned
+about traceability. Allowing choice may attract users with different
+%There is economic incentive to attract users by
+%allowing this choice;
+needs; but clients who are
+in the minority may lose more anonymity by appearing distinct than they
+gain by optimizing their behavior~\cite{econymics}.
+
+\emph{End-to-end timing correlation.} Tor only minimally hides
+such correlations. An attacker watching patterns of
+traffic at the initiator and the responder will be
+able to confirm the correspondence with high probability. The
+greatest protection currently available against such confirmation is to hide
+the connection between the onion proxy and the first Tor node,
+by running the OP on the Tor node or behind a firewall. This approach
+requires an observer to separate traffic originating at the onion
+router from traffic passing through it: a global observer can do this,
+but it might be beyond a limited observer's capabilities.
+
+\emph{End-to-end size correlation.} Simple packet counting
+will also be effective in confirming
+endpoints of a stream. However, even without padding, we may have some
+limited protection: the leaky pipe topology means different numbers
+of packets may enter one end of a circuit than exit at the other.
+
+\emph{Website fingerprinting.} All the effective passive
+attacks above are traffic confirmation attacks,
+which puts them outside our design goals. There is also
+a passive traffic analysis attack that is potentially effective.
+Rather than searching exit connections for timing and volume
+correlations, the adversary may build up a database of
+``fingerprints'' containing file sizes and access patterns for
+targeted websites. He can later confirm a user's connection to a given
+site simply by consulting the database. This attack has
+been shown to be effective against SafeWeb~\cite{hintz-pet02}.
+It may be less effective against Tor, since
+streams are multiplexed within the same circuit, and
+fingerprinting will be limited to
+the granularity of cells (currently 512 bytes). Additional
+defenses could include
+larger cell sizes, padding schemes to group websites
+into large sets, and link
+padding or long-range dummies.\footnote{Note that this fingerprinting
+attack should not be confused with the much more complicated latency
+attacks of~\cite{back01}, which require a fingerprint of the latencies
+of all circuits through the network, combined with those from the
+network edges to the target user and the responder website.}\\
+
+\noindent{\large\bf Active attacks}\\
+\emph{Compromise keys.} An attacker who learns the TLS session key can
+see control cells and encrypted relay cells on every circuit on that
+connection; learning a circuit
+session key lets him unwrap one layer of the encryption. An attacker
+who learns an OR's TLS private key can impersonate that OR for the TLS
+key's lifetime, but he must
+also learn the onion key to decrypt \emph{create} cells (and because of
+perfect forward secrecy, he cannot hijack already established circuits
+without also compromising their session keys). Periodic key rotation
+limits the window of opportunity for these attacks. On the other hand,
+an attacker who learns a node's identity key can replace that node
+indefinitely by sending new forged descriptors to the directory servers.
+
+\emph{Iterated compromise.} A roving adversary who can
+compromise ORs (by system intrusion, legal coercion, or extralegal
+coercion) could march down the circuit compromising the
+nodes until he reaches the end. Unless the adversary can complete
+this attack within the lifetime of the circuit, however, the ORs
+will have discarded the necessary information before the attack can
+be completed. (Thanks to the perfect forward secrecy of session
+keys, the attacker cannot force nodes to decrypt recorded
+traffic once the circuits have been closed.) Additionally, building
+circuits that cross jurisdictions can make legal coercion
+harder---this phenomenon is commonly called ``jurisdictional
+arbitrage.'' The Java Anon Proxy project recently experienced the
+need for this approach, when
+a German court forced them to add a backdoor to
+their nodes~\cite{jap-backdoor}.
+
+\emph{Run a recipient.} An adversary running a webserver
+trivially learns the timing patterns of users connecting to it, and
+can introduce arbitrary patterns in its responses.
+End-to-end attacks become easier: if the adversary can induce
+users to connect to his webserver (perhaps by advertising
+content targeted to those users), he now holds one end of their
+connection. There is also a danger that application
+protocols and associated programs can be induced to reveal information
+about the initiator. Tor depends on Privoxy and similar protocol cleaners
+to solve this latter problem.
+
+\emph{Run an onion proxy.} It is expected that end users will
+nearly always run their own local onion proxy. However, in some
+settings, it may be necessary for the proxy to run
+remotely---typically, in institutions that want
+to monitor the activity of those connecting to the proxy.
+Compromising an onion proxy compromises all future connections
+through it.
+
+\emph{DoS non-observed nodes.} An observer who can only watch some
+of the Tor network can increase the value of this traffic
+by attacking non-observed nodes to shut them down, reduce
+their reliability, or persuade users that they are not trustworthy.
+The best defense here is robustness.
+
+\emph{Run a hostile OR.} In addition to being a local observer,
+an isolated hostile node can create circuits through itself, or alter
+traffic patterns to affect traffic at other nodes. Nonetheless, a hostile
+node must be immediately adjacent to both endpoints to compromise the
+anonymity of a circuit. If an adversary can
+run multiple ORs, and can persuade the directory servers
+that those ORs are trustworthy and independent, then occasionally
+some user will choose one of those ORs for the start and another
+as the end of a circuit. If an adversary
+controls $m>1$ of $N$ nodes, he can correlate at most
+$\left(\frac{m}{N}\right)^2$ of the traffic---although an
+adversary
+could still attract a disproportionately large amount of traffic
+by running an OR with a permissive exit policy, or by
+degrading the reliability of other routers.
+
+\emph{Introduce timing into messages.} This is simply a stronger
+version of passive timing attacks already discussed earlier.
+
+\emph{Tagging attacks.} A hostile node could ``tag'' a
+cell by altering it. If the
+stream were, for example, an unencrypted request to a Web site,
+the garbled content coming out at the appropriate time would confirm
+the association. However, integrity checks on cells prevent
+this attack.
+
+\emph{Replace contents of unauthenticated protocols.} When
+relaying an unauthenticated protocol like HTTP, a hostile exit node
+can impersonate the target server. Clients
+should prefer protocols with end-to-end authentication.
+
+\emph{Replay attacks.} Some anonymity protocols are vulnerable
+to replay attacks. Tor is not; replaying one side of a handshake
+will result in a different negotiated session key, and so the rest
+of the recorded session can't be used.
+
+\emph{Smear attacks.} An attacker could use the Tor network for
+socially disapproved acts, to bring the
+network into disrepute and get its operators to shut it down.
+Exit policies reduce the possibilities for abuse, but
+ultimately the network requires volunteers who can tolerate
+some political heat.
+
+\emph{Distribute hostile code.} An attacker could trick users
+into running subverted Tor software that did not, in fact, anonymize
+their connections---or worse, could trick ORs into running weakened
+software that provided users with less anonymity. We address this
+problem (but do not solve it completely) by signing all Tor releases
+with an official public key, and including an entry in the directory
+that lists which versions are currently believed to be secure. To
+prevent an attacker from subverting the official release itself
+(through threats, bribery, or insider attacks), we provide all
+releases in source code form, encourage source audits, and
+frequently warn our users never to trust any software (even from
+us) that comes without source.\\
+
+\noindent{\large\bf Directory attacks}\\
+\emph{Destroy directory servers.} If a few directory
+servers disappear, the others still decide on a valid
+directory. So long as any directory servers remain in operation,
+they will still broadcast their views of the network and generate a
+consensus directory. (If more than half are destroyed, this
+directory will not, however, have enough signatures for clients to
+use it automatically; human intervention will be necessary for
+clients to decide whether to trust the resulting directory.)
+
+\emph{Subvert a directory server.} By taking over a directory server,
+an attacker can partially influence the final directory. Since ORs
+are included or excluded by majority vote, the corrupt directory can
+at worst cast a tie-breaking vote to decide whether to include
+marginal ORs. It remains to be seen how often such marginal cases
+occur in practice.
+
+\emph{Subvert a majority of directory servers.} An adversary who controls
+more than half the directory servers can include as many compromised
+ORs in the final directory as he wishes. We must ensure that directory
+server operators are independent and attack-resistant.
+
+\emph{Encourage directory server dissent.} The directory
+agreement protocol assumes that directory server operators agree on
+the set of directory servers. An adversary who can persuade some
+of the directory server operators to distrust one another could
+split the quorum into mutually hostile camps, thus partitioning
+users based on which directory they use. Tor does not address
+this attack.
+
+\emph{Trick the directory servers into listing a hostile OR.}
+Our threat model explicitly assumes directory server operators will
+be able to filter out most hostile ORs.
+% If this is not true, an
+% attacker can flood the directory with compromised servers.
+
+\emph{Convince the directories that a malfunctioning OR is
+working.} In the current Tor implementation, directory servers
+assume that an OR is running correctly if they can start a TLS
+connection to it. A hostile OR could easily subvert this test by
+accepting TLS connections from ORs but ignoring all cells. Directory
+servers must actively test ORs by building circuits and streams as
+appropriate. The tradeoffs of a similar approach are discussed
+in~\cite{mix-acc}.\\
+
+\noindent{\large\bf Attacks against rendezvous points}\\
+\emph{Make many introduction requests.} An attacker could
+try to deny Bob service by flooding his introduction points with
+requests. Because the introduction points can block requests that
+lack authorization tokens, however, Bob can restrict the volume of
+requests he receives, or require a certain amount of computation for
+every request he receives.
+
+\emph{Attack an introduction point.} An attacker could
+disrupt a location-hidden service by disabling its introduction
+points. But because a service's identity is attached to its public
+key, the service can simply re-advertise
+itself at a different introduction point. Advertisements can also be
+done secretly so that only high-priority clients know the address of
+Bob's introduction points or so that different clients know of different
+introduction points. This forces the attacker to disable all possible
+introduction points.
+
+\emph{Compromise an introduction point.} An attacker who controls
+Bob's introduction point can flood Bob with
+introduction requests, or prevent valid introduction requests from
+reaching him. Bob can notice a flood, and close the circuit. To notice
+blocking of valid requests, however, he should periodically test the
+introduction point by sending rendezvous requests and making
+sure he receives them.
+
+\emph{Compromise a rendezvous point.} A rendezvous
+point is no more sensitive than any other OR on
+a circuit, since all data passing through the rendezvous is encrypted
+with a session key shared by Alice and Bob.
+
+\section{Early experiences: Tor in the Wild}
+\label{sec:in-the-wild}
+
+As of mid-May 2004, the Tor network consists of 32 nodes
+(24 in the US, 8 in Europe), and more are joining each week as the code
+matures. (For comparison, the current remailer network
+has about 40 nodes.) % We haven't asked PlanetLab to provide
+%Tor nodes, since their AUP wouldn't allow exit nodes (see
+%also~\cite{darkside}) and because we aim to build a long-term community of
+%node operators and developers.}
+Each node has at least a 768Kb/768Kb connection, and
+many have 10Mb. The number of users varies (and of course, it's hard to
+tell for sure), but we sometimes have several hundred users---administrators at
+several companies have begun sending their entire departments' web
+traffic through Tor, to block other divisions of
+their company from reading their traffic. Tor users have reported using
+the network for web browsing, FTP, IRC, AIM, Kazaa, SSH, and
+recipient-anonymous email via rendezvous points. One user has anonymously
+set up a Wiki as a hidden service, where other users anonymously publish
+the addresses of their hidden services.
+
+Each Tor node currently processes roughly 800,000 relay
+cells (a bit under half a gigabyte) per week. On average, about 80\%
+of each 498-byte payload is full for cells going back to the client,
+whereas about 40\% is full for cells coming from the client. (The difference
+arises because most of the network's traffic is web browsing.) Interactive
+traffic like SSH brings down the average a lot---once we have more
+experience, and assuming we can resolve the anonymity issues, we may
+partition traffic into two relay cell sizes: one to handle
+bulk traffic and one for interactive traffic.
+
+Based in part on our restrictive default exit policy (we
+reject SMTP requests) and our low profile, we have had no abuse
+issues since the network was deployed in October
+2003. Our slow growth rate gives us time to add features,
+resolve bugs, and get a feel for what users actually want from an
+anonymity system. Even though having more users would bolster our
+anonymity sets, we are not eager to attract the Kazaa or warez
+communities---we feel that we must build a reputation for privacy, human
+rights, research, and other socially laudable activities.
+
+As for performance, profiling shows that Tor spends almost
+all its CPU time in AES, which is fast. Current latency is attributable
+to two factors. First, network latency is critical: we are
+intentionally bouncing traffic around the world several times. Second,
+our end-to-end congestion control algorithm focuses on protecting
+volunteer servers from accidental DoS rather than on optimizing
+performance. % Right now the first $500 \times 500\mbox{B}=250\mbox{KB}$
+%of the stream arrives
+%quickly, and after that throughput depends on the rate that \emph{relay
+%sendme} acknowledgments arrive.
+To quantify these effects, we did some informal tests using a network of 4
+nodes on the same machine (a heavily loaded 1GHz Athlon). We downloaded a 60
+megabyte file from {\tt debian.org} every 30 minutes for 54 hours (108 sample
+points). It arrived in about 300 seconds on average, compared to 210s for a
+direct download. We ran a similar test on the production Tor network,
+fetching the front page of {\tt cnn.com} (55 kilobytes):
+% every 20 seconds for 8952 data points
+while a direct
+download consistently took about 0.3s, the performance through Tor varied.
+Some downloads were as fast as 0.4s, with a median at 2.8s, and
+90\% finishing within 5.3s. It seems that as the network expands, the chance
+of building a slow circuit (one that includes a slow or heavily loaded node
+or link) is increasing. On the other hand, as our users remain satisfied
+with this increased latency, we can address our performance incrementally as we
+proceed with development. %\footnote{For example, we have just begun pushing
+%a pipelining patch to the production network that seems to decrease
+%latency for medium-to-large files; we will present revised benchmarks
+%as they become available.}
+
+%With the current network's topology and load, users can typically get 1-2
+%megabits sustained transfer rate, which is good enough for now.
+%Indeed, the Tor
+%design aims foremost to provide a security research platform; performance
+%only needs to be sufficient to retain users~\cite{econymics,back01}.
+%We can tweak the congestion control
+%parameters to provide faster throughput at the cost of
+%larger buffers at each node; adding the heuristics mentioned in
+%Section~\ref{subsec:rate-limit} to favor low-volume
+%streams may also help. More research remains to find the
+%right balance.
+% We should say _HOW MUCH_ latency there is in these cases. -NM
+
+%performs badly on lossy networks. may need airhook or something else as
+%transport alternative?
+
+Although Tor's clique topology and full-visibility directories present
+scaling problems, we still expect the network to support a few hundred
+nodes and maybe 10,000 users before we're forced to become
+more distributed. With luck, the experience we gain running the current
+topology will help us choose among alternatives when the time comes.
+
+\section{Open Questions in Low-latency Anonymity}
+\label{sec:maintaining-anonymity}
+
+In addition to the non-goals in
+Section~\ref{subsec:non-goals}, many questions must be solved
+before we can be confident of Tor's security.
+
+Many of these open issues are questions of balance. For example,
+how often should users rotate to fresh circuits? Frequent rotation
+is inefficient, expensive, and may lead to intersection attacks and
+predecessor attacks~\cite{wright03}, but infrequent rotation makes the
+user's traffic linkable. Besides opening fresh circuits, clients can
+also exit from the middle of the circuit,
+or truncate and re-extend the circuit. More analysis is
+needed to determine the proper tradeoff.
+
+%% Duplicated by 'Better directory distribution' in section 9.
+%
+%A similar question surrounds timing of directory operations: how often
+%should directories be updated? Clients that update infrequently receive
+%an inaccurate picture of the network, but frequent updates can overload
+%the directory servers. More generally, we must find more
+%decentralized yet practical ways to distribute up-to-date snapshots of
+%network status without introducing new attacks.
+
+How should we choose path lengths? If Alice always uses two hops,
+then both ORs can be certain that by colluding they will learn about
+Alice and Bob. In our current approach, Alice always chooses at least
+three nodes unrelated to herself and her destination.
+%% This point is subtle, but not IMO necessary. Anybody who thinks
+%% about it will see that it's implied by the above sentence; anybody
+%% who doesn't think about it is safe in his ignorance.
+%
+%Thus normally she chooses
+%three nodes, but if she is running an OR and her destination is on an OR,
+%she uses five.
+Should Alice choose a random path length (e.g.~from a geometric
+distribution) to foil an attacker who
+uses timing to learn that he is the fifth hop and thus concludes that
+both Alice and the responder are running ORs?
+
+Throughout this paper, we have assumed that end-to-end traffic
+confirmation will immediately and automatically defeat a low-latency
+anonymity system. Even high-latency anonymity systems can be
+vulnerable to end-to-end traffic confirmation, if the traffic volumes
+are high enough, and if users' habits are sufficiently
+distinct~\cite{statistical-disclosure,limits-open}. Can anything be
+done to
+make low-latency systems resist these attacks as well as high-latency
+systems? Tor already makes some effort to conceal the starts and ends of
+streams by wrapping long-range control commands in identical-looking
+relay cells. Link padding could frustrate passive observers who count
+packets; long-range padding could work against observers who own the
+first hop in a circuit. But more research remains to find an efficient
+and practical approach. Volunteers prefer not to run constant-bandwidth
+padding; but no convincing traffic shaping approach has been
+specified. Recent work on long-range padding~\cite{defensive-dropping}
+shows promise. One could also try to reduce correlation in packet timing
+by batching and re-ordering packets, but it is unclear whether this could
+improve anonymity without introducing so much latency as to render the
+network unusable.
+
+A cascade topology may better defend against traffic confirmation by
+aggregating users, and making padding and
+mixing more affordable. Does the hydra topology (many input nodes,
+few output nodes) work better against some adversaries? Are we going
+to get a hydra anyway because most nodes will be middleman nodes?
+
+Common wisdom suggests that Alice should run her own OR for best
+anonymity, because traffic coming from her node could plausibly have
+come from elsewhere. How much mixing does this approach need? Is it
+immediately beneficial because of real-world adversaries that can't
+observe Alice's router, but can run routers of their own?
+
+To scale to many users, and to prevent an attacker from observing the
+whole network, it may be necessary
+to support far more servers than Tor currently anticipates.
+This introduces several issues. First, if approval by a central set
+of directory servers is no longer feasible, what mechanism should be used
+to prevent adversaries from signing up many colluding servers? Second,
+if clients can no longer have a complete picture of the network,
+how can they perform discovery while preventing attackers from
+manipulating or exploiting gaps in their knowledge? Third, if there
+are too many servers for every server to constantly communicate with
+every other, which non-clique topology should the network use?
+(Restricted-route topologies promise comparable anonymity with better
+scalability~\cite{danezis-pets03}, but whatever topology we choose, we
+need some way to keep attackers from manipulating their position within
+it~\cite{casc-rep}.) Fourth, if no central authority is tracking
+server reliability, how do we stop unreliable servers from making
+the network unusable? Fifth, do clients receive so much anonymity
+from running their own ORs that we should expect them all to do
+so~\cite{econymics}, or do we need another incentive structure to
+motivate them? Tarzan and MorphMix present possible solutions.
+
+% advogato, captcha
+
+When a Tor node goes down, all its circuits (and thus streams) must break.
+Will users abandon the system because of this brittleness? How well
+does the method in Section~\ref{subsec:dos} allow streams to survive
+node failure? If affected users rebuild circuits immediately, how much
+anonymity is lost? It seems the problem is even worse in a peer-to-peer
+environment---such systems don't yet provide an incentive for peers to
+stay connected when they're done retrieving content, so we would expect
+a higher churn rate.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\section{Future Directions}
+\label{sec:conclusion}
+
+Tor brings together many innovations into a unified deployable system. The
+next immediate steps include:
+
+\emph{Scalability:} Tor's emphasis on deployability and design simplicity
+has led us to adopt a clique topology, semi-centralized
+directories, and a full-network-visibility model for client
+knowledge. These properties will not scale past a few hundred servers.
+Section~\ref{sec:maintaining-anonymity} describes some promising
+approaches, but more deployment experience will be helpful in learning
+the relative importance of these bottlenecks.
+
+\emph{Bandwidth classes:} This paper assumes that all ORs have
+good bandwidth and latency. We should instead adopt the MorphMix model,
+where nodes advertise their bandwidth level (DSL, T1, T3), and
+Alice avoids bottlenecks by choosing nodes that match or
+exceed her bandwidth. In this way DSL users can usefully join the Tor
+network.
+
+\emph{Incentives:} Volunteers who run nodes are rewarded with publicity
+and possibly better anonymity~\cite{econymics}. More nodes means increased
+scalability, and more users can mean more anonymity. We need to continue
+examining the incentive structures for participating in Tor. Further,
+we need to explore more approaches to limiting abuse, and understand
+why most people don't bother using privacy systems.
+
+\emph{Cover traffic:} Currently Tor omits cover traffic---its costs
+in performance and bandwidth are clear but its security benefits are
+not well understood. We must pursue more research on link-level cover
+traffic and long-range cover traffic to determine whether some simple padding
+method offers provable protection against our chosen adversary.
+
+%%\emph{Offer two relay cell sizes:} Traffic on the Internet tends to be
+%%large for bulk transfers and small for interactive traffic. One cell
+%%size cannot be optimal for both types of traffic.
+% This should go in the spec and todo, but not the paper yet. -RD
+
+\emph{Caching at exit nodes:} Perhaps each exit node should run a
+caching web proxy~\cite{shsm03}, to improve anonymity for cached pages
+(Alice's request never
+leaves the Tor network), to improve speed, and to reduce bandwidth cost.
+On the other hand, forward security is weakened because caches
+constitute a record of retrieved files. We must find the right
+balance between usability and security.
+
+\emph{Better directory distribution:}
+Clients currently download a description of
+the entire network every 15 minutes. As the state grows larger
+and clients more numerous, we may need a solution in which
+clients receive incremental updates to directory state.
+More generally, we must find more
+scalable yet practical ways to distribute up-to-date snapshots of
+network status without introducing new attacks.
+
+\emph{Further specification review:} Our public
+byte-level specification~\cite{tor-spec} needs
+external review. We hope that as Tor
+is deployed, more people will examine its
+specification.
+
+\emph{Multisystem interoperability:} We are currently working with the
+designer of MorphMix to unify the specification and implementation of
+the common elements of our two systems. So far, this seems
+to be relatively straightforward. Interoperability will allow testing
+and direct comparison of the two designs for trust and scalability.
+
+\emph{Wider-scale deployment:} The original goal of Tor was to
+gain experience in deploying an anonymizing overlay network, and
+learn from having actual users. We are now at a point in design
+and development where we can start deploying a wider network. Once
+we have many actual users, we will doubtlessly be better
+able to evaluate some of our design decisions, including our
+robustness/latency tradeoffs, our performance tradeoffs (including
+cell size), our abuse-prevention mechanisms, and
+our overall usability.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%% commented out for anonymous submission
+\section*{Acknowledgments}
+ We thank Peter Palfrader, Geoff Goodell, Adam Shostack, Joseph Sokol-Margolis,
+ John Bashinski, and Zack Brown
+ for editing and comments;
+ Matej Pfajfar, Andrei Serjantov, Marc Rennhard for design discussions;
+ Bram Cohen for congestion control discussions;
+ Adam Back for suggesting telescoping circuits; and
+ Cathy Meadows for formal analysis of the \emph{extend} protocol.
+ This work has been supported by ONR and DARPA.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\bibliographystyle{latex8}
+\bibliography{tor-design}
+
+\end{document}
+
+% Style guide:
+% U.S. spelling
+% avoid contractions (it's, can't, etc.)
+% prefer ``for example'' or ``such as'' to e.g.
+% prefer ``that is'' to i.e.
+% 'mix', 'mixes' (as noun)
+% 'mix-net'
+% 'mix', 'mixing' (as verb)
+% 'middleman' [Not with a hyphen; the hyphen has been optional
+% since Middle English.]
+% 'nymserver'
+% 'Cypherpunk', 'Cypherpunks', 'Cypherpunk remailer'
+% 'Onion Routing design', 'onion router' [note capitalization]
+% 'SOCKS'
+% Try not to use \cite as a noun.
+% 'Authorizating' sounds great, but it isn't a word.
+% 'First, second, third', not 'Firstly, secondly, thirdly'.
+% 'circuit', not 'channel'
+% Typography: no space on either side of an em dash---ever.
+% Hyphens are for multi-part words; en dashs imply movement or
+% opposition (The Alice--Bob connection); and em dashes are
+% for punctuation---like that.
+% A relay cell; a control cell; a \emph{create} cell; a
+% \emph{relay truncated} cell. Never ``a \emph{relay truncated}.''
+%
+% 'Substitute ``Damn'' every time you're inclined to write ``very;'' your
+% editor will delete it and the writing will be just as it should be.'
+% -- Mark Twain
diff --git a/doc/design-paper/usenix.sty b/doc/design-paper/usenix.sty
new file mode 100644
index 0000000000..4442f11574
--- /dev/null
+++ b/doc/design-paper/usenix.sty
@@ -0,0 +1,98 @@
+% usenix-2e.sty - to be used with latex2e (the new one) for USENIX.
+% To use this style file, do this:
+%
+% \documentclass[twocolumn]{article}
+% \usepackage{usenix-2e}
+% and put {\rm ....} around the author names.
+%
+% $Id$
+%
+% The following definitions are modifications of standard article.sty
+% definitions, arranged to do a better job of matching the USENIX
+% guidelines.
+% It will automatically select two-column mode and the Times-Roman
+% font.
+
+%
+% USENIX papers are two-column.
+% Times-Roman font is nice if you can get it (requires NFSS,
+% which is in latex2e.
+
+\if@twocolumn\else\input twocolumn.sty\fi
+\usepackage{times}
+
+%
+% USENIX wants margins of: 7/8" side, 1" bottom, and 3/4" top.
+% 0.25" gutter between columns.
+% Gives active areas of 6.75" x 9.25"
+%
+\setlength{\textheight}{9.0in}
+\setlength{\columnsep}{0.25in}
+%%\setlength{\textwidth}{6.75in}
+\setlength{\textwidth}{7.00in}
+%\setlength{\footheight}{0.0in}
+\setlength{\topmargin}{-0.25in}
+\setlength{\headheight}{0.0in}
+\setlength{\headsep}{0.0in}
+\setlength{\evensidemargin}{-0.125in}
+\setlength{\oddsidemargin}{-0.125in}
+
+%
+% Usenix wants no page numbers for submitted papers, so that they can
+% number them themselves.
+%
+\pagestyle{empty}
+
+%
+% Usenix titles are in 14-point bold type, with no date, and with no
+% change in the empty page headers. The whol author section is 12 point
+% italic--- you must use {\rm } around the actual author names to get
+% them in roman.
+%
+\def\maketitle{\par
+ \begingroup
+ \renewcommand\thefootnote{\fnsymbol{footnote}}%
+ \def\@makefnmark{\hbox to\z@{$\m@th^{\@thefnmark}$\hss}}%
+ \long\def\@makefntext##1{\parindent 1em\noindent
+ \hbox to1.8em{\hss$\m@th^{\@thefnmark}$}##1}%
+ \if@twocolumn
+ \twocolumn[\@maketitle]%
+ \else \newpage
+ \global\@topnum\z@
+ \@maketitle \fi\@thanks
+ \endgroup
+ \setcounter{footnote}{0}%
+ \let\maketitle\relax
+ \let\@maketitle\relax
+ \gdef\@thanks{}\gdef\@author{}\gdef\@title{}\let\thanks\relax}
+
+\def\@maketitle{\newpage
+ \vbox to 2.5in{
+ \vspace*{\fill}
+ \vskip 2em
+ \begin{center}%
+ {\Large\bf \@title \par}%
+ \vskip 0.375in minus 0.300in
+ {\large\it
+ \lineskip .5em
+ \begin{tabular}[t]{c}\@author
+ \end{tabular}\par}%
+ \end{center}%
+ \par
+ \vspace*{\fill}
+% \vskip 1.5em
+ }
+}
+
+%
+% The abstract is preceded by a 12-pt bold centered heading
+\def\abstract{\begin{center}%
+{\large\bf \abstractname\vspace{-.5em}\vspace{\z@}}%
+\end{center}}
+\def\endabstract{}
+
+%
+% Main section titles are 12-pt bold. Others can be same or smaller.
+%
+\def\section{\@startsection {section}{1}{\z@}{-3.5ex plus-1ex minus
+ -.2ex}{2.3ex plus.2ex}{\reset@font\large\bf}}