On the Use of Latency Graphs for the Construction of Tor Circuits

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The use of anonymity-based infrastructures and anonymisers is a plausible solution to mitigate privacy problems on the Internet. Tor (short for The onion router) is a popular low-latency anonymity system that can be installed as an end-user application on a wide range of operating systems to redirect the traffic through a series of anonymising proxy circuits. The construction of these circuits determines both the latency and the anonymity degree of the Tor anonymity system. While some circuit construction strategies lead to delays which are tolerated for activities like Web browsing, they can make the system vulnerable to linking attacks. We evaluate in this paper three classical strategies for the construction of Tor circuits, with respect to their de-anonymisation risk and latency performance. We then develop a new circuit selection algorithm that considerably reduces the success probability of linking attacks while keeping a good degree of performance. We finally conduct experiments on a real-world Tor deployment over PlanetLab. Our experimental results confirm the validity of our strategy and its performance increase for Web browsing.


💡 Research Summary

The paper investigates how Tor circuit construction influences both performance and anonymity, focusing on the trade‑off between latency and resistance to linking attacks. After introducing Tor’s architecture and the importance of circuit selection, the authors review three classical strategies: Random selection, which maximizes anonymity but yields highly variable latency; Minimum‑Latency selection, which chooses relays based on measured round‑trip times (RTT) to reduce delay; and Minimum‑Hop selection, which minimizes the number of hops to keep paths short. While these approaches have been studied for latency, their susceptibility to linking attacks—where an adversary correlates observed traffic with a specific user—has not been quantified.

To address this gap, the authors propose a novel algorithm that leverages a “latency graph.” The graph is a complete weighted network where each vertex represents a Tor relay and each edge weight corresponds to the average RTT between two relays, continuously updated with recent measurements and historical averages to smooth out noise. Circuit construction proceeds in four steps: (1) filter relays according to policy constraints (e.g., country, bandwidth); (2) generate all feasible three‑hop combinations from the filtered pool; (3) compute the shortest‑path cost for each combination on the latency graph; (4) assign a “diversity score” to each combination based on the entropy of its latency distribution, ensuring that candidates within a similar latency band are numerous. The final circuit is chosen among those with the lowest latency cost that also exceed a predefined diversity threshold, and a small amount of randomness is added to prevent deterministic selection. This design simultaneously keeps latency low and expands the set of plausible circuits, thereby reducing the adversary’s ability to infer the exact path.
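The four steps above, sketched as an added example; this is not the paper's code. The relay names, RTT values, EWMA factor, 10 ms band width, and 3-bit threshold are all constructed, and the diversity score is one assumed reading of the summary: the entropy, in bits, of a uniform pick among the circuits that share a latency band.

```python
import itertools
import math
import random
from collections import defaultdict

# Constructed sample data (not from the paper): relay -> (country, bandwidth KB/s).
RELAYS = {"A": ("DE", 900), "B": ("FR", 700), "C": ("NL", 800),
          "D": ("SE", 650), "E": ("US", 120), "F": ("CH", 750)}
# Constructed smoothed RTTs in ms (complete, undirected graph over the relays
# that pass the default policy; "E" is filtered out on bandwidth, so no edges).
RTT = {("A", "B"): 20.0, ("A", "C"): 12.0, ("A", "D"): 35.0, ("A", "F"): 18.0,
       ("B", "C"): 15.0, ("B", "D"): 42.0, ("B", "F"): 16.0,
       ("C", "D"): 30.0, ("C", "F"): 22.0, ("D", "F"): 40.0}

def edge(u, v):
    return RTT[tuple(sorted((u, v)))]

def update_rtt(u, v, sample_ms, alpha=0.2):
    """Blend a fresh measurement into the historical average (EWMA, assumed)."""
    key = tuple(sorted((u, v)))
    RTT[key] = (1 - alpha) * RTT[key] + alpha * sample_ms
    return RTT[key]

def candidates(min_bw=500, banned=frozenset()):
    """Steps 1-3: policy filter, enumerate ordered 3-hop circuits, cost each."""
    pool = sorted(r for r, (cc, bw) in RELAYS.items()
                  if bw >= min_bw and cc not in banned)
    return {c: edge(c[0], c[1]) + edge(c[1], c[2])
            for c in itertools.permutations(pool, 3)}

def band_diversity(costs, band_ms=10.0):
    """Step 4 (assumed reading): bits of uncertainty per latency band."""
    bands = defaultdict(list)
    for circuit, cost in costs.items():
        bands[int(cost // band_ms)].append(circuit)
    return {b: (math.log2(len(cs)), cs) for b, cs in bands.items()}

def select_circuit(min_bits=3.0, rng=None, **policy):
    """Lowest-latency band meeting the diversity threshold, random pick inside."""
    rng = rng or random.SystemRandom()
    bands = band_diversity(candidates(**policy))
    ok = sorted(b for b, (bits, _) in bands.items() if bits >= min_bits)
    if not ok:
        raise ValueError("no latency band meets the diversity threshold")
    bits, circuits = bands[ok[0]]
    return rng.choice(circuits), bits
```

On this sample data the fastest band holds only two circuits (1 bit), so it is skipped in favour of the 30-40 ms band with 20 candidates; a pure Minimum-Latency rule would have picked from that near-deterministic pair.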

Experiments were carried out on a PlanetLab deployment comprising roughly 150 Tor relays. For each of the three baseline strategies and the proposed method, the authors built 10,000 circuits and measured web‑page load times for typical sites (e.g., Wikipedia, Reddit). They also simulated a linking attack model that attempts to identify the user’s circuit based on observed RTT patterns. Results show that the Minimum‑Latency strategy reduces average page load time by about 15 % compared with Random selection, but it doubles the linking‑attack success probability. The Minimum‑Hop approach offers negligible latency improvement and similar attack risk to Random. In contrast, the latency‑graph algorithm achieves an 8 % reduction in load time relative to Random while cutting the linking‑attack success rate by roughly 60 % compared with Random and by more than 40 % compared with Minimum‑Latency. The diversity score proves crucial: within the same latency band, the number of viable circuit candidates increases by a factor of four, dramatically expanding the adversary’s uncertainty.

The discussion acknowledges several limitations. Accurate RTT measurement is challenging in a highly dynamic Internet environment; measurement errors can degrade the graph’s fidelity. The algorithm’s computational overhead—graph updates and exhaustive three‑hop enumeration—may become significant as the Tor network scales, raising concerns about real‑time applicability. Moreover, the evaluation is confined to a PlanetLab testbed; validation on the live Tor network would be necessary to confirm external validity. Future work should explore integration with other attack models (traffic‑analysis, timing attacks) and investigate adaptive mechanisms that balance update frequency against overhead.

In conclusion, the paper presents a practical method for constructing Tor circuits that simultaneously improves latency and strengthens anonymity against linking attacks. By combining a continuously refreshed latency graph with an entropy‑based diversity metric, the proposed algorithm outperforms traditional strategies on both performance and security dimensions, offering Tor users a faster and more private web‑browsing experience.

