Network Model in Onion Routing Network
For purposes of this analysis, an Onion Routing network consists of onion proxies (or simply proxies),
Core Onion Routers (CORs), links, over which CORs pass xed length cells, and responder proxies, which
reconstruct cells into the application layer data stream.
An attempt to analyze the tra c on a real onion routing network might try to take advantage of topo-
logical features, exit policies, outside information about communicants, and other details that we cannot
hope to incorporate in a mathematical assessment of onion outing networks generally. We make a number of
general and speci c assumptions to permit us to proceed with the analysis. We also comment on the validity
of these assumptions below.
Assumption 1. The network of onion routers is a clique (fully connected graph).
Since links are simply TCP/IP connections traversing the Internet, a COR can maintain many such
connections with relatively little overhead, and the second generation implementation allows a COR to
have on the order of fty thick pipe links to other CORs. Beyond that size, one is likely to nd regions
of highly connected nodes with multiple bridges between them. Assumption 1 thus seems reasonable
for OR networks of up to 50 CORs.
Assumption 2. Links are all padded or bandwidth-limited to a constant rate.
This simpli cation allows us to ignore passive eavesdroppers, since all an eavesdropper will see on
any link is a constant ow of xed length, encrypted cells. In fact, we expect that padding and limiting
will be used to smooth rapid (and therefore potentially trackable) changes in link tra c rather than
to maintain absolutely xed tra c ows. Even if uctuations could be observed, no principal remote
from a link can identify his own tra c as it passes across that link, since each link is covered by the
stream cipher under a key that the remote principal does not...