
arxiv: 2602.23560 · v2 · submitted 2026-02-27 · 💻 cs.CR

A traffic analysis attack against Introduction Protocol and Onion Services

Pith reviewed 2026-05-15 19:28 UTC · model grok-4.3

classification 💻 cs.CR
keywords: Tor, onion services, traffic analysis, intersection attack, introduction protocol, relay identification, privacy model

The pith

An adversary observing one relay can identify every hop in a Tor onion service introduction circuit through repeated timed probes and intersections.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that Tor onion services can be traced hop by hop using an intersection attack on their introduction circuits. An adversary probes the service repeatedly and records destination IP addresses seen at a single relay inside narrow timing windows between specific protocol messages. Intersecting these sets over many probes isolates the next relay with certainty, then repeats for the following hop. The work argues this succeeds without global visibility or payload inspection, exposing a limit in Tor's traffic-analysis resistance for this protocol. Live experiments confirm the intersections converge reliably enough for practical use.

Core claim

We present a practical intersection attack against Tor introduction circuits that over repeated interactions can identify each hop from the introduction point toward the onion service while requiring observation at only one relay per stage. The attack repeatedly probes the target service and intersects sets of destination IP addresses observed within narrowly bounded INTRODUCE1-RENDEZVOUS2 intervals, without assuming global visibility or access to packet payloads. Our traffic-analysis technique identifies with certainty the next relay in the path to target at each stage, thereby revealing a gap in Tor's privacy model.

What carries the argument

Intersection of destination-IP sets observed inside narrowly bounded INTRODUCE1-RENDEZVOUS2 timing intervals at a single relay, which isolates traffic belonging to the next hop in the introduction circuit.

If this is right

  • Each successive relay toward the onion service can be identified with certainty once the prior hop is known.
  • Observation at only one relay per stage suffices to reveal the full path.
  • The attack works without global network visibility or decryption of payloads.
  • Convergence occurs in live-network tests and is affected by relay consensus weight and background traffic volume.
  • The attack remains feasible for a partial-global adversary who controls or observes relays in limited locations.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Cooperating observers in high-weight jurisdictions could map many onion services faster because relay selection concentrates weight geographically.
  • The minimal-storage intersection plugin lowers the cost of running the attack at scale while satisfying data-minimization constraints.
  • Similar timing windows in other Tor message sequences might allow analogous intersection attacks on additional circuit types.

Load-bearing premise

Narrow timing windows around the protocol messages reliably separate the service's traffic from unrelated background flows so that repeated intersections converge on the true next relay.

What would settle it

After many probes the intersection sets at any stage fail to shrink to a single consistent relay address that matches the actual circuit path.
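
The convergence premise and its failure condition can be explored with a purely synthetic model; this is an added example, not code from the paper or its plugin. Relays are plain integers, and `p_bg` (chance an unrelated relay appears in a window), `p_miss` (chance the true next hop falls outside the window) and `lifetime` (windows available before the service rebuilds the circuit) are assumed parameters, chosen to show how background load, window width and circuit lifetime affect whether the intersection resolves.

```python
import math
import random

def expected_probes(n_relays, p_bg):
    """Windows needed before the expected number of false candidates is < 1.

    A false candidate survives k intersections with probability p_bg**k, so
    solve (n_relays - 1) * p_bg**k < 1 for the smallest integer k.
    """
    if p_bg <= 0 or n_relays <= 2:
        return 1
    if p_bg >= 1:
        return math.inf
    return max(1, math.floor(math.log(n_relays - 1) / math.log(1 / p_bg)) + 1)

def run_stage(n_relays, p_bg, p_miss, lifetime, rng):
    """Simulate one circuit lifetime of `lifetime` observation windows.

    Returns "identified" if only the true hop survives the intersections,
    "lost" if a missed window eliminated the true hop (the result can no
    longer be correct), and "unresolved" if the circuit was rebuilt first.
    """
    true_hop = rng.randrange(n_relays)
    candidates = set(range(n_relays))
    for _ in range(lifetime):
        hop_seen = rng.random() >= p_miss
        # Intersect: a relay stays only if it was observed in this window.
        candidates = {r for r in candidates
                      if (hop_seen if r == true_hop else rng.random() < p_bg)}
        if true_hop not in candidates:
            return "lost"
        if len(candidates) == 1:
            return "identified"
    return "unresolved"

def outcome_rates(n_relays, p_bg, p_miss, lifetime, trials=200, seed=1):
    """Fraction of simulated circuit lifetimes ending in each outcome."""
    rng = random.Random(seed)
    counts = {"identified": 0, "lost": 0, "unresolved": 0}
    for _ in range(trials):
        counts[run_stage(n_relays, p_bg, p_miss, lifetime, rng)] += 1
    return {k: v / trials for k, v in counts.items()}

if __name__ == "__main__":
    n, p_bg = 500, 0.5  # constructed values, not measurements from the paper
    print("analytic windows needed:", expected_probes(n, p_bg))
    for lifetime in (3, 10, 40):  # short rebuild interval vs long-lived circuit
        print("lifetime", lifetime, outcome_rates(n, p_bg, 0.0, lifetime))
    # Windows too narrow to always contain the true hop break the intersection.
    print("20% missed windows:", outcome_rates(n, p_bg, 0.2, 40))
```

In this model a circuit lifetime shorter than `expected_probes` leaves almost every stage unresolved, which is the effect the paper's rebuild-interval mitigation aims for.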

Figures

Figures reproduced from arXiv: 2602.23560 by Nicolas Constantinides.

Figure 1 shows the four-hop introduction circuit used in the default Vanguard-Lite configuration. The circuit starts at the introduction point (IP) and traverses two middle relays, Middle 1 (M1) and Middle 0 (M0). In this configuration, M0 serves as the Vanguard relay. The circuit terminates at the entry guard (E-G), which connects to the hidden service. When an INTRODUCE1 cell arrives at the introduction point, th…

Figure 2: Geographic Concentration of Tor Relays: 14-Eyes Alliance Countries vs. All Others.
9 Mitigation Discussion. Our results indicate that the attack is enabled by the long lifetime and static structure of introduction circuits. We outline two configuration-level mitigation proposals that can be implemented as configurable system or protocol settings to reduce the adversary’s observation window and hinder converg…

Figure 3: Selection probability for entry and middle relays hosted inside vs. outside the Fourteen-Eyes alliance, based on Tor consensus weights.
…circuit structure can be observed and limits repeated intersection. The reconstruction interval can be exposed as a configurable parameter, allowing hidden service operators to adjust it based on their requirements. This configuration should be combined with a Vanguard-st…

Tor onion services rely on long-lived introduction circuits to support anonymous rendezvous between clients and services. Although Tor incorporates defenses against traffic analysis, the introduction protocol retains deterministic routing structure that can be exploited by an adversary. We present a practical intersection attack against Tor introduction circuits that over repeated interactions can identify each hop from the introduction point toward the onion service while requiring observation at only one relay per stage. The attack repeatedly probes the target service and intersects sets of destination IP addresses observed within narrowly bounded INTRODUCE1-RENDEZVOUS2 intervals, without assuming global visibility or access to packet payloads. Our traffic-analysis technique identifies with certainty the next relay in the path to target at each stage, thereby revealing a gap in Tor's privacy model, which is intended to resist traffic-analysis attacks in which an adversary uses traffic patterns to determine which points in the network to observe or attack. We evaluate the attack's feasibility through live-network experiments using a self-operated onion service and relays. To support data minimization, we implement a Tor-compatible plugin that computes intersections online over pseudonymized data retained only in volatile memory. Our experiments show reliable convergence in practice, with convergence rate influenced by relay consensus weight and time-varying background traffic. We further assess practicality under a partial-global adversary model and discuss the implications of geographic concentration in Tor relay selection weight across cooperating jurisdictions.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The manuscript presents a practical intersection attack on Tor onion service introduction circuits. By repeatedly probing a target service and intersecting sets of destination IP addresses observed within narrowly bounded INTRODUCE1-RENDEZVOUS2 timing intervals at a single relay, the attack reconstructs successive hops toward the onion service without global visibility or payload access. Live-network experiments with a self-operated service and relays are claimed to show reliable convergence, with rate influenced by consensus weight and background traffic. A Tor-compatible plugin is implemented to perform online intersections over pseudonymized data retained only in volatile memory. The work argues this reveals a gap in Tor's traffic-analysis resistance for the introduction protocol.

Significance. If the empirical results hold, the attack demonstrates that partial observation at one relay per stage can suffice to identify introduction-circuit hops, challenging Tor's design assumptions about traffic-analysis resistance. The data-minimizing plugin and live-network evaluation are strengths that support reproducible and ethical assessment of the vulnerability. The findings could motivate protocol changes to the introduction and rendezvous mechanisms.

major comments (1)
  1. [Evaluation section] The central claim that the technique 'identifies with certainty' the next relay (abstract and §5) is load-bearing yet unsupported by quantitative metrics. No false-positive rates, error rates, sensitivity analysis on timing-window width, or controls for background traffic are reported, despite the explicit statement that convergence is 'influenced by' time-varying background traffic. This leaves open whether narrow INTRODUCE1-RENDEZVOUS2 windows reliably isolate target flows from concurrent circuits under realistic load.

minor comments (1)
  1. [Abstract] The strong phrasing 'identifies with certainty' is later qualified by the influence of background traffic; a more precise statement of observed success rates would improve clarity.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive feedback. We respond to the major comment below and plan to revise the manuscript accordingly to strengthen the evaluation.

  1. Referee: [Evaluation section] The central claim that the technique 'identifies with certainty' the next relay (abstract and §5) is load-bearing yet unsupported by quantitative metrics. No false-positive rates, error rates, sensitivity analysis on timing-window width, or controls for background traffic are reported, despite the explicit statement that convergence is 'influenced by' time-varying background traffic. This leaves open whether narrow INTRODUCE1-RENDEZVOUS2 windows reliably isolate target flows from concurrent circuits under realistic load.

    Authors: We agree that additional quantitative metrics would strengthen the claims. In the experiments described in §5, the attack achieved reliable convergence to the correct relay in all tested cases, with no false positives observed. To provide rigorous support, we will revise the evaluation section to include: false-positive rates from multiple independent runs, sensitivity analysis on the timing window width (e.g., varying from 1s to 5s), and controls for background traffic by measuring convergence under different load conditions. This will better substantiate the 'identifies with certainty' claim under realistic conditions.

    Revision: yes

Circularity Check

0 steps flagged

No circularity: empirical intersection attack with no fitted parameters or self-referential derivations


The manuscript presents a traffic-analysis attack based on repeated live-network probes and set intersection over observed destination IPs within timing windows. No equations, parameters, or uniqueness theorems are derived; the central claim rests on experimental convergence rates under real Tor traffic rather than any reduction of a prediction to prior fitted inputs or self-citations. The attack description and evaluation contain no self-definitional loops, fitted-input predictions, or load-bearing self-citations that would force the result by construction. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The attack rests on domain assumptions about Tor circuit timing and routing behavior rather than new mathematical axioms or fitted parameters.

axioms (2)
  • Domain assumption: Tor introduction circuits maintain deterministic routing structure that produces observable timing correlations at intermediate relays.
    Invoked in the description of the intersection attack on long-lived introduction circuits.
  • Domain assumption: Narrowly bounded INTRODUCE1-RENDEZVOUS2 intervals isolate relevant destination traffic from background noise sufficiently for intersection to succeed.
    Central to the claim that repeated probes allow identification of the next hop.

pith-pipeline@v0.9.0 · 5528 in / 1387 out tokens · 43849 ms · 2026-05-15T19:28:53.419399+00:00 · methodology

