Motivation

We would like to protect the social graph by preventing traffic analysis. In order to accomplish this, we intend to use Onion Routing (OR) as the routing layer.

Tor and the Core

Tor is a close match to our requirements for an OR. It prevents traffic analysis by obfuscating the source and target for packets. However, it assumes that the Onion Proxy (OP) is trusted. Since the Core is not trusted, it cannot be allowed to create the OR path or to transmit data to arbitrary routers on the path.

Modifications to Tor

Instead of having the Core create the path, the path will be created by the Agent with the Core acting as a proxy to the first hop.

Since we cannot have the Core handle the OR path keys, it can't be relied upon to encrypt the content with the keys. Shipping the content back to the Agent for encryption is prohibitive in terms of bandwidth.

Instead, we have the remote Agent create a reverse circuit to the local Core. The local Core sends out data only through the Tor reply method, which involves just the end-to-end key and the last hop key. The Core is therefore unable to break anonymity by communicating with intermediate cores.

To summarize, Agents create Tor paths and use Tor paths in the forward direction (although they use the local Core as a transparent proxy). Cores only use Tor paths in the reverse direction.