Evaluating Dynamic Tor Onion Services for Privacy Preserving Distributed Digital Identity Systems


  • Tobias Höller Institute of Networks and Security, Johannes Kepler University Linz, Austria
  • Michael Roland Institute of Networks and Security, Johannes Kepler University Linz, Austria https://orcid.org/0000-0003-4675-0539
  • René Mayrhofer Institute of Networks and Security, Johannes Kepler University Linz, Austria




Digital Identity, Tor, Onion Service, Privacy, Unlinkability, Network Unlinkability


Digital identity documents provide several key benefits over physical ones. They can be created more easily, incur less costs, improve usability and can be updated if necessary. However, the deployment of digital identity systems does come with several challenges regarding both security and privacy of personal information. In this paper, we highlight one challenge that digital identity systems face if they are set up in a distributed fashion: Network Unlinkability. We discuss why network unlinkability is so critical for a distributed digital identity system that wants to protect the privacy of its users and present a specific definition of unlinkability for our use-case. Based on this definition, we propose a scheme that utilizes the Tor network to achieve the required level of unlinkability by dynamically creating onion services and evaluate the feasibility of our approach by measuring the deployment times of onion services.


Download data is not yet available.

Author Biographies

Tobias Höller, Institute of Networks and Security, Johannes Kepler University Linz, Austria

Tobias Höller is currently a university assistant and PhD candidate at the Institute of Network and Security at Johannes Kepler University Linz. He obtained his Master’s degree at Johannes Kepler University Linz. His research interests are onion routing (specifically Tor) and digital identity systems.

Michael Roland, Institute of Networks and Security, Johannes Kepler University Linz, Austria

Michael Roland is a post-doc researcher at the Institute of Networks and Security at Johannes Kepler University (JKU) Linz, Austria. He is also a lecturer at the University of Applied Sciences Upper Austria in Hagenberg. His main research interests are digital identities, NFC, smart cards, and wireless technologies with focus on security and privacy. He holds a B.Sc. and a M.Sc. degree in Embedded Systems Design (University of Applied Sciences Upper Austria, 2007 and 2009) and a Ph.D. (Dr. techn.) degree in Computer Science (Johannes Kepler University Linz, Austria, 2013).

René Mayrhofer, Institute of Networks and Security, Johannes Kepler University Linz, Austria

René Mayrhofer is currently heading the Android Platform Security team at Google and tries to make recent advances in usable, mobile security research available to the Billions of Android users. He is on leave from the Institute of Networks and Security at Johannes Kepler University Linz (JKU), Austria, where he continues to supervise PhD and Master students. His research interests include computer security, mobile devices, network communication, and machine learning, which he currently brings together in his research on securing mobile devices.


James Ball, Bruce Schneier, and Glenn Greenwald. Nsa and gchq target tor network that protects anonymity of web users. https://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption, 2013.

Alex Biryukov, Ivan Pustogarov, and Ralf-Philipp Weinmann. Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP ’13, page 80–94, USA, 2013. IEEE Computer Society.

Jan Camenisch and Els Van Herreweghen. Design and Implementation of the Idemix Anonymous Credential System. In Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS ’02, page 21–30, New York, NY, USA, 2002. Association for Computing Machinery.

Chen Chen, Daniele E. Asoni, David Barrera, George Danezis, and Adrain Perrig. Hornet: High-speed onion routing at the network layer. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS ’15, page 1441–1454, New York, NY, USA, 2015. Association for Computing Machinery.

A. Cooper, H. Tschofenig, B. Aboba, J. Peterson, J. Morris, M. Hansen, and R. Smith. Privacy Considerations for Internet Protocols. RFC 6973, 2013.

Roger Dingledine. Next Generation Tor Onion Services. DEF CON 25, 2017.

Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of the 13th USENIX Security Symposium. USENIX Association, 2004.

European Comission. eHealth and COVID-19. https://ec.europa.eu/health/ehealth/covid-19_en, 2021.

Mengle Gautam. Major Aadhaar data leak plugged: French security researcher. https://www.thehindu.com/sci-tech/technology/major-aadhaar-data-leak-plugged-french-security-researcher/article26584981.ece, 2019.

David Goldschlag, Michael Reed, and Paul Syverson. Onion routing. Communications of the ACM, 42(2):39–41, 1999.

Government of India. Unique Identification Authority of India. https://uidai.gov.in/, 2009.

Tobias Höller, Michael Roland, and René Mayrhofer. On the state of V3 onion services. In Proceedings of the ACM SIGCOMM 2021 Workshop on Free and Open Communications on the Internet (FOCI ’21), pages 50–56. ACM, August 2021.

I2P. The Invisible Internet Project. https://geti2p.net/, 2021.

International Organization for Standardization. Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application. Standard ISO/IEC TR 29110-1:2016, Geneva, CH, 2016.

Jörg Lenhard, Karsten Loesing, and Guido Wirtz. Performance Measurements of Tor Hidden Services in Low-Bandwidth Access Networks. In Applied Cryptography and Network Security, pages 324–341, Berlin Heidelberg, 2009. Springer.

Karsten Loesing, Werner Sandmann, Christian Wilms, and Guido Wirtz. Performance Measurements and Statistics of Tor Hidden Services. In 2008 International Symposium on Applications and the Internet, pages 1–7, Turku, Finland, 2008. IEEE.

Even MacAskill, Julian Borger, Nick Hopkins, Nick Davies, and James Ball. GCHQ taps fibre-optic cables for secret access to world’s communications. https://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa, 2013.

Andre Meister. How the German Foreign Intelligence Agency BND tapped the Internet Exchange Point DE-CIX in Frankfurt, since 2009. https://netzpolitik.org/2015/how-the-german-foreign-intelligence-agency-bnd-tapped-the-internet-exchange-point-de-cix-in-frankfurt-since-2009/, 2015.

Iynkaran Natgunanathan, Abid Mehmood, Yong Xiang, Gleb Beliakov, and John Yearwood. Protection of privacy in biometric data. IEEE Access, 4:880–892, 2016.

Open Privacy Research Society. cwtch. https://cwtch.im/.

Gareth Owen and Nick Savage. Empirical analysis of Tor Hidden Services. IET Information Security, 10(3):113–118, 2016.

Mike Perry. The Vanguards Onion Service Addon. https://github.com/mikeperry-tor/vanguards.

Khaira Rachna. Rs 500, 10 minutes, and you have access to billion Aadhaar details. https://www.tribuneindia.com/news/archive/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details-523361, 2018.

Manu Sporny, Dave Longley, and David Chadwick. Verifiable Credentials Data Model 1.0. https://www.w3.org/TR/vc-data-model/, 2019.

Aaron Swartz. Securedrop. https://github.com/freedomofpress/securedrop.

The Tor Project. Tor Rendezvous Specification. https://github.com/torproject/torspec/blob/master/rend-spec-v2.txt.

The Tor Project. Tor Rendezvous Specification – Version 3. https://github.com/torproject/torspec/blob/master/rend-spec-v3.txt.

The Tor Project. Onion Service version 2 deprecation timeline. https://blog.torproject.org/v2-deprecation-timeline, 2020.

The Tor Project. The Tor Project. https://www.torproject.org/, 2021.

The Tor Project. Tor Metrics. https://metrics.torproject.org, 2021.

Srinath Vudali. Aadhaar details of 7.82 crore from Telangana and Andhra found in possession of IT Grids (India) Pvt Ltd. https://timesofindia.indiatimes.com/city/hyderabad/aadhaar-details-of-7-82-crore-from-telangana-and-andhra-found-in-possession-of-it-grids-india-pvt-ltd/articleshow/68865938.cms, 2019.






WTMC 2021 Workshop