Date Added: May 2010
Choosing a path length for low-latency anonymous networks that optimally balances security and performance is an open problem. Tor's design decision to build paths with precisely three routers is thought to strike the correct balance. In this paper, the authors investigate this design decision by experimentally evaluating several of the key benefits and drawbacks of two-hop and three-hop paths. They find that a three-hop design is slightly more vulnerable to endpoint compromise than a two-hop design in the presence of attackers who employ simple denial-of-service tactics; two-hop paths trivially reveal entry guards to exit routers, but even with three-hop paths the exit can learn entry guards by deploying inexpensive middle-only routers; and three-hop paths incur a performance penalty relative to two-hop paths.