How does Tor's threat model differ from i2p's threat model?

  • I2P is an alternative anonymity system, with a very different design - it focuses more on intra-I2P communication, rather than communication with the wider internet. Unlike Tor, every user of I2P is also the equivalent of a Tor relay.

    I'm interested in how their threat model differs from the one assumed by Tor.

    • What kind of adversary does Tor protect against, that I2P doesn't?
    • What kind of adversary does I2P protect against, that Tor doesn't?
    • Are there any adversaries that neither project protects against?

    When you’re asking about “adversaries that neither project protects against”, what sort of answer are you looking for? Neither one protects against people looking over your shoulder.

    I'm thinking more along the lines of global adverseries. Nefarious network administrators. Malicious relay/node operators. I personally would take Looking-over-your-shoulder as an implicit attack, as there's nothing that an anonymity network can do to prevent it.

  • user175

    user175 Correct answer

    9 years ago

    Tor does not have a single threat model. It provides a various degrees of protection against different adversaries: local observers, malicious node operators, observers of the underlying Internet, etc. That said, the usual stated adversary in security analyses is one that owns a fraction c/n of the relays, as well as some clients and destinations. With all of these the adversary can do anything feasible (sometimes computationally, sometimes practically), generate traffic, drop traffic, violate protocols, etc. The adversary is usually assumed to also observe some, but definitely not all, of the Internet connections between relays, clients, and destinations from observers at ASes, IXPs, ISPs, etc. This Tor-network-link adversary is either passive or may drop, replay, or induce timing signatures and traffic passing over it. Adversaries for i2p are similar. For both systems there is no adversary against which one is completely secure and the other completely broken. It's all a matter of degree.

    There are many specifics, for example, attacks on the different approaches to propagating network information. (Tor currently distributes information about all the nodes in the network to each client before it begins communicating using about a dozen directory authorities and a system of mirrors. i2p uses a modified DHT.) A complete answer would discuss all of these as well as destination fingerprinting, latency attacks, etc. It would be long and require frequent updating depending what new attacks have been discovered and what countermeasures have been designed and deployed. For similar reasons, which of Tor and i2p is more secure for each of these would be similarly complicated and dynamic. In the interest of giving a meaningful answer to the question I thus limit comparative points to the most significant and fundamental.

    Because it is a low latency system, Tor is effectively broken against an adversary that can watch both the client and destination end of a connection. This is true whether the adversary is at a Tor relay, the destination, or is an observer on the Internet. The same is essentially true of i2p and all low latency systems although the details vary. (For example, i2p uses variable length tunnels which make this slightly less certain, but they are typically 3 hops like Tor and do not vary much. Latency and intersection across a few connections can reduce the uncertainty.) Tor gets its security against such an adversary by being large enough that it becomes expensive for an adversary to have the resources to observe much of the network. The latest most detailed analysis of this can be found in

    The heart of the difference comes to how design differences and other factors affect the usability of the two. Tor is primarily for clients to make TCP connections to arbitrary Internet destinations and lets users run clients without needing to carry traffic for others. i2p is (with limited exceptions) a closed p2p system both in its destinations and in how traffic is carried. The induced motivational differences mean that Tor is orders of magnitude larger than i2p and is likely to remain such regardless of how either can scale in principle. The resources (IP addresses, bandwidth, IXPs etc.) necessary to observe and deanonymize most communication on the largest i2p network are thus much less than those needed to observe and deanonymize most communication on the Tor network. If the adversary is local or distributed but small, both systems will provide reasonable protection as long as the client and destination are not local to each other. Tor is likely to retain better protection as the adversary grows, although against a strong enough adversary both are effectively broken---like any actual system designed to protect security.

    That seems like a pretty thorough answer!

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM