
Circuit-Padding Machines in Tor

Updated 20 February 2026
  • Circuit-padding machines are finite-state automata embedded in Tor circuits that emit dummy traffic to obscure true packet flows and counteract fingerprinting attacks.
  • They employ probabilistic state transitions and parametric designs to balance bandwidth overhead with enhanced protection efficacy.
  • Evaluations of designs like WTF-PAD, Spring, and Interspace demonstrate tradeoffs via genetic programming and probabilistic initialization to reduce adversarial recall.

Circuit-padding machines are finite-state automata embedded within Tor circuits, designed to emit dummy (padding) traffic to obscure real packet traces and counteract powerful traffic analysis attacks such as Website Fingerprinting (WF) or circuit fingerprinting. These machines operate at the circuit layer, functioning independently from stream-level defenses, and are capable of injecting, postponing, or passing Tor cells based on their internal state and triggering network events. Through parametric design and probabilistic mechanisms, circuit-padding machines offer a tunable tradeoff between bandwidth overhead and protection efficacy, forming the basis for modern padding defenses in Tor and related anonymity systems (Pulls, 2020, Kadianakis et al., 2021).

1. State-Machine Architecture and Operational Model

Each circuit-padding machine is realized as a compact abstract state machine, instantiated separately for client-side and relay-side participation in a Tor circuit. Let $S = \{s_0, s_1, \dots, s_n\}$ denote the set of states. Associated with each $s \in S$ are probability distributions:

  • $D_t(s)$: Inter-arrival time distribution for waiting before injecting the next padding cell (typically in microseconds).
  • $D_\ell(s)$: Distribution governing the number of padding cells to emit in a single burst.

Transitions are triggered by discrete events $E = \{\text{ON\_PACKET}, \text{ON\_TIMER}, \ldots\}$. The transition function $T(s,e)$ dictates state progression and padding actions. For event $e$ in state $s_1$, the probability of moving to state $s_2$ is $P(s_1 \to s_2 \mid e)$.

Triggering events include:

  • ON_PACKET: Real Tor cell observed for inbound/outbound transmission.
  • ON_TIMER: Padding timer expires (sample drawn from $D_t(s)$).

Upon timer expiry, the machine samples $\ell \sim D_\ell$ and emits $\ell$ padding cells; subsequent transitions follow the event logic (Pulls, 2020, Kadianakis et al., 2021).

2. Key Padding Machines: WTF-PAD, Spring, and Interspace

The initial reference design, WTF-PAD, inspired the architecture of Tor's circuit-padding implementation. WTF-PAD uses random inter-padding delays and event-driven transitions to inject dummy packets and obfuscate true packet sequences.

The Interspace machine builds upon a manually-tuned simplification ("Spring") of an evolved automaton. Interspace introduces systematic probabilistic variation:

  • At Tor instance startup, Interspace chooses among two client-side variants with equal probability and randomizes specific transitions (50% chance).
  • On the relay side, Tor selects between Spring’s logic and a hand-crafted variant (variant parameters for distributions drawn uniformly at setup).

Main efficiency/effectiveness controls are:

  • allowed_padding_count: Absolute upper bound on padding cells (e.g., $1\,500$).
  • max_padding_percent: Ratio of padding to total cells (e.g., $0.5$).

Varying allowed_padding_count yields a bandwidth/recall Pareto frontier: more padding reduces attack recall but increases overhead. Empirical results: allowed_padding_count $=1500$ gives overhead $230\%$ and max recall $0.35$; $=100$ gives $150\%$ overhead and $0.70$ recall (Pulls, 2020).
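
The event loop from section 1 with the two limits above enforced as this page describes them, as an added sketch (not Tor's circpad code and not code from the cited papers). The two-state machine, its distributions, the trace and the 50 ms tail after the last real cell are constructed assumptions.

```python
import random

# Constructed two-state machine, not one of Tor's. Per state:
#   delay = sampler for D_t(s) in microseconds, burst = sampler for D_l(s),
#   next  = {event: [(next_state, probability)]}, i.e. P(s1 -> s2 | e).
MACHINE = {
    "IDLE": {"delay": None, "burst": None,
             "next": {"ON_PACKET": [("BURST", 0.8), ("IDLE", 0.2)]}},
    "BURST": {"delay": lambda r: r.uniform(500, 5000),
              "burst": lambda r: r.randint(1, 4),
              "next": {"ON_PACKET": [("BURST", 1.0)],
                       "ON_TIMER": [("BURST", 0.7), ("IDLE", 0.3)]}},
}
# Constructed trace: 200 real cells, one every 10 ms (timestamps in microseconds).
TRACE = [i * 10_000 for i in range(200)]

def pick(rng, choices):
    """Sample the next state from [(state, probability), ...]."""
    states, probs = zip(*choices)
    return rng.choices(states, weights=probs)[0]

def simulate(real_times_us, allowed_padding_count, max_padding_percent, seed=1):
    """Replay real-cell timestamps; return (real_cells, padding_cells)."""
    rng = random.Random(seed)
    pending = sorted(real_times_us)
    horizon = (pending[-1] if pending else 0) + 50_000  # assumed 50 ms tail
    state, timer, real, pad, i = "IDLE", None, 0, 0, 0
    while True:
        next_real = pending[i] if i < len(pending) else None
        if next_real is not None and (timer is None or next_real <= timer):
            now, event, i, real = next_real, "ON_PACKET", i + 1, real + 1
        elif timer is not None and timer <= horizon:
            now, event = timer, "ON_TIMER"
            for _ in range(MACHINE[state]["burst"](rng)):  # l ~ D_l(s)
                if pad >= allowed_padding_count:
                    break  # hard cap on padding cells reached
                if (pad + 1) / (pad + 1 + real) > max_padding_percent:
                    break  # padding share of all cells would be too high
                pad += 1
        else:
            return real, pad  # no real cells left and no timer inside the horizon
        state = pick(rng, MACHINE[state]["next"].get(event, [(state, 1.0)]))
        delay = MACHINE[state]["delay"]
        timer = now + delay(rng) if delay else None  # re-arm from D_t(s)

if __name__ == "__main__":
    for cap in (10, 1500):
        print(cap, simulate(TRACE, cap, 0.5))
```

Because the burst length is sampled before the limits are checked, the same seed produces the same event sequence for every cap, so runs with different allowed_padding_count values are directly comparable.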

3. Automated Synthesis via Genetic Programming

Padding machine variants are optimized using genetic programming (GP):

  • Representation: Candidate = two four-state automata (client, relay); each state includes $D_t$/$D_\ell$ parameters and transitions.
  • Fitness: $1-\text{Recall}_{\max}$, where $\text{Recall}_{\max}$ is obtained from the Deep Fingerprinting (DF) classifier on the “Goodenough” dataset (20,000 traces).
  • Operators: Population (10 machines), elitism, fitness-proportional selection, single-state crossover, and random mutation of parameters and transitions.
  • Workflow: Candidate machines are simulated (circpad-sim) on traces, classifier recall is evaluated via 10-fold cross-validation, and evolution proceeds over multiple generations.

Over four months, the best machine found (“April”) achieved recall $0.57$ at $206\%$ bandwidth overhead (precision $0.52$). Interspace, hand-tuned and incorporating probabilistic logic, achieves superior tradeoffs (Pulls, 2020).

4. Evaluation: Website and Circuit Fingerprinting Resistance

Padding machines are assessed against WF and circuit fingerprinting in closed- and open-world settings. Data from (Pulls, 2020):

  • Baseline (unprotected): $\text{Recall}_{\max} \approx 0.88$, Precision $\approx 0.93$ (DF attack) on Tor traces.
  • WTF-PAD: $178\%$ overhead, recall $\approx 0.70$.
  • Spring: $210\%$ overhead, recall $\approx 0.47$ (standard), $285\%$/$0.42$ (safest).
  • Interspace: $230\%$ overhead, recall $\approx 0.35$ (standard), $305\%$/$0.31$ (safest).

Probabilistic initialization of Interspace reduces DF's recall by $10$–$20\%$ relative to deterministic machines, assuming attackers cannot enumerate all machine variants. However, if attackers multiply their training data by generating defended traces exhaustively, recall can rebound to $0.60$, illustrating a defense/attack arms race (Pulls, 2020).

In a separate evaluation focused on circuit fingerprinting (Kadianakis et al., 2021), adaptive padding frameworks based on WTF-PAD and “preemptive circuit padding” (PCP) are analyzed. The resulting adversary accuracies are:

  • Without defense: $98$–$99\%$.
  • Delay-based padding: Accuracy $\approx c$ (the base clearnet rate), with modest induced latency (mean $3.34\,\mathrm{s}$) and bandwidth ($22.5\,\mathrm{KB}$).
  • PCP: Zero added latency, overhead $\varphi\times22.5\,\mathrm{KB}$, guarantees indistinguishability as soon as $\varphi \geq (1/c) - 1$.

5. Analytical and Experimental Tradeoffs

Bandwidth and security tradeoffs are parameterized and evaluated with empirical and analytical methods:

| Machine | Overhead (%) | Recall (DF) | Precision |
|---|---|---|---|
| None (baseline) | | 0.88 | 0.93 |
| WTF-PAD | 178 | 0.70 | |
| Spring | 210/285 | 0.47/0.42 | |
| Interspace | 230/305 | 0.35/0.31 | |

Overhead and recall are linked along a Pareto frontier. For circuit fingerprinting defenses, the optimal parameter choice ensures the adversary’s accuracy does not exceed the base rate $c$, yielding “zero leakage.”

Statistical confidence is established with $10\,000$–$15\,000$ circuit samples and standard deviations below $2\%$. Experiments combine “Goodenough” datasets, varied security levels, and state-of-the-art classifiers (DF, SVM, DecTree) (Pulls, 2020, Kadianakis et al., 2021).

6. Probabilistic Padding Machines and Limitations

Probabilistic construction as in Interspace, randomizing automaton variants per session, significantly complicates attack model retraining and increases required attacker effort. This approach leverages unpredictability: empirical recall can drop by $10$–$20\%$ compared to deterministic analogues.

However, practical deployment faces several limitations:

  • Evaluations are simulation-based; no live-network latency or resource analyses were performed.
  • Design space exploration via GP was computationally expensive and limited in scope.
  • Defenses target direction/size-based WF and circuit fingerprinting, not time-based attacks.

Future research avenues include:

  • Live deployment with end-to-end overhead/latency measurement.
  • Enlarged state machine designs and advanced search methodologies.
  • Adaptive timers to counteract timing-based analyses.
  • Black-box attacks and open-world classifier settings (Pulls, 2020).

7. Integration and Parameterization in Tor

Circuit-padding frameworks are now integrated into Tor (since 0.4.0.1-alpha), supporting dynamic negotiation and parameterization. Defenses can be adapted per-load using allowed_padding_count, max_padding_percent, and probabilistic initializations. Different strategies—delay-based, PCP—can be selected in response to observed network load and privacy preferences.

A plausible implication is that, by dynamically adjusting these parameters and machine selection probabilistically, systems can maintain indistinguishability guarantees under shifting adversary models—at least until attackers develop richer, multi-trace classifiers or the pace of machine retraining becomes tractable (Pulls, 2020, Kadianakis et al., 2021).
