Common anonymity system designs fall into two categories. Some use a more reliable architecture relying on a fixed and relatively small set of core relays, while other use a dynamic peer-to-peer (P2P) infrastructure to draw an open-ended pool of relays and provide increased scalability. Both approaches have limitations. The first design has limited scalability and allows an adversary to focus on the few entry and exit points to infer traffic correlations, while the second design can be problematic in keeping the overall system stable and operating due to unpredictable user behavior and system complexity.

In this paper we propose a hybrid architecture for anonymity systems with the consideration of scalability, robustness and quality-of-service, by taking the advantages from both static and P2P designs as well as balancing the incurred tradeoffs. We describe the design in details and discuss its potential benefits.