To address location leakage and guard deployment attacks in Tor—stemming from geography-dependent guard relay selection—this paper proposes the first RPKI-based (leveraging Route Origin Authorizations and RPKI Origin Validation) geolocation-agnostic guard selection mechanism. Methodologically, it introduces two complementary algorithms: a lightweight Discount Selection and a high-assurance Matching Selection, both eliminating reliance on geographic metadata. Evaluated via customized Shadow network simulations atop real Internet topology, the approach achieves a 48.47% client-relay ROA-ROV match rate, significantly enhancing resistance to routing-layer traffic observation and deanonymization, while imposing negligible performance overhead. The core contribution lies in the first deep integration of the RPKI trust infrastructure into Tor’s path selection logic, thereby fundamentally eliminating location-based side channels and mitigating guard hijacking risks—achieving both practical deployability and strong security guarantees.

Tor is a well-known anonymous communication tool, used by people with various privacy and security needs. Prior works have exploited routing attacks to observe Tor traffic and deanonymize Tor users. Subsequently, location-aware relay selection algorithms have been proposed to defend against such attacks on Tor. However, location-aware relay selection algorithms are known to be vulnerable to information leakage on client locations and guard placement attacks. Can we design a new location-unaware approach to relay selection while achieving the similar goal of defending against routing attacks? Towards this end, we leverage the Resource Public Key Infrastructure (RPKI) in designing new guard relay selection algorithms. We develop a lightweight Discount Selection algorithm by only incorporating Route Origin Authorization (ROA) information, and a more secure Matching Selection algorithm by incorporating both ROA and Route Origin Validation (ROV) information. Our evaluation results show an increase in the number of ROA-ROV matched client-relay pairs using our Matching Selection algorithm, reaching 48.47% with minimal performance overhead through custom Shadow simulations and benchmarking.