Network-level Privacy

While PIR hides what a user is reading; the server nonetheless still sees the IP the request came from. This workstream closes that gap so servers cannot learn who is making the request — across two tracks:

  • TorJS — Tor's official Rust client compiled to WebAssembly, with a fetch()-compatible API for browsers and Node.js.
  • Abstract Access Layer — a pluggable interface that lets the edge (wallets, dApps, light clients) reach diverse anonymity-network infrastructures through one unified abstraction.

TorJS

TorJS is an npm module that compiles Arti — the Tor Project's next-generation Rust implementation of Tor — into WebAssembly. It exposes a standard fetch()-compatible API, making it trivial for wallet SDKs, frontends, and dApps to route requests through the Tor network with a simple toggle.

Why TorJS?

Even if you use PIR to hide what you are reading, the server still sees your IP address — and can correlate that with your identity. TorJS closes this gap by ensuring servers cannot learn who is making the request. Together, PIR + TorJS provide both dimensions of read privacy.

For the broader Ethereum ecosystem, TorJS means:

  • Wallet SDKs can offer a "private mode" toggle that routes RPC calls through Tor — no external proxy needed.
  • Frontends and dApps can protect users in censorship-heavy environments, accessing Ethereum RPC endpoints without revealing their location.
  • Light clients can fetch state proofs anonymously, preventing servers from profiling which accounts a user tracks.

Features

  • Fast Bootstrap — A Brotli-compressed ~3 MB bundle replaces fetching thousands of micro-descriptors, fundamentally improving cold-start times compared to the standard Tor bootstrap method.
  • Censorship Resistance — Built-in Snowflake pluggable transport support. WebRTC-based bridges allow connectivity even under heavy network filtering. Native WebRTC transport is a Q2 priority.
  • Multi-Runtime — Works in browsers (WASM) and Node.js (with native socket access matching raw Rust performance). Pluggable storage backends (IndexedDB, localStorage) reduce bootstrap latency on repeat visits.

Current Status

TorJS has achieved end-to-end WASM functionality and is published as tor-js on npm: [1] [2] [3] [4]. The Tor Project team is currently (2Q26) reviewing and merging the WASM compatibility work from 1Q26 into upstream Arti.

What's Next: WebRTC Transport

TorJS currently relies on Snowflake WebSocket bridges to reach the Tor network from the browser. This works, but WebSocket bridges are centralized infrastructure — a small number of bridge operators carry all the traffic, creating a bottleneck and a single point of failure. Replacing WebSocket with WebRTC as the default transport would allow peer-to-peer connections between browsers, removing this centralizing effect. Domain fronting for peer discovery still applies, and the anti-censorship properties carry over. This is a Q2 priority for both the team and the Tor Project, and it is also the foundation for the Abstract Access Layer below.

Resources

Abstract Access Layer

A pluggable interface between the edge (browser and native wallets, frontends, dApps) and anonymity-network infrastructure — for decentralized RPC access and beyond. The same access pattern can serve PIR servers, anonymity-network nodes, and Ethereum p2p nodes, with a WebRTC-driven transport kit as its common foundation.

The architecture grew out of work on WebRTC connectivity between embedded Arti and the Tor network, and the realization that this stack is orthogonal: once it is abstracted and packaged cleanly, a diverse set of anonymity routing solutions [0] [1] [2] [3] [4] [5] can plug into a unified abstraction, and the same edge↔infra channel can be used by Geth, other EL clients, Arti relays, Tor C nodes, and others.

Why?

  • Decouples wallets from any single anonymity network. The choice of routing layer becomes a configuration concern, not a code change.
  • Prevents ISP-level linkage. Traffic between wallet edges and Ethereum infrastructure stops being a fingerprintable side-channel.
  • Removes the dependency on centralized RPC providers. The same transport reaches PIR servers, p2p nodes, and onion/mixnet relays, so the edge does not need a single trusted backend.

Scope

  • Edge ↔ infra WebRTC transport kit. Cross-language (Go + Rust), browser- and Node-compatible, with standardized WASM-binary validation. First milestone: a polished WebRTC transport spec usable wherever the access layer plugs in.
  • Architecture and signaling. Foundational design for abstracted access to anonymization networks, including client-binary validation and signaling/discovery protocols.
  • Pilot deployment. Standard implementation exercising the wallet → Tor → EL node pathway end-to-end.

Status

Architecture and the WebRTC transport kit are in active development. Publication of the architecture and a community-feedback round are targeted for Q2 2026; see the roadmap for the full milestone list.

← Back to workstreams