To protect against timing analysis, Onion routing uses encrypted and padded links, and the connection between the user and his local onion router is assumed to be secure. Obviously, padding offers protection against external adversaries only. The onion routers themselves know when an anonymous connection is opened, how much data is transferred, and when it is closed. So in contrast to the mix net (where it is sufficient to use one honest mix in a chain), honest onion routers that are used between two cooperating onion routers do not offer additional protection. Onion routers have a fixed number of neighbours. If the first onion router does not have any honest neighbours, there is no anonymity. Generally, the maximal connected component of honest onion routers forms the anonymity set. Does that mean that every onion router needs to maintain many encrypted links, or is there a more efficient solution?