1. Overview
Garlic routing remains one of I2P’s core innovations, combining layered encryption, message bundling, and unidirectional tunnels.
While conceptually similar to onion routing, it extends the model to bundle multiple encrypted messages (“cloves”) in a single envelope (“garlic”), improving efficiency and anonymity.
The term garlic routing was coined by Michael J. Freedman in Roger Dingledine’s Free Haven Master’s Thesis (June 2000, §8.1.1).
I2P developers adopted the term in the early 2000s to reflect its bundling enhancements and unidirectional transport model, distinguishing it from Tor’s circuit‑switched design.
Summary: Garlic routing = layered encryption + message bundling + anonymous delivery via unidirectional tunnels.
2. The “Garlic” Terminology
Historically, the term garlic has been used in three different contexts within I2P:
- Layered encryption – tunnel‑level onion‑style protection
- Bundling multiple messages – multiple “cloves” inside a “garlic message”
- End‑to‑end encryption – formerly ElGamal/AES+SessionTags, now ECIES‑X25519‑AEAD‑Ratchet
While the architecture remains intact, the encryption scheme has been completely modernized.
3. Layered Encryption
Garlic routing shares its foundational principle with onion routing:
each router decrypts only one layer of encryption, learning only the next hop and not the full path.
However, I2P implements unidirectional tunnels, not bidirectional circuits:
- Outbound tunnel: sends messages away from the creator
- Inbound tunnel: carries messages back to the creator
A full round trip (Alice ↔ Bob) uses four tunnels:
Alice’s outbound → Bob’s inbound, then Bob’s outbound → Alice’s inbound.
This design halves correlation data exposure compared to bidirectional circuits.
For tunnel implementation details, see the Tunnel Specification and the Tunnel Creation (ECIES) specification.
4. Bundling Multiple Messages (The “Cloves”)
Freedman’s original garlic routing envisioned bundling multiple encrypted “bulbs” within one message.
I2P implements this as cloves inside a garlic message — each clove has its own encrypted delivery instructions and target (router, destination, or tunnel).
Garlic bundling allows I2P to:
- Combine acknowledgments and metadata with data messages
- Reduce observable traffic patterns
- Support complex message structures without extra connections

Figure 1: A Garlic Message containing multiple cloves, each with its own delivery instructions.
Typical cloves include:
- Delivery Status Message — acknowledgments confirming delivery success or failure.
  These are wrapped in their own garlic layer to preserve confidentiality.
- Database Store Message — automatically bundled LeaseSets so peers can reply without re‑querying the netDb.
Cloves are bundled when:
- A new LeaseSet must be published
- New session tags are delivered
- No bundle has occurred recently (~1 minute by default)
Garlic messages achieve efficient end‑to‑end delivery of multiple encrypted components in a single packet.
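The layering from section 3 and the clove bundling from section 4 can be modeled together. This is an added illustration, not I2P's code or wire format: the JSON framing, the hop and target names, and the SHAKE-256/keyed-BLAKE2s toy cipher (standing in for ChaCha20/Poly1305) are all assumptions.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):  # toy SHAKE-256 keystream, a stand-in for ChaCha20
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = os.urandom(12)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + hashlib.blake2s(nonce + ct, key=key).digest()  # 32-byte tag

def open_layer(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hashlib.blake2s(nonce + ct, key=key).digest()):
        raise ValueError("authentication failed: wrong key or tampered layer")
    return _xor(key, nonce, ct)

def build_garlic(e2e_key, cloves):  # one envelope, many cloves
    return seal(e2e_key, json.dumps(cloves).encode())

def wrap_for_tunnel(hops, endpoint, payload):
    # hops: [(name, key), ...] in path order; the innermost layer is built first.
    nxt = endpoint
    for name, key in reversed(hops):
        payload = seal(key, json.dumps({"next": nxt, "inner": payload.hex()}).encode())
        nxt = name
    return nxt, payload  # (first hop, fully wrapped message)

def peel(key, blob):
    # A hop removes exactly one layer and learns only where to forward the rest.
    layer = json.loads(open_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["inner"])

def deliver(e2e_key, garlic):  # recipient routes each clove by its own instructions
    return [(c["delivery"], c["to"], c["msg"]) for c in json.loads(open_layer(e2e_key, garlic))]

def demo():
    hops = [(n, os.urandom(32)) for n in ("hopA", "hopB", "hopC")]  # constructed
    e2e = os.urandom(32)
    cloves = [  # constructed sample cloves, one per target type named in the text
        {"delivery": "destination", "to": "bob.dest", "msg": "application data"},
        {"delivery": "router", "to": "peer.router", "msg": "DeliveryStatus ack"},
        {"delivery": "tunnel", "to": "peer.gateway/tunnel-7", "msg": "DatabaseStore(LeaseSet)"},
    ]
    _, blob = wrap_for_tunnel(hops, "bob.gateway", build_garlic(e2e, cloves))
    seen = []
    for name, key in hops:
        nxt, blob = peel(key, blob)
        seen.append((name, nxt))
    return seen, deliver(e2e, blob)
```

Each entry in `seen` is all a hop learns (its successor), while the cloves stay sealed under the end-to-end key until the recipient opens the envelope.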
5. Encryption Evolution
5.1 Historical Context
Early documentation (≤ v0.9.12) described ElGamal/AES+SessionTags encryption:
- ElGamal 2048‑bit wrapped AES session keys
- AES‑256/CBC for payload encryption
- 32‑byte session tags used once per message
That cryptosystem is deprecated.
5.2 ECIES‑X25519‑AEAD‑Ratchet (Current Standard)
Between 2019 and 2023, I2P migrated entirely to ECIES‑X25519‑AEAD‑Ratchet. The modern stack standardizes the following components:
| Layer | ECIES Primitive or Concept |
|---|---|
| Transport Layer (NTCP2, SSU2) | Noise_NX → X25519, ChaCha20/Poly1305, BLAKE2s |
| I2NP Delivery | ECIES‑X25519‑AEAD (ChaCha20/Poly1305) |
| Session Management | Ratchet with rekey records, per-clove key material |
| Offline Authentication | EdDSA (Ed25519) with LeaseSet2/MetaLeaseSet chains |
Benefits of the ECIES migration:
- Forward secrecy via per-message ratcheting keys
- Reduced payload size compared to ElGamal
- Resilience against cryptanalytic advances
- Compatibility with future post-quantum hybrids (see Proposal 169)
Additional details: see the ECIES Specification and EncryptedLeaseSet specification.
6. LeaseSets and Garlic Bundling
Garlic envelopes frequently include LeaseSets to publish or update destination reachability.
| Version | Type | Key Capabilities | Distribution Notes |
|---|---|---|---|
| 1 | LeaseSet (legacy) | Single encryption/signature pair | Accepted for backward compatibility |
| 3 | LeaseSet2 | Multiple crypto suites, offline signing keys | Default for modern routers |
| 5 | EncryptedLeaseSet | Access-controlled, destination hidden from floodfill | Requires shared decryption key |
| 7 | MetaLeaseSet | Aggregates multiple destinations or multi-homed services | Extends LeaseSet2 fields recursively |
All LeaseSets are distributed through the floodfill DHT maintained by specialized routers. Publications are verified, timestamped, and rate-limited to reduce metadata correlation.
See the Network Database documentation for details.
7. Modern “Garlic” Applications within I2P
Garlic-based encryption and message bundling are used throughout the I2P protocol stack:
- Tunnel creation and usage — layered encryption per hop
- End-to-end message delivery — bundled garlic messages with cloned-acknowledgment and LeaseSet cloves
- Network Database publishing — LeaseSets wrapped in garlic envelopes for privacy
- SSU2 and NTCP2 transports — underlay encryption using Noise framework and X25519/ChaCha20 primitives
Garlic routing is thus both a method of encryption layering and a network messaging model.
8. Current Documentation and References
I2P’s documentation hub is maintained continuously.
Relevant living specifications include:
- ECIES Specification — ECIES‑X25519‑AEAD‑Ratchet
- Tunnel Creation (ECIES) — modern tunnel build protocol
- I2NP Specification — I2NP message formats
- SSU2 Specification — SSU2 UDP transport
- Common Structures — netDb and floodfill behavior
Academic validation:
Hoang et al. (IMC 2018, USENIX FOCI 2019) and Muntaka et al. (2025) confirm the architectural stability and operational resilience of I2P’s design.
9. Future Work
Ongoing proposals:
- Proposal 169: Hybrid post-quantum (ML-KEM 512/768/1024 + X25519)
- Proposal 168: Transport bandwidth optimization
- Datagram and streaming updates: Enhanced congestion management
Future adaptations may include additional message delay strategies or multi-tunnel redundancy at the garlic-message level, building on unused delivery options originally described by Freedman.
10. References
- Freedman, M. J. & Dingledine, R. (2000). Free Haven Master’s Thesis, § 8.1.1. Free Haven Papers
- Onion Router Publications
- Garlic Routing (Wikipedia)
- Tor Project
- Free Haven Anonbib
- Goldschlag, D. M., Reed, M. G., Syverson, P. F. (1996). Hiding Routing Information. NRL Publication.