<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 9, 2017 at 2:53 AM, dawuud <span dir="ltr">&lt;<a href="mailto:dawuud@riseup.net" target="_blank">dawuud@riseup.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
I just wanted to make you all aware that I've published our design<br>
and specification documents for our mixnet project:<br>
<br>
<a href="https://github.com/Katzenpost/docs" rel="noreferrer" target="_blank">https://github.com/Katzenpost/<wbr>docs</a></blockquote><div>[...] </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<a href="https://github.com/Katzenpost/docs/tree/master/specs" rel="noreferrer" target="_blank">https://github.com/Katzenpost/<wbr>docs/tree/master/specs</a></blockquote><div>[...] </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<a href="https://github.com/Katzenpost/docs/blob/master/drafts/mixdesign.txt" rel="noreferrer" target="_blank">https://github.com/Katzenpost/<wbr>docs/blob/master/drafts/<wbr>mixdesign.txt</a></blockquote><div>[...] </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="https://github.com/Katzenpost/docs/blob/master/drafts/user_interface.txt" rel="noreferrer" target="_blank">https://github.com/Katzenpost/<wbr>docs/blob/master/drafts/user_<wbr>interface.txt</a></blockquote><div><br></div><div><br></div><div>Hi David,</div><div><br></div><div>Hope you don't mind belated comments:</div><div><br></div><div>This is an ambitious protocol stack! I think the different layers and choices are something like:</div><div><br></div><div>Mix packet format = Sphinx</div><div>Mix strategy = Poisson Mix (a simplified "Stop-and-Go Mix")</div><div>Mixnet topology = Stratified</div><div>Dummy traffic strategy = Loopix</div><div>Reliability/retransmission = Stop-and-Wait ARQ</div><div>Congestion control = "Source Quench" from mixes to providers</div><div>Link protocol = TCP/Noise_XX</div><div>End-to-end protocol = Email/Noise_X</div><div><br></div><div>It's interesting to see everything needed for a full mixnet architecture. I imagine these decisions might be different for different applications, so I hope you're building modularity between components.</div><div><br></div><div>"Sphinx" and "Stop-and-Go mixes" seem particularly reusable within different architectures. High-quality specs and code for them would be one great outcome here.</div><div><br></div><div>(Though there's room for debate even within those components. For example, SURB support in Sphinx adds complexity and requires an unusual "large-block" cipher. 
SURBs don't seem necessary for Loopix, and I've wondered whether dropping SURB support would make things simpler [1])</div><div><br></div><div>Anyways, the hardest decisions are probably around "mixnet topology" and "dummy traffic", since this is where real-world economic and deployability concerns come in:</div><div> * Who is going to run mixes?</div><div> * How tolerable are latency and dummy-traffic requirements for real users?</div><div><br></div><div>The Loopix paper [2] presents examples with:</div><div> * Several independent mix nodes</div><div> * A server acting as "provider" for each few hundred users</div><div> * Each user sending a dummy message every few seconds (or faster!)</div><div> * Each user downloading messages or dummy traffic from their provider at a constant rate</div><div><br></div><div>Those all seem like difficult requirements for real systems, so I'm wondering about your thoughts on near-term deployment.</div><div><br></div><div>In general, the security vs. practicality tradeoffs seem pretty brutal for mixnets. Most papers (like Loopix) push the slider towards the security end so they can achieve their security goal, but with parameters unlikely to be deployed at any scale. I'd be more interested in the opposite sort of analysis: how much security can be eked out of "minimum viable" deployments.</div><div><br></div><div>Anyways, those are scattered thoughts. It's great to see people working in this area, keep us posted!</div><div><br></div><div>Trevor</div><div><br></div><div>[1] </div><div><a href="https://moderncrypto.org/mail-archive/messaging/2014/000456.html">https://moderncrypto.org/mail-archive/messaging/2014/000456.html</a> </div><div><a href="https://moderncrypto.org/mail-archive/messaging/2014/000471.html">https://moderncrypto.org/mail-archive/messaging/2014/000471.html</a></div><div><br></div><div>[2] <a href="https://arxiv.org/pdf/1703.00536.pdf">https://arxiv.org/pdf/1703.00536.pdf</a> </div><div><br></div></div></div></div>