[messaging] Panoramix decryption mixnet messaging spec and design documents
dawuud
dawuud at riseup.net
Fri Sep 22 17:05:10 PDT 2017
> On Sat, 2017-09-16 at 22:21 +0000, dawuud wrote:
> > On the other hand the Loopix design as described in the paper does not
> > include any message reliability mechanism at all. In our design we do
> > not use the SURBs to achieve any identity-hiding property like
> > Mixminion does. Instead we only use SURBs to send ACKnowledgements in
> > our Stop and Wait ARQ protocol from Client to Provider.
>
> I'm sure I've pointed this out to you guys before, David, but ACKs do
> not need SURBs per se. At least not if the ACK comes from the mail
> server as opposed to the user. You just send a packet in a loop, but
> execute a special command mid way that drops off the message and
> replaces it with the ACK. It only requires that packet building split
That is equivalent to using a SURB... although it has some
disadvantages which include extreme packet header overhead; that is to
say: If your Sphinx packet format ensures that each hop's routing info
slot is the same size then you end up with lots of wasted space when
you stuff a payload into one of those slots because all the other
slots must pad to the same size. Further this adds complexity to the
implementation of the Sphinx packet format because it means that the
header size will be variable instead of fixed size; you cannot stuff a
fixed size header inside another header which is fixed to the same
size!
Further, if you use Sphinx headers in this way you don't really need
the packet "body" at all which is originally specified to be encrypted
with an SPRP/wide-block cipher such as Lioness. You are essentially
decapitating the Sphinx, where all you are left with is a human head
that is no longer attached to the body of a lion ;-p
The reason I say they are equivalent is that ultimately both ideas are
about sending a packet with enough routing information for the ACK to
reach the source whence it came.
So I appear to be arguing here that our specification for ACKs via SURBs is a
better design than sending loops where the payload is contained in the
header... However, loops are great for other things such as
heartbeats to detect n-1 attacks and decoy traffic. Hence the name
Loopix which uses several kinds of looped messages in it's design.
> the key material between the two orientations. You could achieve that
> split by building a SURB, and doing so may simplify the code elsewhere
> or even enable multiple-ACKs, but it's nowhere near as messy as folks
> imagine when they hear you say SURB though.
Actually, I think the main obstable one encounters when mentioning
this stuff to various autistic crypto nerds is essentially a 10 year
old anti-mixnet prejudice by those who have not yet read the Loopix paper
which is clearly the most advanced published mixnet paper to date.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20170923/04c6d320/attachment.sig>
More information about the Messaging
mailing list