[messaging] Panoramix decryption mixnet messaging spec and design documents

dawuud dawuud at riseup.net
Sun Nov 19 09:42:48 PST 2017

> > If my understanding is correct, the answer is No. No we cannot prevent
> > longterm intersection attacks by using decoy traffic in the
> > katzenpost/loopix system because users will go offline and come back
> > online later which changes the anonymity set size and thus leaks
> > information to a global network observer.
> > 
> > I suspect that there are mixnet use cases which are not vulnerable or
> > less vulnerable to this... such that user or application behavior does not
> > form a "session" where users send multiple messages over long periods which
> > can be linked by a passive observer.
> > 
> What about a store-and-retrieve design? You don't send "to" the receiver (not even indirectly), you send to a mailbox at an unpredictable address (or addresses) in a DHT-like distributed storage system, which is always online. Later, the receiver logs on and retrieves their own messages from their mailbox.

(none of that prevents longterm intersection attacks)

oh yes I love these ideas... and I was previously discussing them with
str4d in the context of i2p bote mail which is described here:


This spec is a bit encumbered by crypto packet format details whereas
I would just use Sphinx.

> Storage nodes only store stuff for a fixed amount of time and then they drop it, to save space / prevent storage DoS attacks. Participants rely on end-to-end acks to guarantee reliability. If the recipient doesn't ack your message, you assume the network dropped it, and resend it, perhaps to a newly-generated unpredictable address.

Yeah that sounds good... although having client-to-client ACKs means they both have
to be online at the same time, which is a constraint that is probably inconvenient
unless it's treated like a real-time chat application.

I like that this prevents some storage DoS attacks.

> Wasn't Jeff Burdges exploring designs in this area at some point? I vaguely remember him talking about it at various events a few years ago.

Yeah Jeff Burdges has been doing some very interesting mixnet research.
Some of his designs are here:


One of the things he's done is expand on George Danezis's previous work:

Forward Secure Mixes

Jeff has got a PQ ratchet design for forward secure mixes.

He also has a bunch of different designs for mixnet messaging systems
but so far none of them have an ARQ protocol scheme and therefore no reliability.
It might be possible to add an ARQ scheme to some of his designs.

In my opinion reliability is super important...
because "hey there's this new messaging app, but if you send a message
it might not make it to its destination" does not sound appealing to use at all.

Also Jeff's designs seem to require SURBs with longish lifetimes whereas
our katzenpost/loopix thing uses SURBs with lifetimes of 3 hours... since
3 hours is our key rotation duration for mix keys. (it's good to have
MLAT aware path selection)

Having SURBs with long lifetimes increases vulnerability to compulsion attacks.
Although it might possibly be somewhat mitigated with the PQ forward secure mixes
if the ratchet state changes before "the man" compels the mix operator to give them
the private key material.

Which reminds me that there are some cool designs in this paper
that might help mitigate these kinds of attacks:

Compulsion Resistant Anonymous Communications

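To make the long-term intersection argument from the top of this message concrete, here is an added simulation (not code from the thread or from katzenpost). It assumes, as constructed model parameters, a global passive observer who can see which users are connected in each epoch and whether the target received a message, and decoy traffic that makes every online user indistinguishable as a sender within one epoch.

```python
import random


def intersection_attack(n_users, epochs, p_online, seed=1):
    """Simulate a global passive observer running a long-term intersection
    attack against a loopix-style mixnet that uses decoy traffic.

    Constructed model (assumptions, not from the thread):
      * user 0 sends a real message to the target in every epoch in which
        user 0 is online; every user is online with probability p_online;
      * every online user emits decoy traffic, so within a single epoch the
        observer cannot tell the real sender from decoy senders;
      * the observer does see which users are connected in each epoch and
        whether the target received a message that epoch.
    Returns the size of the observer's candidate set after each epoch in
    which the target received a message (user 0 is always a member).
    """
    rng = random.Random(seed)
    sender = 0
    candidates = set(range(n_users))   # anonymity set before any observation
    sizes = []
    for _ in range(epochs):
        online = {u for u in range(n_users) if rng.random() < p_online}
        if sender not in online:
            continue                   # no real message this epoch: nothing learned
        # A message arrived, so the real sender was among the online users.
        # Decoy traffic hides *which* online user sent it, but it cannot put
        # users who were offline back into the anonymity set.
        candidates &= online
        sizes.append(len(candidates))
    return sizes


if __name__ == "__main__":
    # With no churn the anonymity set never shrinks; with churn it collapses.
    print("everyone always online:", intersection_attack(50, 200, 1.0)[-1])
    print("50% chance online per epoch:", intersection_attack(50, 200, 0.5)[:10])
```

The second run shows the candidate set shrinking toward the single real sender as epochs accumulate, regardless of how much decoy traffic the online users emit.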