Version Mildenberg

lecture: Practical Mix Network Design

Strong metadata protection for asynchronous messaging

Event large

We shall explain the renewed interest in mix networks. Like Tor, mix networks protect metadata by using layered encryption and routing packets between a series of independent nodes. Mix networks resist vastly more powerful adversary models than Tor though, including global passive adversaries. In so doing, mix networks add both latency and cover traffic. We shall outline the basic components of a mix network, touch on their roles in resisting active and passive attacks, and discuss how the latency impacts reliability, application design, and user experience.

Interest in privacy technologies has surged over the previous decade, due in part to the Snowden revelations as well as earlier revelations of warrantless wiretaping by the NSA. Tor has justifiably received considerable attention for protecting location metadata when using existing Internet protocols. We believe the time is right though to deploy far stronger systems that cover more specific use cases, especially email and monetary transactions.

There are serious limitations to the adversary models addressed by Tor, which manifests today as website fingerprinting attacks, but easily extend to devastating attacks on most use cases, including messaging systems like Briar and Ricochet.

Academics have proposed various anonymity technologies with far stronger threat models than Tor, but by far the most deployable and efficient option remains mix networks, which date to the founding of anonymity research by David Chaum in 1981. Tor was inspired by mix networks and shares some superficial similarities, but mix networks' are vastly stronger if they judiciously add latency and cover traffic.

There are several historical reasons why mixnets lost popularity and why Tor's onion routing won. Namely, Tor is
low latency and really good at being usable. This is in contrast to mix networks which are essentially an unreliable packet switching network. Historically mix networks achieved enough mix entropy by using long delays whereas it is becoming more widely understood that there exists a tradeoff between legit traffic, decoy traffic and latency.

We believe a strong anonymity network is urgently needed so that individuals can retain a core of control over what metadata they expose to traffic analysis. We further suspect the world is ready to pay for deploying it, and developing the specialized applications to exploit it, both for messaging privacy and for privacy preserving financial systems like ZCash or Taler.