Mix network

Simple decryption mix net. Messages are encrypted under a sequence of public keys. Each mix node removes a layer of encryption using its own private key. The node shuffles the message order, and transmits the result to the next node.

Mix networks^[1] are routing protocols that create hard-to-trace communications by using a chain of proxy servers known as mixes which take in messages from multiple senders, shuffle them, and send them back out in random order to the next destination (possibly another mix node). This breaks the link between the source of the request and the destination, making it harder for eavesdroppers to trace end-to-end communications. Furthermore, mixes only know the node that it immediately received the message from, and the immediate destination to send the shuffled messages to, making the network resistant to malicious mix nodes.^[2]^[3]

Each message is encrypted to each proxy using public key cryptography; the resulting encryption is layered like a Russian doll (except that each "doll" is of the same size) with the message as the innermost layer. Each proxy server strips off its own layer of encryption to reveal where to send the message next. If all but one of the proxy servers are compromised by the tracer, untraceability can still be achieved against some weaker adversaries.

The concept of mix networks first described by David Chaum in 1981.^[4] Applications that are based on this concept include anonymous remailers (such as Mixmaster) and onion routing (including Tor).

How it works

Participant A prepares a message for delivery to participant B by appending a random value R to the message, sealing it with the addressee's public key $K_b$ , appending B’s address, and then sealing the result with the mix's public key $K_m$ . M opens it with his private key, now he knows B’s address, and he sends $K_b(message, R)$ to B.

Message format

$K_m(R1,K_b(R0,message),B)\longrightarrow(K_b(R0,message),B)$

To accomplish this, the sender takes the mix’s public key ( $K_m$ ), and uses it to encrypt an envelope containing a random string ( $R1$ ), a nested envelope addressed to the recipient, and the email address of the recipient (B). This nested envelope is encrypted with the recipient’s public key ( $K_b$ ), and contains another random string (R0), along with the body of the message being sent. Upon receipt of the encrypted top-level envelope, the mix uses its secret key to open it. Inside, it finds the address of the recipient (B) and an encrypted message bound for B. The random string ( $R1$ ) is discarded.

$R0$ is needed in the message in order to prevent an attacker from guessing messages. It is assumed that the attacker can observe all incoming and outgoing messages. If the random string is not used (i.e. only $(K_b(message))$ is sent to $B$ ) and an attacker has a good guess that the message $message'$ was sent, he can test whether $K_b(message')=K_b(message)$ holds, whereby he can learn the content of the message. By appending the random string $R0$ the attacker is prevented from performing this kind of attack; even if he should guess the correct message (i.e. $message'=message$ is true) he won't learn if he is right since he doesn't know the secret value $R0$ . Practically, $R0$ functions as a salt.

Return Addresses

What is needed now is a way for B to respond to A while still keeping the identity of A secret from B.

A solution is for A to form an untraceable return address $K_m(S1, A), K_x$ where $A$ is its own real address, $K_x$ is a public one-time key chosen for the current occasion only, and $S1$ is a key that will also act as a random string for purposes of sealing. Then, A can send this return address to B as part of a message sent by the techniques already described.

B sends $K_m(S1, A), K_x (S0, response)$ to M, and M transforms it to $A, S1 (K_x (S0, response))$ .

This mix uses the string of bits $S1$ that it finds after decrypting the address part $K_m(S1, A)$ as a key to re-encrypt the message part $K_x(S0, response)$ . Only the addressee, A, can decrypt the resulting output because A created both $S1$ and $K_x$ . The additional key $K_x$ assures that the mix cannot see the content of the reply-message.

The following indicates how B uses this untraceable return address to form a response to A, via a new kind of mix:

The message from A $\longrightarrow$ B:

$K_m(R1, K_b(R0, message, K_m(S1, A), K_x ), B)\longrightarrow K_b(R0, message, K_m(S1, A), K_x )$

Reply message from B $\longrightarrow$ A:

$K_m(S1, A) , K_x(S0, response)\longrightarrow A, S1(K_x(S0, response))$

Where: $K_b$ = B’s public key, $K_m$ = the mix’s public key.

A destination can reply to a source without sacrificing source anonymity. The reply message shares all of the performance and security benefits with the anonymous messages from source to destination.

References

↑ Also known as "digital mixes"
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ David Chaum, Untraceable electronic mail, return addresses, and digital pseudonyms, Comm. ACM, 24, 2 (Feb. 1981); 84-90

[1] Also known as "digital mixes"

[2] Lua error in package.lua at line 80: module 'strict' not found.

[3] Lua error in package.lua at line 80: module 'strict' not found.

[chaum-4] David Chaum, Untraceable electronic mail, return addresses, and digital pseudonyms, Comm. ACM, 24, 2 (Feb. 1981); 84-90

[1]

[2]

[3]

[4]

Mix network

Contents

How it works

Message format

Return Addresses

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools