-
Notifications
You must be signed in to change notification settings - Fork 7
State Of The Art
The goal of privacy-preserving messaging, or often anonymous messaging, is to hide the relationship between sender and receiver of a message. This is necessary since, in some cases, it may happen that capturing metadata allows adversaries to derive the content of encrypted message.
The following preceeding sections describe common mechanisms to achieve that goal.
A naive approach to hide the actual recipient is to broadcast the message to all possible recipients. This leads to a huge anonymity set for the receiver and there a very strong receiver anonymity. However, this scheme doesn't hide the sender of packet since the packet is not altered during its journey through the network and an adversary that is able to observe the whole network will be able to track the path of the message to its origin.
The biggest disadvantage of that scheme is that message overhead and computational complexity for the participants grow with the number of participants since each participant receives all messages sent through network and each incoming message need to be decoded to check whether that node is the recipient of that message.
Broadcasting is currently used by e.g. Bitmessage and Whisper
A significant improvement concerning message overhead and computational complexity is achieved by using mix nets and onion routing.
Before a message is sent through the network, the sender of the message chooses a random path containing some predefined number of intermediate nodes that relay the message until it is finally delivered to the recipient.
Once a node receives a message, it alters that messages and determines afterwards the address of the next node in the path. To mitigate timing analyses, the node will add also a randomly chosen latency before it finally passes that message bundled with other messages to the next node. In case there are no other messages, the node might add some cover traffic to hide how many messages are forwarded to the next node.
The messages are prepared in a way such that each node is only able to derive the address of the next node. This is done by using onion encryption. Instead of encrypting the message with a single key, the sender encrypts it sequentially vice-versa in the direction of the chosen path with secret shared with that node. Each node is then able to remove one encryption layer and derive the address of the next hop.
It is necessary to switch a path that a packet takes before it is received by the intended recipient. There exist multiple ways to do this. Each of them comes with several advantages and disadvantages.
Circuit switching means that the sender selects a predefined number of nodes and uses them to create a path through the network. The sender establishes a secure connection to the first node. Then asks that node to extend the path to the next node by forwarding a connection request to the next node. That mechanism is then repeated for the preceeding nodes along that path such that the sender possesses a shared secret with each of the nodes along the path.
That path, which is also called a circuit, is then used for some amount of time to encrypt all upcoming messages. After that amount of time, the sender selects a new path and negotiates a shared secret with each node of the new path.
The advantage of that construction is that it only uses slow asymmetric cryptography during the establishment of a new circuit. Apart from that, this construction gets along with fast symmetric cryptography.
A big problem of that construction is that sticking to one circuit for some amount of time gives a potential adversary the opportunity to perform timing analyses on packets sent through that circuit.
A famous application that uses circuit switching is TOR.
In contrast to circuit switching, each packet is routed separately through the network. Once a party wants to send a message through the network, it splits the message in pieces that have a previously specified length and sends each message independently over randomly chosen paths through the network.
The advantage is that this construction does not allow any timing analyses to deanonymize sender and/or receiver since each packet takes different routes.
A disadvantage of this construction is increased computational overhead since each packet requires several asymmetric cryptographic operations to create the packet and at each hop to derive the keys required to determine the address of the next hop. It also leads to an unpredictable order in which the fragments of the message receive at the final receiver.
Packet switching is used by HOPR and constructions based on I2P like Monero Chat.
Since the forwarding of messages does not only require bandwidth but also computational ressources to alter the message and to determine the sender of the message, it is reasonable to compensate the nodes along the path for their work. For that reason, there need to be a way to transfer assets to these parties while preserving the privacy provided by the message delivery mechanism.
Coming soon
Coming soon