The katzenpost 😼 mixnet

Last week several of us went to Athens (Greece) for a hackathon around katzenpost. Katzenpost is a mix network, based on the Loopix anonymity system, developed as part of the european union project PANORAMIX.

Mix networks are great tools to provide anonymity. In contrast with Tor, a mix network provides better anonymity at the cost of getting a higher latency. A mix network is not usually a good fit for web browsing or streaming, but it can be a great fit for cases like messaging or email that have better tolerances to latency. And still, we are talking about very acceptable times, so it is a very good tradeoff! The mix network protects users against global adversaries that can see all the traffic of the internet (yes, like those three letter agencies). Even a powerful global adversary cannot discover who in a mix network is sending messages to whom.

Mix networks achieve the anonymity goal by setting up a path that messages will travel by jumping from one mix node to another, and delaying the messages in each node by some unpredictable time. The size of each packet in the mixnet is constant, fragmenting and padding the messages into several packets if needed. The way in which messages get mixed in the nodes produces that an external observer is not able to correlate the messages that enter the system with the outgoing ones. This is improved by adding decoy traffic, which is dummy traffic that is generated to produce a constant flow of messages in the nodes.

All this nice properties hold on as long as at least one node of the path of the message is not compromised.

There have been other mix networks in the past, like mixminion or mixmaster. Until today, no mix network did achieve much traction, among other things because email would take hours, days or never arrive. One of the great advantages of Loopix is that the sender’s software has an estimation of how long it will take for the message to arrive. The other is that one can tune the parameters of the mix to optimize for different types of messages (ie, instant messaging or email).

Katzenpost uses Loopix in a clever way. Each message gets introduced in the mix network by an agent sitting on the user’s client (for example Bitmask), and it arrives to the destination provider. The messages include a SURB (Single-Use Reply Block), some nifty kind of crypto packet that allows the recipient (in this case the provider, right before delivering it to the “inbox” of the real recipient) to craft a reply without knowing the real identity of the sender. Using the SURBs, the destination provider can send ACKs to the sender client, so the client knows if the message has arrived or if it should retransmit. The whole return path for this ACK mechanism is chosen by the sender.

The destination provider sees how many messages each user receives, but does not know how many were sent from where, or even if they are real or dummy messages used for cover traffic. For what the destination provider can tell, and given that the actual message payloads are end-to-end encrypted, it might well be that the recipient is injecting decoy traffic into its own mailbox. For sending, the katzenpost client always chooses its own provider as the first mix in the path, so only authenticated users can introduce messages into the network.

The katzenpost software is still in a heavy development phase. Last week we succeded for the first time on running a full testbed mixnet with two providers and 4 mixes, spanning across Amsterdam, Hong Kong, Berlin and Washington DC. We created bindings to be able to write clients in go, python and java. We started the integration in bitmask, K9 and a custom fork of Telegram. And started seeing messages being delivered in the network.

There is still a lot of work to be done to get a full stable mix network based on katzenpost. But we are one step closer to making a usable mixnet.