Mix network

Mix networks are routing protocols that create hard-to-trace communications by using a chain of proxy servers known as mixes which take in messages from multiple senders, shuffle them, and send them back out in random order to the next destination. This breaks the link between the source of the request and the destination, making it harder for eavesdroppers to trace end-to-end communications. Furthermore, mixes only know the node that it immediately received the message from, and the immediate destination to send the shuffled messages to, making the network resistant to malicious mix nodes.
Each message is encrypted to each proxy using public key cryptography; the resulting encryption is layered like a Russian doll with the message as the innermost layer. Each proxy server strips off its own layer of encryption to reveal where to send the message next. If all but one of the proxy servers are compromised by the tracer, untraceability can still be achieved against some weaker adversaries.
The concept of a mix "cryptosystem" in the context of electronic mail was first described by David Chaum in 1981 because of the "traffic analysis problem". Applications that are based on this concept include anonymous remailers, onion routing, garlic routing, and key-based routing. Large-scale implementations of the mix network concept began to emerge in the 2020s, driven by advancements in privacy-preserving technologies and decentralized infrastructure.

History

published the concept of "mixes" in 1979 in a paper for his master's degree thesis work, shortly after he was first introduced to the field of cryptography through the work of public key cryptography, Martin Hellman, Whitfield Diffie and Ralph Merkle. While public key cryptography encrypted the security of information, Chaum believed there to be personal privacy vulnerabilities in the meta data found in communications. Some vulnerabilities that enabled the compromise of personal privacy included time of messages sent and received, size of messages and the address of the original sender. He cites Martin Hellman and Whitfield's paper in his work.

1990s: Cypherpunk movement

Innovators like Ian Goldberg and Adam Back made huge contributions to mixnet technology. This era saw significant advancements in cryptographic methods, which were important for the practical implementation of mixnets. Mixnets began to draw attention in academic circles, leading to more research on improving their efficiency and security. However, widespread practical application was still limited, and mixnets stayed largely within experimental stages. A "cypherpunk remailer" software was developed to make it easier for individuals to send anonymous emails using mixnets.

2000s: Inspiration for other anonymous networks

In the 2000s, the increasing concerns about internet privacy highlighted the significance of mix networks. This era was marked by the emergence of Tor around the mid-2000s. Although Tor was not a straightforward implementation of a mixnet, it drew heavily from David Chaum's foundational ideas, particularly utilizing a form of onion routing akin to mixnet concepts. This period also witnessed the emergence of other systems that incorporated mixnet principles to various extents, all aimed at enhancing secure and anonymous communication.

2010s: Renewed academic interest in mix networks

Entering the 2010s, there was a significant shift towards making mixnets more scalable and efficient. This change was driven by the introduction of new protocols and algorithms, which helped overcome some of the primary challenges that had previously hindered the widespread deployment of mixnets. The relevance of mixnets surged, especially after 2013, following Edward Snowden's disclosures about extensive global surveillance programs. This period saw a renewed focus on mixnets as vital tools for protecting privacy.
The Loopix architecture, introduced in 2017, integrated several pre-existing privacy-enhancing techniques to form a modern mix network design. Key elements of Loopix included:

"Sphinx" packet format, ensuring unlinkability and layered encryption
Poisson-process-based packet transmission, introducing randomness to prevent traffic correlation attacks.
Exponential mixing delays, making traffic analysis more difficult.
Loop-based cover traffic, where dummy packets are continuously injected to obscure real data flows.
Stratified mix node topology, optimizing anonymity while maintaining network efficiency.

The rise of blockchain technologies opened new possibilities for scalable decentralized systems, paving the way for large-scale, distributed mix networks.

2020s: First large-scale implementations

Throughout the 2020s, various public and private research and development programs contributed to the realization of the first large-scale mix networks. By 2025, multiple projects—including 0KN, HOPR, Katzenpost, Nym, and xx.network —are under active development, aiming to enhance privacy-preserving communication on a broader scale.

How it works

Participant A prepares a message for delivery to participant B by appending a random value R to the message, sealing it with the addressee's public key, appending B's address, and then sealing the result with the mix's public key.
M opens it with his private key, now he knows B's address, and he sends to B.

Message format

To accomplish this, the sender takes the mix's public key, and uses it to encrypt an envelope containing a random string, a nested envelope addressed to the recipient, and the email address of the recipient. This nested envelope is encrypted with the recipient's public key, and contains another random string, along with the body of the message being sent. Upon receipt of the encrypted top-level envelope, the mix uses its secret key to open it. Inside, it finds the address of the recipient and an encrypted message bound for B. The random string is discarded.
is needed in the message in order to prevent an attacker from guessing messages. It is assumed that the attacker can observe all incoming and outgoing messages. If the random string is not used and an attacker has a good guess that the message was sent, he can test whether holds, whereby he can learn the content of the message. By appending the random string the attacker is prevented from performing this kind of attack; even if he should guess the correct message he won't learn if he is right since he doesn't know the secret value. Practically, functions as a salt.

Return addresses

What is needed now is a way for B to respond to A while still keeping the identity of A secret from B.
A solution is for A to form an untraceable return address where is its own real address, is a public one-time key chosen for the current occasion only, and is a key that will also act as a random string for purposes of sealing. Then, A can send this return address to B as part of a message sent by the techniques already described.
B sends to M, and M transforms it to.
This mix uses the string of bits that it finds after decrypting the address part as a key to re-encrypt the message part. Only the addressee, A, can decrypt the resulting output because A created both and.
The additional key assures that the mix cannot see the content of the reply-message.
The following indicates how B uses this untraceable return address to form a response to A, via a new kind of mix:
The message from A ''B:
Reply message from B''''A:
Where: = B''’s public key, = the mix's public key.
A destination can reply to a source without sacrificing source anonymity. The reply message shares all of the performance and security benefits with the anonymous messages from source to destination.

Vulnerabilities

Although mix networks provide security even if an adversary is able to view the entire path, mixing is not absolutely perfect. Adversaries can provide long term correlation attacks and track the sender and receiver of the packets.

Threat model

An adversary can perform a passive attack by monitoring the traffic to and from the mix network. Analyzing the arrival times between multiple packets can reveal information. Since no changes are actively made to the packets, an attack like this is hard to detect. In a worst case of an attack, we assume that all the links of the network are observable by the adversary and the strategies and infrastructure of the mix network are known.
A packet on an input link cannot be correlated to a packet on the output link based on information about the time the packet was received, the size of the packet, or the content of the packet. Packet correlation based on packet timing is prevented by batching and correlation based on content and packet size is prevented by encryption and packet padding, respectively.
Inter-packet intervals, that is, the time difference between observation of two consecutive packets on two network links, is used to infer if the links carry the same connection. The encryption and padding does not affect the inter-packet interval related to the same IP flow. Sequences of inter-packet interval vary greatly between connections, for example in web browsing, the traffic occurs in bursts. This fact can be used to identify a connection.

Active attack

Active attacks can be performed by injecting bursts of packets that contain unique timing signatures into the targeted flow. The attacker can perform attacks to attempt to identify these packets on other network links. The attacker might not be able to create new packets due to the required knowledge of symmetric keys on all the subsequent mixes. Replay packets cannot be used either as they are easily preventable through hashing and caching.