Announcing Meson: An Ethereum Mixnet To Rule Them All

HashCloak, Fri 15 November 2019, Annoucements

annoucements

One of the Achille's heels of Ethereum is its lack of privacy guarantees, both on-chain and at the network layer. Although the former has been addressed by a few well-known projects, very little has been focused on the latter. Being able to provide censorship and metadata-resistant network privacy is important for protecting Ethereum users' privacy. This lack of network layer privacy doesn't only affect Ethereum, it affects ALL Ethereum-based chains i.e. forks of Ethereum. In order to address this, we are announcing Meson, a mix network for all Ethereum-based networks.

What is a Mix Network?

A mix network (mixnet for short) is a kind of anonymous communication network that aims to be resistant to traffic analysis and censorship. They are designed to be resistant against a global passive adversary (think 3 letter agencies in your country of choice). A mixnet consists of a series of cryptographic relays that remove linkability of sender to receiver of messages through layered encryption and cryptographic shuffling techniques. This means that mixnets provide anonymity for modern, realistic threats. Mixnets were first introduced by David Chaum in 1981 and has inspired the design of many anonymous communication protocols used today.

Meson is built upon the Katzenpost mix network. Katzenpost is a project funded by the EU's Horizon R&D programme.It's development is led by a team of anonymous communications experts. It uses many recently designed constructs such as the SPHINX packet format and uses elements from well-known protocols for its design such as the Loopix Anonymity System and Tor. For an introduction to the Katzenpost mixnet, this video by David Stainton provides a great overview of the system and its tradeoffs.

In particular, providers will run multiple instances of the Meson plugin, configured for as many Ethereum-based chains it wants i.e. for multiple chain IDs. Clients can compose a SPHINX packet that contains a raw Ethereum transaction as its payload. This packet gets sent to the mixnet, to one of the providers running the Meson plugin. The providers then relay this transaction to the Ethereum mainnet (or one of its derived chains). This act removes a user's network interactions with its on-chain interactions. A great compliment to the recent advances to on-chain privacy on Ethereum!

If you want to learn more about mix networks and anonymous communication protocols in general, this talk by Claudia Diaz is a great introduction.

Why a Mix Network? Can't you just use Tor?

Short answer: Yes, you can but ... probably shouldn't! It's complicated!

Long answer:

Tor is a well-known low-latency anonymous communication network that makes use of onion routing for masking traffic. To access Tor, users usually download the Tor browser and browse the Internet through that. There are 3 mains reasons that we'll go into for why Tor isn't a good idea for crypocurrency transactions: its scaling problems, its threat model and the fact that using Tor in non-recommended ways can do more harm than good.

First, scaling in Tor is actually an important issue. Although it has improved tremendously in the past few years, it's still a problem for regular users. One of the main reasons for this is that Tor uses source routing to route messages through its network. This means that at the start of communication, the initiator has to choose the full path in which traffic gets sent to. The use of source routing actually makes Tor resistant to failure of routers. However, it does mean that initiators need a complete view of the network at any given time. This translates to users having to periodically download a bunch of router specific information such as the full list of routers, their public keys, etc.

Second, Tor's threat model doesn't handle global passive adversaries. For many users, this may not be of concern. But, as recent news shows, global passive adversaries have been able to figure out a bunch about Tor users activities through metadata leakage. So, this kind of threat is no longer mythical but indeed realistic.

Lastly, the best way to use and access Tor is through its bundled browser. If you do everything right and given that you have a reasonable threat model, accessing Tor through the Tor browser is pretty safe. The Tor team has done a great job at making it Tor usable and accessible through its browser. However, once one leaves this nice sandbox, it's very easy to mess up and undo all this hard work. There has been efforts to make torifying applications easier such as Torsocks, it's still pretty easy to mess this up. One of the main goals of Meson is to make it easy to integrate network-level anonymity in a developer's mixer or wallet app. Having to learn the intricacies of the Tor network increases the burden on the developers. Although, it is noted that one should have a decent understanding on these networks anyway! Moreover, it has been shown that using Tor for cryptocurrency transactions can be bad for the network. Even though that paper specifically talks about Bitcoin, the lessons can apply to many other networks.

Roadmap

Meson is a work-in-progress. The first step towards making Meson a reality is a long-lived testnet. This will help us find what configurations we need for a production ready mixnet and help the Katzenpost team with the development of their software. Other things in our roadmap include:

Special thanks to David Staiton for taking the time to help us through Katzenpost and Goncalo Pestana for the helpful discussions and PR reviews!

Since the posting of this announcement, it has been brought to our attention several errors in our comparison between Katzenpost and Tor. Special thanks to Chelsea H Komlo for pointing them out and expanding on them in this twitter thread.