cMix: Mixing with Minimal Real-Time Asymmetric Cryptographic Operations

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)


We introduce cMix, a new approach to anonymous communications. Through a precomputation, the core cMix protocol eliminates all expensive real-time public-key operations—at the senders, recipients and mixnodes—thereby decreasing real-time cryptographic latency and lowering computational costs for clients. The core real-time phase performs only a few fast modular multiplications.

In these times of surveillance and extensive profiling there is a great need for an anonymous communication system that resists global attackers. One widely recognized solution to the challenge of traffic analysis is a mixnet, which anonymizes a batch of messages by sending the batch through a fixed cascade of mixnodes. Mixnets can offer excellent privacy guarantees, including unlinkability of sender and receiver, and resistance to many traffic-analysis attacks that undermine many other approaches including onion routing. Existing mixnet designs, however, suffer from high latency in part because of the need for real-time public-key operations. Precomputation greatly improves the real-time performance of cMix, while its fixed cascade of mixnodes yields the strong anonymity guarantees of mixnets. cMix is unique in not requiring any real-time public-key operations by users. Consequently, cMix is the first mixing suitable for low latency chat for light-weight devices.

Our presentation includes a specification of cMix, security arguments, anonymity analysis, and a performance comparison with selected other approaches. We also give benchmarks from our prototype.



We thank the anonymous reviewers for their comments. We also thank the following people for helpful suggestions: David Delatte, Russell Fink, Bryan Ford, Moritz Neikes, and Dhananjay Phatak.

Sherman was supported in part by the National Science Foundation under SFS grant 1241576 and a subcontract of INSuRE grant 1344369, and by the Department of Defense under CAE-R grant H98230-15-10294. Krasnova conducted this research within the Privacy and Identity Lab (PI.lab, funded by (


  1. 1.
    Adida, B., Wikström, D.: Offline/online mixing. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 484–495. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-73420-8_43 CrossRefGoogle Scholar
  2. 2.
    Backes, M., Goldberg, I., Kate, A., Mohammadi, E.: Provably secure and practical onion routing. In: Proceeding of the 25th IEEE Computer Security Foundations Symposium (CSF), pp. 369–385 (2012)Google Scholar
  3. 3.
    Backes, M., Kate, A., Mohammadi, E.: Ace: an efficient key-exchange protocol for onion routing. In: Proceeding of the 11th ACM Workshop on Privacy in the Electronic Society (WPES), pp. 55–64 (2012)Google Scholar
  4. 4.
    Benaloh, J.: Simple verifiable elections. In: Proceeding of USENIX/Accurate Electronic Voting Technology Workshop (EVT), p. 5 (2006)Google Scholar
  5. 5.
    Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012)CrossRefzbMATHGoogle Scholar
  6. 6.
    Berthold, O., Pfitzmann, A., Standtke, R.: The disadvantages of free MIX routes and how to overcome them. In: Federrath, H. (ed.) Designing Privacy Enhancing Technologies. LNCS, vol. 2009, pp. 30–45. Springer, Heidelberg (2001). doi: 10.1007/3-540-44702-4_3 CrossRefGoogle Scholar
  7. 7.
    Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_23 CrossRefGoogle Scholar
  8. 8.
    Camenisch, J., Lysyanskaya, A.: A formal treatment of onion routing. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 169–187. Springer, Heidelberg (2005). doi: 10.1007/11535218_11 CrossRefGoogle Scholar
  9. 9.
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 4(2), 84–88 (1981)CrossRefGoogle Scholar
  10. 10.
    Chaum, D., Das, D., Javani, F., Kate, A., Krasnova, A., Ruiter, J.D., Sherman, A.T.: cMix: mixing with minimal real-time asymmetric cryptographic operations. Cryptology ePrint Archive, Report 2016/008 (2016).
  11. 11.
    Chen, C., Asoni, D.E., Barrera, D., Danezis, G., Perrig, A.: HORNET: high-speed onion routing at the network layer. In: Proceeding of the 22nd ACM Conference on Computer and Communications Security, pp. 1441–1454 (2015)Google Scholar
  12. 12.
    Danezis, G.: The traffic analysis of continuous-time mixes. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 35–50. Springer, Heidelberg (2005). doi: 10.1007/11423409_3 CrossRefGoogle Scholar
  13. 13.
    Danezis, G., Diaz, C., Troncoso, C.: Two-sided statistical disclosure attack. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 30–44. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-75551-7_3 CrossRefGoogle Scholar
  14. 14.
    Danezis, G., Serjantov, A.: Statistical disclosure or intersection attacks on anonymity systems. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 293–308. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30114-1_21 CrossRefGoogle Scholar
  15. 15.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: Proceeding of the 13th USENIX Security Symposium, pp. 303–320 (2004)Google Scholar
  16. 16.
    Dingledine, R., Shmatikov, V., Syverson, P.: Synchronous batching: from cascades to free routes. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 186–206. Springer, Heidelberg (2005). doi: 10.1007/11423409_12 CrossRefGoogle Scholar
  17. 17.
    Dolev, D., Reischuk, R., Strong, H.R.: Early stopping in byzantine agreement. J. ACM 37(4), 720–741 (1990)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Evans, N.S., Dingledine, R., Grothoff, C.: A practical congestion attack on tor using long paths. In: Proceeding of the 18th USENIX Security Symposium, pp. 33–50 (2009)Google Scholar
  19. 19.
    Galteland, H., Mjølsnes, S.F., Olimid, R.F.: Attacks on cMix - some small overlooked details. Cryptology ePrint Archive, Report 2016/729 (2016).
  20. 20.
    Goldberg, I., Stebila, D., Ustaoglu, B.: Anonymity and one-way authentication in key exchange protocols. Des. Codes Crypt. 67(2), 245–269 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Goldschlag, D.M., Reed, M.G., Syverson, P.F.: Onion routing. Commun. ACM 42(2), 39–41 (1999)CrossRefGoogle Scholar
  22. 22.
    Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1995)MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    Golle, P., Jakobsson, M., Juels, A., Syverson, P.: Universal re-encryption for mixnets. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 163–178. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-24660-2_14 CrossRefGoogle Scholar
  24. 24.
    Halevi, S., Micali, S.: Practical and provably-secure commitment schemes from collision-free hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 201–215. Springer, Heidelberg (1996). doi: 10.1007/3-540-68697-5_16 Google Scholar
  25. 25.
    Jakobsson, M.: Flash mixing. In: Proceedings of 18th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 83–89 (1999)Google Scholar
  26. 26.
    Jakobsson, M., Juels, A.: An optimally robust hybrid mix network. In: Proceedings of 20th Annual ACM Symposium on Principles of Distributed Computing, pp. 284–292 (2001)Google Scholar
  27. 27.
    Jansen, R., Tschorsch, F., Johnson, A., Scheuermann, B.: The sniper attack: anonymously deanonymizing and disabling the Tor network. In: Proceedings of Network and Distributed System Security Symposium (NDSS 2014) (2014)Google Scholar
  28. 28.
    Kate, A., Goldberg, I.: Using Sphinx to improve onion routing circuit construction. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 359–366. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14577-3_30 CrossRefGoogle Scholar
  29. 29.
    Kate, A., Zaverucha, G.M., Goldberg, I.: Pairing-based onion routing with improved forward secrecy. ACM Trans. Inf. Syst. Secur. 13(4), 29:1–29:32 (2010)CrossRefGoogle Scholar
  30. 30.
    Khazaei, S., Wikström, D.: Randomized partial checking revisited. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 115–128. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36095-4_8 CrossRefGoogle Scholar
  31. 31.
    Kwon, A., Lazar, D., Devadas, S., Ford, B.: Riffle: an efficient communication system with strong anonymity. PoPETs 2016(2), 115–134 (2016)Google Scholar
  32. 32.
    Murdoch, S.J., Danezis, G.: Low-cost traffic analysis of Tor. In: Proceedings of 26th IEEE Symposium on Security and Privacy, pp. 183–195 (2005)Google Scholar
  33. 33.
    Ohkubo, M., Abe, M.: A length-invariant hybrid mix. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 178–191. Springer, Heidelberg (2000). doi: 10.1007/3-540-44448-3_14 CrossRefGoogle Scholar
  34. 34.
    Øverlier, L., Syverson, P.: Improving efficiency and simplicity of tor circuit establishment and hidden services. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 134–152. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-75551-7_9 CrossRefGoogle Scholar
  35. 35.
    Øverlier, L., Syverson, P.F.: Locating hidden servers. In: Proceedings of 27th IEEE Symposium on Security and Privacy, pp. 100–114 (2006)Google Scholar
  36. 36.
    Park, C., Itoh, K., Kurosawa, K.: Efficient anonymous channel and all/nothing election scheme. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 248–259. Springer, Heidelberg (1994). doi: 10.1007/3-540-48285-7_21 CrossRefGoogle Scholar
  37. 37.
    Pfitzmann, A., Waidner, M.: Networks without user observability – design options. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 245–253. Springer, Heidelberg (1986). doi: 10.1007/3-540-39805-8_29 CrossRefGoogle Scholar
  38. 38.
    Pfitzmann, B.: Breaking an efficient anonymous channel. In: Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 332–340. Springer, Heidelberg (1995). doi: 10.1007/BFb0053448 Google Scholar
  39. 39.
    Raymond, J.-F.: Traffic analysis: protocols, attacks, design issues, and open problems. In: Federrath, H. (ed.) Designing Privacy Enhancing Technologies. LNCS, vol. 2009, pp. 10–29. Springer, Heidelberg (2001). doi: 10.1007/3-540-44702-4_2 CrossRefGoogle Scholar
  40. 40.
    Reed, M., Syverson, P., Goldschlag, D.: Anonymous connections and onion routing. IEEE J-SAC 16(4), 482–494 (1998)Google Scholar
  41. 41.
    Ruffing, T., Moreno-Sanchez, P., Kate, A.: P2P mixing and unlinkable Bitcoin transactions. In: NDSS 2017 (2017)Google Scholar
  42. 42.
    Serjantov, A., Dingledine, R., Syverson, P.: From a trickle to a flood: active attacks on several mix types. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 36–52. Springer, Heidelberg (2003). doi: 10.1007/3-540-36415-3_3 CrossRefGoogle Scholar
  43. 43.
    Serjantov, A., Sewell, P.: Passive attack analysis for connection-based anonymity systems. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 116–131. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-39650-5_7 CrossRefGoogle Scholar
  44. 44.
    Srikanth, T.K., Toueg, S.: Simulating authenticated broadcasts to derive simple fault-tolerant algorithms. Distrib. Comput. 2(2), 80–94 (1987)CrossRefGoogle Scholar
  45. 45.
    Sun, Y., Edmundson, A., Vanbever, L., Li, O., Rexford, J., Chiang, M., Mittal, P.: Raptor: routing attacks on privacy in Tor. In: Proceedings of 24th USENIX Security Symposium, pp. 271–286 (2015)Google Scholar
  46. 46.
    The Tor project (2003). Accessed April 2017

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Voting Systems InstituteLos AngelesUSA
  2. 2.Purdue UniversityWest LafayetteUSA
  3. 3.Cyber Defense LabUMBCBaltimoreUSA
  4. 4.Radboud UniversityNijmegenNetherlands

Personalised recommendations