
CMix: Anonymization by High-Performance Scalable Mixing [pdf] - 882542F3884314B
http://eprint.iacr.org/2016/008.pdf
======
JackC
One thing I'd like to better understand about cMix is the practical
implications for flow analysis attacks (watching who participates in each
round and trying to correlate senders and receivers based on participation in
the same rounds).

cMix seems to accept more likelihood of a worst-case adversary in order to
maximize efficiency. For example, the paper says: "Another notable difference
between cMix and most previous mixnets is that each mix node knows all
senders. This difference does not weaken the adversarial model because the
adversary is expected to know all participants of the mixing round, and in
cMix the unlinkability between a sender and a receiver is still ensured, by
even any one uncorrupted mix node. On the other hand, this can empower cMix
nodes to perform other tasks such as end-to-end secure messaging without
introducing a public-key infrastructure of the participants."

It's true that _in theory_ mixnets are often modeled by assuming a perfect
adversary who sees every message enter and exit the net and can perfectly
match it to an ongoing participant over time. But I believe that they don't
claim to offer perfect protection against such an adversary, and in practice
benefit from mostly not having to. It seems like cMix makes it easy for a
compromised Network Handler, or maybe any one compromised mix node(?), to
serve as that perfect adversary.

So ... does the design of cMix make it more likely that, in practice, it will
have to actually face a worst-case adversary that most mix networks don't have
to face?
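
Added example, not part of the comment above or of the cMix paper: a toy model of the round-participation correlation the comment describes, measuring how the set of candidate senders for one recipient shrinks for an observer who sees the full sender list of every round. The population, batch sizes, and the assumption that one sender messages the same recipient in every round are constructed for illustration.

```python
import random

def candidate_senders(rounds, recipient):
    """Intersect the sender sets of every round in which `recipient` got a message."""
    candidates = None
    for senders, receivers in rounds:
        if recipient in receivers:
            candidates = set(senders) if candidates is None else candidates & senders
    return candidates or set()

def simulate(population, batch, n_rounds, seed=0):
    """Return the candidate-set size after each round (constructed traffic model).

    User 0 ("alice") sends to "bob" in every round; the other batch-1 senders
    are drawn uniformly at random and write to unrelated recipients.
    """
    rng = random.Random(seed)
    alice, bob = 0, "bob"
    others_pool = list(range(1, population))
    rounds, sizes = [], []
    for _ in range(n_rounds):
        others = rng.sample(others_pool, batch - 1)
        senders = frozenset([alice] + others)
        receivers = {bob} | {f"rcpt-{u}" for u in others}
        rounds.append((senders, receivers))
        sizes.append(len(candidate_senders(rounds, bob)))
    return sizes

if __name__ == "__main__":
    # Partial participation: 100 of 1000 users per round.
    print("batch 100/1000 :", simulate(1000, 100, 10))
    # Full participation: every user sends in every round.
    print("batch 1000/1000:", simulate(1000, 1000, 10))
```

In this model the candidate set only stays large when the set of participants does not change between rounds, which is the quantity to watch when judging how much a node that knows all senders can learn over time.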

