Loop cover by Nomos node

• Purpose: Sender online unobservability and Receiver unobservability

• A loop cover message are routed through the mixnet and looped back to the sender.

  • The sender specifies a SURB (Single Use Reply Block) in the payload, which describes the loop-back route.
    • SURB is a Sphinx packet that is pre-created by the original message sender, which includes a loop-back route and a recipient (= message sender). For the detailed structure, please see ‣.
      • One thing different from the regular message delivery is that a loop-back message is finally delivered to a single recipient (not via broadcasting).
    • Sphinx packet format guarantees that the mix destionation (who is a source of the loop-back message) cannot know the loop-back destionation (who is a source of the original message).

• Sphinx packet creation

  • The process is the same as the one for regular messages, except a payload content.

  • Cover content

    • A static common data is used for all cover content (e.g. this is a cover\\0\\0..).
      • The size should be the same as a regular payload (1KiB).
    • To ensure the cover traffic indistinguishability (except the mix destination), the sender encrypts the payload by a shared key derived from a random ephemeral key.

    recipient_pubkey = my_pubkey  # NOTE: recipient == me, in loop cover
    ephemeral_keypair = ed25519_new()
    shared_key = diffie_hellman(ephemeral_keypair.private(), recipient_pubkey)
    
    cover_content = "this is a cover\\0\\0..."
    encrypted_cover_content = aes128_encrypt(cover_content, shared_key)
    

• Mix delay: same as ‣ of real traffic

• Interval

  • Loop cover is generated by both strategy 1 and 2.

  • Strategy 1: According to the λp of ‣ , generate loop cover if there is any scheduled real message to be sent out.

  • Strategy 2: Independently with the strategy 1, generate a separate stream of loop cover in Poisson distribution with a parameter λL (average loop cover stream delay. default 200ms).

    # TODO: this is async-style psuedo-code. convert this to sync-style python.
    def poll_poisson(λL):
    	if next_delay_ns is None:
    		# we never set an initial delay - let's do it now
    		next_delay = async_sleep(numpy.random.poisson(lam=λL, size=1))
    		return PENDING
    	if next_delay.is_pending():
    		return PENDING
    
    	# we know it's time to send a msg, so let's prepare delay for the next one
    	next_delay = async_sleep(
    		next_delay.deadline() + numpy.random.poisson(lam=λp, size=1)
    	)
    
    	return READY  # so that a loop cover can be generated
    

Drop cover by Nomos node

• Purpose: Sender online unobservability

  • Regardless of whether a Nomos node actually wants to send a message or not, drop cover traffic guarantees that there is always a stream of messages being sent.

• A mix client generates and sends drop cover traffic through mixnet, in the same manner as a regular message, except that a “drop” flag is encapsulated into the packet header.

  • Only a mix destination can detects the drop flag and drops it, instead of broadcasting it.

• Interval

  • Drop cover is generated by both strategy 1 and 2.
  • Strategy 1: According to the λp of ‣ , generate loop cover if there is any scheduled real message to be sent out.
  • Strategy 2: Independently with the strategy 1, generate a separate stream of drop cover in Poisson distribution with a parameter λD (average drop cover stream delay).

  <aside> ℹ️ Actually, Nym doesn’t produce drop cover. Instead, it produces only loop cover as desribed in ‣. I guess that it is because loop cover is not only basically the same as drop cover, but it also achieves the receiver unobservability additionally.

  TBD/TBR: We need to check if it’s okay to skip this. Note that, by increasing λD and λL, users can maintain strong anonymity with low message delay. (Loopix 4.2)

  </aside>

Loop cover by mix node

• Purpose: To ensure that there is sufficient traffic in the mixnet over time, which guarantees large anonymity sets and high levels of privacy.
• All mix nodes injects their own loop cover traffic at the Poisson rate λm, similar as loop cover by Nomos node (Strategy 2).

<aside> ℹ️ Actually, Nym doesn’t produce loop cover by mix node. I guess that it is because loop cover by user also makes traffics in the mixnet over time.

But, from the Loopix paper, they said (at 4.1.3): > “The number of messages in each mix node at any time will on average be λ/μ. However, an adversary observing the messages flowing into and out of a single mix node could estimate the exact number of messages within a mix with better accuracy - hindered only by the mix loop cover traffic.”

> “We conclude that the loops generated by the mix node obfuscate the adversary’s view and decrease the probability of successfully linking input and output of the mix node.”

TBD/TBR: We need more investigations to decide whether this is needed in our architecture.

</aside>

• This is especially useful to prevent the n-1 attack, according to Loopix 4.2.1.
  • n-1 attack: An attack at a mix node where an adversary blocks all but a target message from entering in order to follow the target message when it exits the mix node.
  • TBD: We can devise a public parameter r, which is a fraction of the number of loops that are expected to return. If the mix node doesn’t see this fraction of loops returning, they alter their behaviour. A gentle approach involves generating more cover traffic on outgoing links.
    • Therefore, an adversary must distinguish loop cover traffic from other types of traffic when blocking messages, to ensure that a fraction r of loops return to the mix node.
      • However, loop traffic is indistinguishable from other traffic because the loop flag is encapsulated only for the mix node (the loop sender).