Open in app

Sign up

Sign in

Write

Sign up

Sign in

Follow the packet (spoiler: you can’t)

Journey along to learn how mixnets protect patterns of communication enabling real online privacy

Nym
nymtech

--

It is that time of the year for deep reflection, setting intentions and deciding what is the most important focus for 2024. Nym has a singular focus:

  • Getting the power of mixnet technology into the hands of ordinary people by launching Nym’s first commercial app, the NymVPN.

But what is mixnet technology and what can it actually do for people?

Languages: 日本 // Русский // Português // Español // Bahasa Indonesia // 中文 // Française // Türkçe

There is a problem at the core of the internet. Some of you will already know about it. You might even have heard of how this problem can be fixed and have joined the community working together to fix it. For the rest of you, it’s time you’re also let in on the secret. This is for you: discover exactly what happens to your data and come along for a five-hop ride through the maze of mixnet technology.

The internet is a wild and wonderful place. An immense, global network of information, gossip and chatter, broken into little packets and routed through networks organised by protocols: TCP/IP, HTTP, UDP, FTP, TLS, DNS…

Billions of packets are routed through the internet every minute using these common protocols. But here’s the problem: the packets can be traced. It doesn’t matter that the content is encrypted, packets can still be watched to see who is speaking to who, how often, and from where. The standard protocols of the internet leave your patterns of communication fully visible to anyone watching parts of or the whole network. This includes internet service providers, VPN providers, internet exchanges, autonomous systems, BGP routers, even WiFi routers, LAN, and famously, the NSA and other security agencies.

So what can be done about it?

The obvious thing would be to immediately throw a cover over the internet to protect these packets. After all, it’s ludicrous that one of the main vehicles of communication for the entire world allows all kinds of people, companies and agencies to watch your communication without your knowledge. This is really not a normal state of affairs. And it’s about time it changes.

A mixnet is an ‘overlay network’ and provides just such a cover for internet traffic.

A novel update to the decades-old concept of mixed networks, the Nym mixnet scrambles traffic patterns to prevent corporate and government surveillance — and is designed for scale, usability, and anonymity.

Mixnets send your packets through several hops and mix them so that it becomes nearly impossible to trace these patterns of communication from one end to the other. Let’s go on a journey through the five hops of the Nym mixnet to learn more about exactly how that happens.

Here’s the TL;DR overview of the full journey:

  • The Nym client (this lives on your device to encrypt your packets before they get sent to the mixnet)
  • The entry gateway (this is the first hop and entry point to the magical world of mixnets)
  • The three mix nodes (these perform packet shuffling, scrambling communications)
  • The exit gateway (where data is sent out from the mixnet)
  • Hello world! Your packet has now entered the internet with no traceability back to you.

Nym mixnet traffic flow step one: the Nym client

The Nym client lives on your device. It takes any outbound traffic before it leaves your device and wraps each packet in layers of encryption. A packet is simply a piece of data that’s built using cryptographic primitives. The Nym mixnet uses a special type of packet called Sphinx, which is different from a TCP/IP packet. The way a Sphinx packet is designed is to ensure the confidentiality of your content or communications. Each Sphinx packet looks identical to others, to make them untraceable within the network based on their binary pattern.

Diagram of the traffic sent by the Nym WebAssembly Client

At the high level, a Sphinx packet is composed of two independent parts, a header and a body/payload part.

The header encapsulates all routing information needed to route the packet through the mixnet to the recipient. The payload contains the content of the communication, for example our ‘Hello World!’ message that we want to send through the mixnet. Both the header and the payload are independently layer-encrypted, meaning that there is a separate layer of encryption for each hop in the route. This also means that if your client has selected mix nodes A, B, C for your packet P, no other nodes can successfully process your packet P. And for each packet sent through the Nym mixnet, a Sphinx acknowledgment is received by the previous node, so they know it has arrived.

Sphinx encryption is a novel type of onion encryption, named for the lustrous layers of the root vegetable protecting its tiny core. Onion encryption ensures ‘bitwise-unlinkability’. In short, this means that when your packet traverses a mixnode, it changes its binary appearance. Neither the nodes in the route, nor a global surveillance actor observing the whole network, can link sender to receiver. For example, even if an entry and exit node collude, neither of them can tell whether they processed any common packets because of the changing binary pattern. Traditional TCP or UDP packets do not provide such a property, i.e. they look the same ‘going in’ as they do ‘going out’.

In addition to unlinkability, Sphinx provides ‘integrity protection’. What this means is that if a malicious node tries to malform a packet, Sphinx detects it and the packet is dropped in the network to prevent the tracing of tainted packets. Moreover, the Sphinx protocol also offers Single-Use-Reply-Blocks as a tool for anonymous replies, so the recipient of a packet can reply to the original sender without the need to learn their network location (i.e., IP).

To summarize, the Nym client lives on a user’s device or in an app. The Nym client manages the secure connection with the selected gateway, encrypts your communications and facilitates sending packets through the Nym mixnet. It also does things like storing a user’s private keys and NYM tokens to facilitate bandwidth credentials and more — but that’s for another time!

Nym mixnet traffic flow step two: the entry gateway

A gateway is the entry point to the mixnet. It acts as a proxy between the Nym client and the Nym mixnet and checks that a user has the necessary credentials to use the mixnet — whether they or the app they’re using have paid for fair usage.

All gateways are operated by the Nym community to ensure complete decentralization of the mixnet system. There are currently 70 gateways, which can be viewed on Nym Explorer along with metrics like routing score and reliability.

The gateways are necessary for a few reasons:

  • Gateways check bandwidth credentials to ensure that a particular user has a right to use the Nym mixnet — i.e., that they paid for it. This also limits Denial of Service attacks and free-riding, where people squeeze resources from networks without contributing to them.
  • Secondly, gateways also act as offline storage for incoming packets — so if a client is offline, the gateway stores this incoming communication until it gets back online.
  • And third, the gateway is your, well, gateway into the mixnet from the Nym client. This also means that the gateway can potentially see the client’s IP address. But they do not know anything about the destination of the packet, nor its content or metadata.

For super users, it’s possible to run your own gateway if you don’t want to expose the IP to that first hop.

Nym mixnet traffic flow step three: the three mix nodes

Your packet has now been Sphinx encypted by your client and sent to the entry gateway. Now what? This is where the magic ‘mixing’ happens. The entry gateway decrypts one layer of Sphinx to check which mix node to send your packet to first. What is a mix node? An independently run server that someone in the Nym community has created, also called a ‘hop’. All mix nodes are visible on the Nym Explorer.

This hop depends on a number of factors including geographical proximity and which mix nodes have been selected for the ‘active set’. The active set is simply the amount of nodes that are currently active and mixing traffic: 240 at any given time.

This ‘active set’ changes every ‘epoch’ — one epoch lasts an hour — and a selection algorithm checks the performance and reputation of nodes. This ensures traffic paths are continuously changing and malicious paths cannot be established by hostile node operators.

What is a ‘layer’ in the mixnet? Well, the mixnet arranges nodes into something called a ‘stratified topology’, which just means that the nodes are grouped into three layers, with the three hops distributed across these layers. This is to ensure horizontal scalability, efficiency, and anonymity by design.

When a data packet is routed, a mix node is picked at random from each layer, and a path is composed that has three hops. Take a look at this gif:

These mechanisms alone vastly improve user anonymity compared to traditional VPNs or even other decentralized privacy-preserving technologies.

But that’s not all: there are two very important features that make ‘following the packet’ even more difficult. These are timing obfuscation and cover traffic.

POV: you’re the NSA trying to track a data packet on the mixnet.

Timing obfuscation means that the order of packets are shuffled and reordered by each of the three mix nodes. This makes it near impossible for an observer to correlate an incoming to an outgoing packet. These intervals are practically imperceptible to humans.

Adding even further anonymity, all real data packets are mixed in with cover traffic. These are empty data packets that are the same size as real data packets. They’re useful for privacy because they create a “crowd” of packets obscuring any traffic patterns in a flurry of fake communication that’s useless to anyone snooping on the network.

Nym mixnet traffic flow step four: The exit gateway

Your packet has now reached the final hop in its journey: the exit gateway. The exit gateway will decrypt the final destination of the packet, working in tandem with a service provider that will connect the packet to whichever ‘clearnet’ website or app you are trying to reach.

The gateway can see the final destination. However, your data is routed on a per packet basis. This means that even in the event a malicious exit gateway was set up and was picked for the active set, it would only see a tiny portion of your traffic. Furthermore, the gateway does not see any plaintext. Content is still end-to-end encrypted by the original sender and is only decrypted by the receiving client.

Nym mixnet traffic flow step five: Hello world!

Your packet has now reached the rest of the world, passing through the protective cover of the mixnet. The patterns of your traffic have been protected, your data end to end encrypted, and any snoopers will have surely lost your packet by now. But this journey is just for a packet going out. But what about replies? And what if an app wants to fetch information via the mixnet?

Nym uses something called Single Use Reply Blocks, or SURBs. These allow applications to interact with other applications anonymously via the mixnet.

Say a client application needs to interact with an online service or a P2P application on another person’s machine. To avoid revealing any gateway or client keys (and defeating the point of anonymity via the mixnet), SURBs allow for anonymous interactions.

A SURB is a layer-encrypted set of Sphinx headers that detail a reply path that ends in the original application’s address. These are encrypted by the senders’ client so that a receiving service or application can attach its response and send back a Sphinx packet, without knowing who it is replying to.

In the case of larger anonymous replies like files, the mixnet uses something called ‘MultiSURBs’ — where a bundle of SURBs are created rather than just the one to handle bigger data capacity.

There is much more to the story, so stick around for next week’s deep-dive into the Nym client.

The power of the mixnet will soon reach ordinary people: NymVPN is launching later this year.

Join the Nym Community

Discord // Telegram // Element // Twitter

Privacy loves company

English // 中文 // Русский // Türkçe // Tiếng Việt // 日本 // Française // Español // Português // 한국인

The Nym mixnet is run by a wonderful community of operators all over the world. Some nodes donate their rewards to local community centres and social good projects, others run professional infrastructure services for profit. It is a growing and flourishing community with plenty of opportunities to get involved! If you are interested, start with reading the:

The right to privacy and anonymity online often comes under attack unfortunately. And this, despite the fact that strong privacy is the basis of better security online for everyone. Our friends at Tor who run exit gateways have experienced having their exit gateways seized. For this reason, the Nym operator community has started a legal forum to begin sharing best practices across the world.

Nym News
Mixnet
Privacy
Nym
Privacy Protection

--

--

Nym
nymtech
Follow

Written by Nym

4.1K Followers
Editor for

Building the next generation of privacy infrastructure… Check our publication for more content: https://medium.com/nymtech

Follow

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams