Pith. sign in

REVIEW 2 major objections 1 minor 24 references

Reviewed by Pith at T0; open to challenge.

T0 means a machine referee read the full paper against a public rubric. The mark states how deep the mechanical check went, never who wrote it. the ladder, T0–T4 →

T0 review · grok-4.3

TrustMix provides anonymity in mobile ad hoc networks by shuffling messages within groups of locally trusted parties without a central authority.

2026-06-26 17:16 UTC pith:N63252BH

load-bearing objection TrustMix gives a concrete group-shuffle design for MANET anonymity without central parties or topology knowledge, but the mobility and loss issues are not shown to be handled. the 2 major comments →

arxiv 2606.20251 v1 pith:N63252BH submitted 2026-06-18 cs.CR

TrustMix: How to Mix Messages in a Mobile Ad-hoc Network

classification cs.CR
keywords mix networksMANETsanonymitylinkable ring signaturesmobile ad hoc networksprivacy protocolsrate limiting
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents TrustMix, a protocol that enables anonymous message forwarding in mobile ad hoc networks. Users identify a nearby party they trust and send messages to that party's group, where all members shuffle the messages before forwarding them further through other groups. This design ensures that the sender and the outgoing message cannot be linked unless every member of the group is adversarial. Linkable ring signatures are used to enforce rate limits on message sending while preserving anonymity. The protocol's security is established in the random oracle model, with simulations showing improved anonymity and a mobile implementation demonstrating practical throughput.

Core claim

TrustMix allows parties to form groups and forward messages through multiple such groups for anonymity. A user forwards a message to a nearby trusted party's group, where the group shuffles messages so that the incoming and outgoing messages cannot be linked. Anonymity is preserved as long as not all parties in the group are adversarial. Rate limits are enforced using linkable ring signatures that detect excessive sending without revealing who is sending. The security is proven in the random oracle model.

What carries the argument

The group-based message shuffling, where messages are mixed by all parties in a group before forwarding to other groups.

Load-bearing premise

A user can reliably locate at least one nearby party they subjectively consider trusted, and the group shuffling prevents linking even with mobility and packet loss.

What would settle it

An experiment demonstrating that messages can be linked by an adversary who controls only some members of a group, or a scenario where no trusted party is available within communication range.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Users need only one locally trusted contact to participate.
  • Adversaries must compromise entire groups to de-anonymize messages.
  • Rate limits can be maintained without exposing user identities.
  • The system works on standard mobile devices with acceptable performance.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar group shuffling could apply to other decentralized communication systems.
  • Real-world deployment would require robust ways to discover and select trusted parties.
  • Further tests could examine performance under high mobility or with more devices.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 1 minor

Summary. The paper proposes TrustMix, a mix protocol for mobile ad-hoc networks (MANETs) without a central trusted party. Parties form groups; messages are forwarded through multiple groups where group members collectively shuffle them to provide unlinkability. A user needs only one nearby party they subjectively trust; anonymity is preserved unless the entire group is adversarial. Rate limiting is enforced via linkable ring signatures that detect excess messages without revealing identities. Security is claimed to be proven in the random oracle model. Anonymity is evaluated in an existing mix-network simulator (showing improvement), and a proof-of-concept Android implementation on 5 devices reports acceptable throughput.

Significance. If the central claims hold, the work is significant because it extends mix-network techniques to infrastructure-less MANETs, a setting where prior solutions require topology knowledge or trusted infrastructure. The group-shuffling approach and use of linkable ring signatures for decentralized rate limiting are technically interesting. Explicit strengths include the stated ROM security proof, use of an existing simulator for quantitative anonymity evaluation, and a real Android implementation demonstrating feasibility.

major comments (2)
  1. [Abstract / Security Proof] Abstract and security analysis: the unlinkability claim (anonymity holds unless the entire group is adversarial) is load-bearing for the central contribution, yet the ROM proof is stated without any indication that the model incorporates MANET channel dynamics (mobility-induced topology changes, packet loss, or dynamic group membership). This leaves open whether timing, path, or loss patterns can link messages even with honest group members.
  2. [Evaluation] Evaluation section: the simulator results are reported to show improved anonymity, but the description gives no evidence that the simulator was extended with MANET mobility models or lossy links; without this, the results do not directly support the claim that group shuffling works under the conditions stated in the weakest assumption.
minor comments (1)
  1. [Abstract] The abstract states that 'an existing mix-network simulator' is used but does not name the simulator or provide parameter settings; adding this would improve reproducibility.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We appreciate the referee's comments on the security model and evaluation. We address each point below and will make revisions to improve clarity on the assumptions in the security proof and the scope of the simulator evaluation.

read point-by-point responses
  1. Referee: [Abstract / Security Proof] Abstract and security analysis: the unlinkability claim (anonymity holds unless the entire group is adversarial) is load-bearing for the central contribution, yet the ROM proof is stated without any indication that the model incorporates MANET channel dynamics (mobility-induced topology changes, packet loss, or dynamic group membership). This leaves open whether timing, path, or loss patterns can link messages even with honest group members.

    Authors: The security proof establishes unlinkability under the assumption that messages reach the group members for collective shuffling. The random oracle model captures the cryptographic properties but abstracts the MANET channel as providing the necessary delivery for the protocol steps. We agree that the paper should more explicitly state these assumptions to address potential concerns about timing or loss-based linking. We will revise the security analysis to include a clear statement of the network model assumptions and explain why the group-based shuffling mitigates such attacks even in dynamic settings. revision: yes

  2. Referee: [Evaluation] Evaluation section: the simulator results are reported to show improved anonymity, but the description gives no evidence that the simulator was extended with MANET mobility models or lossy links; without this, the results do not directly support the claim that group shuffling works under the conditions stated in the weakest assumption.

    Authors: The evaluation demonstrates the anonymity gains from the multi-group shuffling mechanism using a standard mix network simulator. We acknowledge that the simulator does not incorporate MANET-specific features like mobility or packet loss. The real-world feasibility is instead shown through the Android prototype on mobile devices. We will update the evaluation section to clarify the purpose and limitations of the simulator results and discuss their relation to the MANET setting. revision: yes

Circularity Check

0 steps flagged

No circularity in derivation chain

full rationale

The paper defines a protocol for group-based mixing in MANETs, states a security proof in the random oracle model, evaluates anonymity via an existing external simulator, and reports an Android implementation. None of these steps reduce by construction to the protocol inputs; the ROM proof is a standard modeling technique external to the equations, the simulator is pre-existing, and no fitted parameters are renamed as predictions or self-citations invoked as load-bearing uniqueness results. The derivation chain is therefore self-contained.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The security argument rests on the random oracle model; no free parameters or new invented entities are mentioned in the abstract.

axioms (1)
  • standard math Random oracle model
    Security is proven in the random oracle model as stated in the abstract.

pith-pipeline@v0.9.1-grok · 5799 in / 1362 out tokens · 26112 ms · 2026-06-26T17:16:35.788176+00:00 · methodology

0 comments
read the original abstract

Mix networks are a highly effective way to achieve anonymity, defending against a wide range of traffic-analysis attacks. However, mix networks are usually designed for infrastructure networks and cannot be directly applied in the context of mobile ad hoc networks (MANETs). The few existing solutions for MANETs require advance knowledge of the topology or a trusted central party. In this paper, we present TrustMix, a mix protocol for MANETs that operates without any central trusted party. In TrustMix, parties join groups and then messages are forwarded via multiple groups to provide anonymity. With TrustMix, users only need to find a party nearby that they consider trusted. They then forward the message to this party's group, and the party shuffles messages before forwarding to other groups, meaning that the original message and the forwarded message cannot be linked. Furthermore, even if the chosen party is adversarial, they can only break the anonymity if all parties in their group are adversarial as all of them contribute to the shuffling. In addition to anonymity, TrustMix also enforces rate limits on the number of messages through the use of linkable ring signatures, which allows detecting that parties send more messages that allowed without revealing identities. We prove the security of our protocol in the random oracle model. We evaluate its anonymity using an existing mix-network simulator and show that TrustMix significantly improves message anonymity. Finally, we present a proof-of-concept Android implementation and show that TrustMix achieves acceptable throughput with 5 mobile devices.

Figures

Figures reproduced from arXiv: 2606.20251 by Aiswarya Walter, Stefanie Roos, Yu Shen.

Figure 1
Figure 1. Figure 1: Time consumption to mix 100 messages with different [PITH_FULL_IMAGE:figures/full_fig_p010_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Anonymity entropy of TrustMix with a varying pool [PITH_FULL_IMAGE:figures/full_fig_p010_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Anonymity entropy of TrustMix under different adver [PITH_FULL_IMAGE:figures/full_fig_p011_3.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

24 extracted references · 1 canonical work pages · 1 internal anchor

  1. [1]

    Albrecht, Jorge Blasco, Rikke Bjerg Jensen, and Lenka Marekov´a

    Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen, and Lenka Marekov´a. Collective information security in large-scale urban protests: the case of hong kong. In Michael D. Bailey and Rachel Greenstadt, editors,30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, pages 3363–3380. USENIX Association, 2021

  2. [2]

    Albrecht, Raphael Eikenberg, and Kenneth G

    Martin R. Albrecht, Raphael Eikenberg, and Kenneth G. Paterson. Breaking bridgefy, again: Adopting libsignal is not enough. In Kevin R. B. Butler and Kurt Thomas, editors,31st USENIX Security Sympo- sium, USENIX Security 2022, Boston, MA, USA, August 10-12, 2022, pages 269–286. USENIX Association, 2022

  3. [3]

    https://anonymous.4open.science/r/trustmix-e4a7

    Anonymous. https://anonymous.4open.science/r/trustmix-e4a7. Anony- mous code repository, 2026. Accessed: 2026-01

  4. [4]

    Succinct non-interactive zero knowledge for a von neumann architecture

    Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, and Madars Virza. Succinct non-interactive zero knowledge for a von neumann architecture. In Kevin Fu and Jaeyeon Jung, editors,Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20-22, 2014, pages 781–796. USENIX Association, 2014

  5. [5]

    Wallet databases with observers

    David Chaum and Torben Pryds Pedersen. Wallet databases with observers. In Ernest F. Brickell, editor,Advances in Cryptology - CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16-20, 1992, Proceedings, volume 740 ofLecture Notes in Computer Science, pages 89–105. Springer, 1992

  6. [6]

    Frank Denis, Edward Eaton, Tancr `ede Lepoint, and Christopher A. Wood. Key blinding for signature schemes. Internet-Draft draft-irtf- cfrg-signature-keyblinding-03, Internet Engineering Task Force, 2023

  7. [7]

    Toward A practical multi-party private set union.Proc

    Jiahui Gao, Son Nguyen, and Ni Trieu. Toward A practical multi-party private set union.Proc. Priv. Enhancing Technol., 2024(4):622–635, 2024

  8. [8]

    Secure distributed key generation for discrete-log based cryptosystems

    Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, and Tal Rabin. Secure distributed key generation for discrete-log based cryptosystems. In Jacques Stern, editor,Advances in Cryptology - EUROCRYPT ’99, International Conference on the Theory and Application of Crypto- graphic Techniques, Prague, Czech Republic, May 2-6, 1999, Proceed- ing, volume 1592 ofL...

  9. [9]

    Nationalizing the internet to break a protest movement: Internet shut- down and counter-appropriation in iran of late 2019.Proc

    Margarita Grinko, Sarvin Qalandar, Dave Randall, and V olker Wulf. Nationalizing the internet to break a protest movement: Internet shut- down and counter-appropriation in iran of late 2019.Proc. ACM Hum. Comput. Interact., 6(CSCW2):1–21, 2022

  10. [10]

    Verifiable shuffle of large size ciphertexts

    Jens Groth and Steve Lu. Verifiable shuffle of large size ciphertexts. In Tatsuaki Okamoto and Xiaoyun Wang, editors,Public Key Cryp- tography - PKC 2007, 10th International Conference on Practice and Theory in Public-Key Cryptography, Beijing, China, April 16-20, 2007, Proceedings, volume 4450 ofLecture Notes in Computer Science, pages 377–392. Springer, 2007

  11. [11]

    Mixim: Mixnet design decisions and empirical evaluation

    Iness Ben Guirat, Devashish Gosain, and Claudia D ´ıaz. Mixim: Mixnet design decisions and empirical evaluation. InWPES ’21: Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society, Virtual Event, Korea, 15 November 2021, pages 33–37. ACM, 2021

  12. [12]

    Nym credentials: Privacy-preserving decentralized iden- tity with blockchains

    Harry Halpin. Nym credentials: Privacy-preserving decentralized iden- tity with blockchains. InCrypto Valley Conference on Blockchain Technology, CVCBT 2020, Rotkreuz, Switzerland, June 11-12, 2020, pages 56–67. IEEE, 2020

  13. [13]

    Springer, 2004

    Darryl Hankerson, Alfred Menezes, and Scott Vanstone.Guide to Elliptic Curve Cryptography. Springer, 2004

  14. [14]

    Jois, Nelly Fazio, and James Mickens

    David Inyangson, Sarah Radway, Tushar M. Jois, Nelly Fazio, and James Mickens. Amigo: Secure group mesh messaging in realistic protest settings. In Chun-Ying Huang, Jyh-Cheng Chen, Shiuh-Pyng Shieh, David Lie, and V´eronique Cortier, editors,Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, CCS 2025, Taipei, Taiwan, Oc...

  15. [15]

    Anix: Anonymous blackout-resistant microblogging with message endorsing

    Sina Kamali and Diogo Barradas. Anix: Anonymous blackout-resistant microblogging with message endorsing. In Marina Blanton, William Enck, and Cristina Nita-Rotaru, editors,IEEE Symposium on Security and Privacy, SP 2025, San Francisco, CA, USA, May 12-15, 2025, pages 1381–1399. IEEE, 2025

  16. [16]

    ANODR: anonymous on demand rout- ing with untraceable routes for mobile ad-hoc networks

    Jiejun Kong and Xiaoyan Hong. ANODR: anonymous on demand rout- ing with untraceable routes for mobile ad-hoc networks. InProceedings of the 4th ACM Interational Symposium on Mobile Ad Hoc Networking and Computing, MobiHoc 2003, Annapolis, Maryland, USA, June 1-3, 2003, pages 291–302. ACM, 2003

  17. [17]

    Atom: Horizontally scaling strong anonymity

    Albert Kwon, Henry Corrigan-Gibbs, Srinivas Devadas, and Bryan Ford. Atom: Horizontally scaling strong anonymity. InProceedings of the 26th Symposium on Operating Systems Principles, Shanghai, China, October 28-31, 2017, pages 406–422. ACM, 2017

  18. [18]

    Rangzen: Anonymously Getting the Word Out in a Blackout

    Adam Lerner, Giulia Fanti, Yahel Ben-David, Jesus Garcia, Paul Schmitt, and Barath Raghavan. Rangzen: Anonymously getting the word out in a blackout.CoRR, abs/1612.03371, 2016

  19. [19]

    Piotrowska, Jamie Hayes, Tariq Elahi, Sebastian Meiser, and George Danezis

    Ania M. Piotrowska, Jamie Hayes, Tariq Elahi, Sebastian Meiser, and George Danezis. The loopix anonymity system. In Engin Kirda and Thomas Ristenpart, editors,26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, August 16-18, 2017, pages 1199–1216. USENIX Association, 2017

  20. [20]

    Choffnes, Stevens Le Blond, and Bryan Ford

    Amogh Pradeep, Hira Javaid, Ryan Williams, Antoine Rault, David R. Choffnes, Stevens Le Blond, and Bryan Ford. Moby: A blackout- resistant anonymity network for mobile devices.Proc. Priv. Enhancing Technol., 2022(3):247–267, 2022

  21. [21]

    Towards an information theoretic metric for anonymity

    Andrei Serjantov and George Danezis. Towards an information theoretic metric for anonymity. InInternational Workshop on Privacy Enhancing Technologies, pages 41–53. Springer, 2002

  22. [22]

    ARM: anonymous routing protocol for mobile ad hoc networks.Int

    Stefaan Seys and Bart Preneel. ARM: anonymous routing protocol for mobile ad hoc networks.Int. J. Wirel. Mob. Comput., 3(3):145–155, 2009

  23. [23]

    Vuvuzela: scalable private messaging resistant to traffic analysis

    Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zel- dovich. Vuvuzela: scalable private messaging resistant to traffic analysis. In Ethan L. Miller and Steven Hand, editors,Proceedings of the 25th Symposium on Operating Systems Principles, SOSP 2015, Monterey, CA, USA, October 4-7, 2015, pages 137–152. ACM, 2015

  24. [24]

    Efficient linkable ring signatures: New framework and post-quantum instanti- ations

    Yuxi Xue, Xingye Lu, Man Ho Au, and Chengru Zhang. Efficient linkable ring signatures: New framework and post-quantum instanti- ations. In Joaqu ´ın Garc´ıa-Alfaro, Rafal Kozik, Michal Choras, and Sokratis K. Katsikas, editors,Computer Security - ESORICS 2024 - 29th European Symposium on Research in Computer Security, Bydgoszcz, Poland, September 16-20, 2...