HashCloak's Blog

After a lot of teasing and many months of research and fumbling around Cairo, we are thrilled to announce Starkacy, a library specifically crafted to deliver starknet-friendly privacy primitives. Our goal is to provide a set of easy to use and understand primitives that can help developers achieve specific privacy goals depending on their application. Starkacy currently targets Cairo 0.10.

Why Starkacy?

We noticed that many efforts in the Starknet ecosystem for providing developers privacy revolved around porting well-known cryptographic primitives to work directly within Cairo. Libraries such as Garaga focus on optimizing well-known zkSNARK primitives to be executed efficiently in Cairo. We believe that this is a reasonable approach to take for several reasons. First, zkSNARKs researchers and developers have spent the past decade inventing and implementing ZK friendly primitives to the point that we now have standard curves, hash functions, etc used solely for this purpose. Second, integrating with well-established frameworks such as circom and arkworks bridges the gap for developers that are already familiar with those popular zkSNARK development frameworks. However, this approach doesn't intrinsically leverage the environment Cairo provides, namely, a STARK-based VM with a tailored cryptography stack. Hence, this is where Starkacy comes in!

What does Starkacy provide?

Starkacy aims to leverage Cairo's environment in order to build purpose built privacy primitives for the Starknet ecosystem.

So far, we have built and designed the following for Starkacy:

• Starkjub: A twisted edwards curve in which the underlying field is the stark curve.

• Lokum: A pairing-friendly curve generated using cocks-pinch that embeds the stark curve

• Schnorr signatures: A signature scheme that is a common building block for many privacy preserving applications (e.g. PrivacyPass)

And more to come...

Next Steps

Starkacy is currently in research and development phase. As such, the protocols we end up adding to Starkacy are based upon the feedback we receive from Starknet developers, researchers and other community members. Community engagement is a cornerstone of this endeavor, as we highly value your input. We invite developers, researchers, and StarkNet enthusiasts to share their privacy concerns and needs, which will play a pivotal role in refining Starkacy's capabilities. Your contributions will be instrumental in shaping Starkacy as a cutting-edge privacy solution within the StarkNet ecosystem.

Looking forward, we are committed to continually updating and expanding Starkacy. Our roadmap includes the integration of additional cryptographic primitives, refining existing features, and adapting to newer Cairo versions. Collaboration is also a key driver for us. We welcome partnerships with projects and institutions that share our goal of a secure and privacy-centric StarkNet. By pooling our resources, we can expedite Starkacy's progress and contribute to an even more robust and user-centric decentralized ecosystem.

You can check out Starkacy's Github repository here.

By Brian Sutioso

Any development team will come across many different kinds of bugs that are hard to eliminate. In this post, we will try to tackle one of the most common problems most programmers will face: race conditions. Using multiple threads in a computer program may serve as a convenient way of increasing performance by allowing tasks to run in parallel. This is especially useful in computers with multiple processors but it comes with the cost of potential race condition errors.

What are race conditions?

Data races occur when a system outputs an undesirable result due to improper sequencing of events. In Go, this happens when more than one goroutine accesses a value more than once. This results in a ‘race’ to modify the value which, when executed incorrectly, will cause a logical error.

For example, consider a program with the following order. We start with an integer 100, subtract 50, then divide the result by 2. Now if we put the first and second operation into separate goroutines and run them in parallel, chances are that the final integer will end up being 0 instead of 25.

Mutexes and WaitGroup

When performing an audit, it is important to note the uses of mutexes and waitgroups. Also note that there are two forms of locking in Go: coarse-grained and fine-grained. Coarse-grained locking involves locking an entire data structure with one lock while fine-grained locking focuses on locking individual components of a data structure.

Mutexes provide a thread safe way of accessing a shared resource. Think of mutexes as locks with a single key scenario. When a goroutine attempts to manipulate a particular value, mutexes ensure that it is unlocked before allowing any modifications. It then locks the data value to prevent other goroutines from making changes. This ensures that operations flow in the correct order as intended.

WaitGroup allows a program to wait for a set of concurrent operations to complete before executing the following lines of code. It emulates a thread-safe counter which keeps track of the number of goroutines to complete before it exits. This is done by using the Add function to increment the counter and calling the Done function within a goroutine to decrement it. The Wait function is used to block until the counter hits 0.

How to find race conditions in Go programs

1. Extensive logging: Verbosely printing out every variable manipulation proves a simple but effective manner of keeping race conditions in check. In the event of a blocking program, you would be able to pinpoint the location of error easily by looking at debug logs and mapping out what happens sequentially.

2. Go -race flag: Go provides a race detector you can use to check for race conditions. Add a -race flag in the command line and let Go do the work. (Note: Go only detects race conditions when it is consistently occurring)

3. Concurrent test cases: It’s as simple as it sounds. Running a function in a goroutine 20 times tests for concurrency well. Especially when done with extensive logging.

4. Read through the code: Make sure every value is properly locked before manipulating it in a goroutine. Refer to Mutexes and WaitGroups to see how concurrency can be achieved in a multithreaded scenario.

Let’s take a look at Meson as an example

One of the important ways of ensuring concurrency is by making sure every data structure is thread-safe. We can take a look at a queue data structure within the Meson codebase that is specially designed as an egress FIFO queue for messages sent by the client.

// Queue is our in-memory queue implementation used as our egress FIFO queue

// for messages sent by the client.

type Queue struct {

sync.Mutex

content   \[constants.MaxEgressQueueSize\]Item

readHead  int

writeHead int

len       int

}

// Push pushes the given message ref onto the queue and returns nil

// on success, otherwise an error is returned.

func (q *Queue) Push(e Item) error {

q.Lock()

defer q.Unlock()

if q.len >= constants.MaxEgressQueueSize {

	return ErrQueueFull

}

q.content\[q.writeHead\] = e

q.writeHead = (q.writeHead + 1) % constants.MaxEgressQueueSize

q.len++

return nil

}

// Pop pops the next message ref off the queue and returns nil

// upon success, otherwise an error is returned.

func (q *Queue) Pop() (Item, error) {

q.Lock()

defer q.Unlock()

if q.len <= 0 {

	return nil, ErrQueueEmpty

}

result := q.content\[q.readHead\]

q.content\[q.readHead\] = &Message{}

q.readHead = (q.readHead + 1) % constants.MaxEgressQueueSize

q.len--

return result, nil

}

// Peek returns the next message ref from the queue without

// modifying the queue.

func (q *Queue) Peek() (Item, error) {

q.Lock()

defer q.Unlock()

if q.len <= 0 {

	return nil, ErrQueueEmpty

}

result := q.content\[q.readHead\]

return result, nil

}

From this code snippet, we can clearly see that the data structure requires the employment of coarse-grained locking. For every push, pop, or peek operation, the queue needs to be locked and unlocked. This prevents any of the fields in the data structure from being modified in multiple threads at the same time.

However, more concretely, how do we test for concurrency issues? If we scan through the codebase, the main potential for race conditions would lie in the send functions in client/send.go.

func (s *Session) sendDropDecoy() {
	s.log.Info("sending drop decoy")
	serviceDesc, err := s.GetService(cConstants.LoopService)
	if err != nil {
		s.fatalErrCh <- errors.New("failure to get loop service")
		return
	}
	payload := make([]byte, constants.UserForwardPayloadLength)
	id := [cConstants.MessageIDLength]byte{}
	_, err = io.ReadFull(rand.Reader, id[:])
	if err != nil {
		s.fatalErrCh <- errors.New("failure to generate message ID for drop decoy")
		return
	}
	msg := &Message{
		ID:        &id,
		Recipient: serviceDesc.Name,
		Provider:  serviceDesc.Provider,
		Payload:   payload[:],
		WithSURB:  false,
		IsDecoy:   true,
	}
	s.doSend(msg)
}

func (s *Session) sendLoopDecoy() {
	s.log.Info("sending loop decoy")
	serviceDesc, err := s.GetService(cConstants.LoopService)
	if err != nil {
		s.fatalErrCh <- errors.New("failure to get loop service")
		return
	}
	payload := make([]byte, constants.UserForwardPayloadLength)
	id := [cConstants.MessageIDLength]byte{}
	_, err = io.ReadFull(rand.Reader, id[:])
	if err != nil {
		s.fatalErrCh <- errors.New("failure to generate message ID for loop decoy")
		return
	}
	msg := &Message{
		ID:        &id,
		Recipient: serviceDesc.Name,
		Provider:  serviceDesc.Provider,
		Payload:   payload[:],
		WithSURB:  true,
		IsDecoy:   true,
	}
	defer s.incrementDecoyLoopTally()
	s.doSend(msg)
}

// SendUnreliableMessage asynchronously sends message without any automatic retransmissions.
func (s *Session) SendUnreliableMessage(recipient, provider string, message []byte) (*[cConstants.MessageIDLength]byte, error) {
	msg, err := s.composeMessage(recipient, provider, message, false)
	if err != nil {
		return nil, err
	}
	err = s.egressQueue.Push(msg)
	if err != nil {
		return nil, err
	}
	return msg.ID, nil
}

func (s *Session) BlockingSendUnreliableMessage(recipient, provider string, message []byte) ([]byte, error) {
	msg, err := s.composeMessage(recipient, provider, message, true)
	if err != nil {
		return nil, err
	}
	sentWaitChan := make(chan *Message)
	s.sentWaitChanMap.Store(*msg.ID, sentWaitChan)
	defer s.sentWaitChanMap.Delete(*msg.ID)

	replyWaitChan := make(chan []byte)
	s.replyWaitChanMap.Store(*msg.ID, replyWaitChan)
	defer s.replyWaitChanMap.Delete(*msg.ID)

	err = s.egressQueue.Push(msg)
	if err != nil {
		return nil, err
	}

	// wait until sent so that we know the ReplyETA for the waiting below
	sentMessage := <-sentWaitChan

	// if the message failed to send we will receive a nil message
	if sentMessage == nil {
		return nil, ErrMessageNotSent
	}

	// wait for reply or round trip timeout
	select {
	case reply := <-replyWaitChan:
		return reply, nil
	// these timeouts are often far too aggressive
	case <-time.After(sentMessage.ReplyETA + cConstants.RoundTripTimeSlop):
		return nil, ErrReplyTimeout
	}
	// unreachable
}

Here, we can see that we have several functions to send messages. First, we set up a register function to set up the configurations. Then, we can go straight into testing.

package client

import (
	"fmt"
	"testing"
	"time"

	"github.com/hashcloak/Meson/client/config"
	"github.com/katzenpost/client/utils"
)

func register() (*Client, *Session, *utils.ServiceDescriptor) {
	cfg, err := config.LoadFile("client_test.toml")
	if err != nil {
		panic(err)
	}
	_ = cfg.UpdateTrust()

	_ = cfg.SaveConfig("client_test.toml")

	linkKey := AutoRegisterRandomClient(cfg)

	c, err := NewFromConfig(cfg, "echo")
	if err != nil {
		c.Shutdown()
		panic(err)
	}

	s, err := c.NewSession(linkKey)
	if err != nil {
		c.Shutdown()
		panic(err)
	}

	serviceDesc, err := s.GetService("echo")
	if err != nil {
		c.Shutdown()
		panic(err)
	}

	return c, s, serviceDesc
}

func TestBasicBlockingSend(t *testing.T) {
	c, s, serviceDesc := register()

	fmt.Printf("Sending Sphinx packet payload to: %s@%s\n", serviceDesc.Name, serviceDesc.Provider)
	resp, err := s.BlockingSendUnreliableMessage(serviceDesc.Name, serviceDesc.Provider, []byte(`Data encryption is used widely today!`))
	if err != nil {
		c.Shutdown()
		panic(err)
	}
	payload, err := ValidateReply(resp)
	if err != nil {
		c.Shutdown()
		panic(err)
	}
	fmt.Printf("Return: %s\n", payload)

	c.Shutdown()
}

func TestBasicNonBlockingSend(t *testing.T) {
	c, s, serviceDesc := register()

	fmt.Printf("Sending Sphinx packet payload to: %s@%s\n", serviceDesc.Name, serviceDesc.Provider)
	id, err := s.SendUnreliableMessage(serviceDesc.Name, serviceDesc.Provider, []byte(`Data encryption is used widely today!`))
	if err != nil {
		c.Shutdown()
		panic(err)
	}
	fmt.Printf("Return: %s\n", id)

	c.Shutdown()
}

func TestSendingBlockingConcurrently(t *testing.T) {
	c, s, serviceDesc := register()
	done := make(chan struct{})
	timeout := time.After(time.Second * 80)

	fmt.Printf("Concurrently Sending 20 Sphinx packet payloads to: %s@%s\n", serviceDesc.Name, serviceDesc.Provider)
	for i := 0; i < 20; i++ {
		go func(i int) {
			fmt.Printf("Iteration %d\n", i+1)
			resp, err := s.BlockingSendUnreliableMessage(serviceDesc.Name, serviceDesc.Provider, []byte(fmt.Sprintf("Data encryption is used widely today! Iteration: %d", i+1)))
			if err != nil {
				c.Shutdown()
				panic(err)
			}

			payload, err := ValidateReply(resp)
			if err != nil {
				c.Shutdown()
				panic(err)
			}

			fmt.Printf("Return: %s\n", payload)
			done <- struct{}{}
		}(i)
	}

	for i := 0; i < 20; i++ {
		select {
		case <-done:
		case <-timeout:
			c.Shutdown()
			panic("Timeout")
		}
	}

	c.Shutdown()
}

func TestSendingNonBlockingConcurrently(t *testing.T) {
	c, s, serviceDesc := register()
	done := make(chan struct{})
	timeout := time.After(time.Second * 80)

	fmt.Printf("Concurrently Sending 20 Sphinx packet payloads to: %s@%s\n", serviceDesc.Name, serviceDesc.Provider)
	for i := 0; i < 20; i++ {
		go func(i int) {
			fmt.Printf("Iteration %d\n", i+1)
			id, err := s.SendUnreliableMessage(serviceDesc.Name, serviceDesc.Provider, []byte(fmt.Sprintf("Data encryption is used widely today! Iteration: %d", i+1)))
			if err != nil {
				c.Shutdown()
				panic(err)
			}

			fmt.Printf("Msg ID: %s\n", id)
			done <- struct{}{}
		}(i)
	}

	for i := 0; i < 20; i++ {
		select {
		case <-done:
		case <-timeout:
			c.Shutdown()
			panic("Timeout")
		}
	}

	c.Shutdown()
}

func TestSendingDropLoopDecoy(t *testing.T) {
	c, s, serviceDesc := register()
	done := make(chan struct{})
	timeout := time.After(time.Second * 80)

	fmt.Printf("Sending 20 Drop and Loop decoys to: %s@%s\n", serviceDesc.Name, serviceDesc.Provider)
	for i := 0; i < 20; i++ {
		go func(i int) {
			fmt.Printf("Iteration %d\n", i+1)
			s.sendDropDecoy()
			s.sendLoopDecoy()

			done <- struct{}{}
		}(i)
	}

	for i := 0; i < 20; i++ {
		select {
		case <-done:
		case <-timeout:
			c.Shutdown()
			panic("Timeout")
		case <-s.fatalErrCh:
			c.Shutdown()
			panic("Fatal error")
		}
	}

	c.Shutdown()
}

The test cases above check for concurrency issues during sending blocking, non-blocking, drop, and loop messages. We can see that we employed a goroutine to run those functions 20 times every time the parent function is called. A 'done' channel is used to keep track of the number of times the goroutine successfully runs.

One potential red flag for a concurrency error within the code is when the timeout counter runs out. This happens when the 'done' channel blocks. (Which should not be occuring when running a thread safe function) Multiple logging should then be done to pinpoint the bugs.

Conclusion

In this article, we introduced the concept of race conditions along with important relevant terminologies. We also touched upon several methods in which we can catch concurrency bugs and worked through sample test cases that were used to audit Meson.

Check out the Meson repository by clicking this here!

It's been a long time (long time), we shouldn't have left you (left you) Without a dope mixnet to protect you, protect you, protect you, protect you *

After years of hard work, we are finally announcing the first Meson testnet release dubbed Steel Magnet🎉!

Why Steel Magnet? Well, steel magnets are a core component of cyclotrons which are particle accelerators in which meson particles are built. For more details, read this Wikipedia article.

Our first testnet will be simply a local testnet in which users and future node operators alike can experience what it feels like to use Meson. You can also use our wallet demo in order to experience what it's like to send cryptocurrency transactions through Meson!

This testnet will have support for Ethereum, Ethereum testnets and major L2s such as Optimism and Arbitrum. Further, with our wallet demo, you can send your transactions privately using one of Ethereum's most popular privacy tool, Tornado.cash! Due to interest, we are currently in talks to support other blockchains such as Firo and Solana and will be adding support for ZK-Rollups on Ethereum in subsequent testnets!

Testnet Features

This first testnet is meant to test our PKI system , Katzenmint, on a larger scale. Katzenmint is a Tendermint-based PKI system for managing mix nodes building upon the Katzenpost directory authority. This will be the first of many testnets in which we push the limits of Katzenmint.

We will be writing more about our design of Katzenmint and how it differs from other directory authorities in other anonymity systems.

The road ahead

The road to Meson will be long and we want to bring everyone along with us.

Here is a short overview of the road ahead and what other features will be included in subsequent testnets

Internal Audit

At HashCloak, we've been heads down trying to make Katzenmint work and get rid of glaring bugs out of our prototype of Katzenmint. However, since we are building upon the Katzenpost mixnet project, we will be taking the time to take a critical look at the code and seeing where it fails with respect to privacy, anonymity, and code quality. We will be writing more about the process of auditing anonymity networking software, so stay tuned.

Dynamic tuning

Mixnets are really nice in that they scale vertically and horizontally better than most anonymity systems. However, there is no free lunch. When more nodes are added, there are diminishing returns with respect to how large the anonymity sets for messages can be and latency. Add too many mix nodes and you risk the chance of making it easier to de-anonymize messages if there isn't enough traffice. Add too little nodes when traffice increases and then you risk the chance of increasing the latency of messages passing through the mixnet. In both cases, since our use case is blockchain transactions, users risk not only potentially missing out on interesting on-chain opportunities but might also lose some anonymity in the process!

This problem is commonly referred to as dynamic tuning of mix network parameters. In other words, how do we ensure that at a given time, there are enough mix nodes on the network to maximize anonymity while minimizing latency for messages that go through the mixnet? We have been working on this problem for quite a while and will soon enter the prototyping phase for our ideas and then integrate these ideas in a subsequent testnet.

Incentivization

Anonymity networks traditionally have relied on altruistic people running nodes for the greater good of the network. In practice, this has worked out quite well for anonymity networks like Tor. However, running these kinds of nodes is very resource intensive and we should aim to lessen the load on people who decide to participate in a cutting edge anonymity system.

With the advent of alternate funding models facilitated by cryptocurrencies, we will be experimenting with ways (beyond just launching a shitcoin!) in how to ensure that participants in Meson can be compensated!

Running the testnet

In order to run the testnet locally, do the following:

1. Clone Meson repository $ git clone https://github.com/hashcloak/Meson.git

2. Checkout to monorepo branch $ git checkout monorepo

3. Build containers $ python plugin/ops/build_containers.py

4. Start testnet

$ cd testnet/local
$ docker compose up

1. Execute ping test

$ cd ping
$ go run main.go -s echo

More details are available at docs.mesonmix.net.

Keeping in touch

If you want to keep in touch with the Meson project, you can follow us on Twitter @MesonMixnet. If you want to follow the developement and research discussions, please join us on Element.

*Reference for this quote: Aaliyah – Try Again

At HashCloak, we've been leveraging the work done in Katzenpost to build Meson, a mix network for cryptocurrency appplications. We've recently released our first testnet, Steel Magnet, after many years of R&D and debugging. As such, the Meson codebase is relatively small and contains code that we are now intimately familiar with. We figured this would be the best time to start thinking about the security of our anonymous network and prepare for our first internal audit.

In the midst of our research into this, we quickly learned that anonymous networking software doesn't get auditing to the same degree (if at all) as smart contracts or other blockchain enabled software. As such, we have decided to document our efforts in auditing Meson through this multi post blog series. We will be detailing our approach and any resources we develop with the goal of 1) educating others on how anonymous networking should be audited and 2) providing reassurance and transparency to supporters of Meson that at HashCloak, we take the security and privacy of our privacy software very seriously. In this first post, we will be going through our current plans and approach for how we aim to tackle auditing Meson.

The Beginning

As a first step, we started looking into how other well-known anonymity networking software handles audits and external code reviews. We started looking at software that was adjacent to Meson such as Tor, I2P, various VPNs and other mixnet competitors (Nym, Oxen, HOPR, etc). We quickly noticed that mainly only the VPN services had engaged external third parties to audit their software (often times clients, web browser extensions, etc) but the other kinds of privacy adjacent software rarely did this. In the case of Tor, the most famous anonymity networking software of all time, there is a vibrant academic community that seeks to find bugs in both its design and implementation and as such, Tor gets regularly looked at from a diverse set of stakeholders. Even though this doesn't necessarily count as a audit in the traditional sense, this approach has provided very valuable research and it may be possible to find similar bugs in Meson. To a smaller extent, the same can be said of I2P.

However, for the other projects, there have been no publicly published audits regarding the actual client and server software underpinning their networks. When there are audit reports available, it was mainly regarding the smart contract functionality needed for payments and other node management functionality (scalability, credentials, etc). We quickly realized that we will need to develop our own checklists of what to look out for and read more deeply into bugs that have affected previous networks in order to better adapt them to Meson and see how they might translate.

Since everyone on the Meson team at HashCloak has experience auditing software, we already had the skills needed to predict what areas would need more scrutiny and how to conduct research for security-related topics. This would be the first time we would need to develop our own set of resources without relying on the shoulders of giants. So, we set out to gather as much info as we can on anything adjacent to the security of anonymous networking software. We gathered audit reports of VPN clients, CVEs affecting various networks, academic papers, etc. We are still in the process of combing through all of these resources that we gathered. Over the course of this blog post series, we will be detailing our findings and hopefully these findings helps other projects better secure their networks as well.

Our current progress

So far in our process, we have compiled a list of basic things that we should check for no matter what. This minimal list will most likely be a mainstay for every single audit we do for Meson and any anonymous networking code that comes our way as part of our consulting business. You can find our current checklist here.

We will do a quick walkthrough of the checklist. Note that this list is ever evolving and we will be updating it as we learn more about auditing anonymous networking software.

Check and Update Dependencies

Dependencies are often a way in which vulnerabilities creep into a codebase. For every single dependency that we have, we will analyze to see if it needs to be updated or even if we can implement it ourselves and integrate it into the codebase. If we simply need to update it, we will ensure that any code that breaks as a result is confined to a staging branch. If we realize that it may be better for us to fork it or reimplement the functionality, we will take into account the extra time we need for our roadmap.

Set up a fuzzing harness

Fuzzing is a testing technique in which one's code is given arbitrary inputs in order to cause unexpected behavior in the code. The goal is to find areas of the code that hasn't been sufficiently hardened. This will most likely be an ongoing tasks as the codebase gets larger. Once we have a larger scale testnet, we will be using the testnet data to form our corpus to build our fuzzer with.

Check logs for info leaks

Logs are a common source of information leakage in security sensitive applications. These are usually the result of developers adding log messages in order to ease the debugging process but forget to omit them for production releases.

Ensure that installation doesn't escalate privileges

This item mainly relates to when users download a program with Meson embedded such as a cryptocurrency wallet. During the installation process, any executables that contain Meson should be only modifiable by privileged users on that machine. Otherwise, a normal user might have the ability to overwrite executables and escalate privileges.

Check for time of check and time of use bugs

Time of check and time of use bugs are a category of race condition bugs that hard to protect against in large scale distributed systems. The race condition occurs when there is a time gap between when a condition is checked and then that condition is leveraged to execute some code.

Check input and output sanitization

The inputs and outputs of certain operations need to be processed before they are used throughout the codebase. Otherwise, it might be result in intentionally malformed inputs or ouputs being able to trigger undefined behavior within a program. Further, sensitive data can be contained within inputs/outputs and these should be removed accordingly.

Check that Prometheus and Grafana ports are not easily accessible to an attacker

We make heavy use of Prometheus and Grafana for instrumentation and providing Meson node operators with as much information as possible about the state of their nodes. Prometheus and Grafana expose ports in order for the node operator to query data and display it as they see fit. We see this as a potential avenue for information leaks and unauthorized access. As such, we need to ensure that we are not introducing any problems into the Meson codebase by relying on these tools.

Check for the usual cryptography bugs

As Meson is a fork of Katzenpost and Katzenpost relies on many cryptographic protocols for various aspects of its designs, cryptographic implementation bugs can easily creep in. This category of bugs is very familiar to us as we find these bugs through our consulting engagements.

Check container configurations

For easily deploying Meson nodes, we provide docker containers for prospective node operators to use. As with using Prometheus and Grafana, we have similar concerns with potential information leaks and unauthorized access to containers.

Check for signature validation

Signature validation is a common area in which bugs creep into such codebases, that we felt that it warranted its own bulletpoint as opposed to being put together with cryptographic implementation bugs or time of check and time of use bugs. Signatures are used throughout Meson to provide authentication, integrity and confidentiality. As such, signatures need to be validated in order to minimize the risk that any of these properties are broken.

Once we have more items and have added more details, we will most likely create a separate community Github repository with this information so that other teams can check their code against this checklist.

Conclusion

That's the end of our first post in this series as we aim to build a good security foundation for Meson. Stay tuned for the next post! If you have any feedback about anything relating to auditing anonymous networking software, please let us know on Github by commenting on our issue , our Element Community or Tweet at us @MesonMixnet!

After months of trying to grokk MPC VMs as implemented in MP-SPDZ and SCALE-MAMBA, we are finally ready to publicly announce StoffelMPC!

StoffelMPC aims to be a framework for building MPC as a sidechain applications in order to enable blockchain developers to build more expressive, confidential applications.

StoffelMPC is still very much a work in progress and the repo is quite empty (all the work is in branches though if you wish to ponder engineering design decisions). However, we will now be working more in public as we have figured out one of the harder aspects of the system, virtual machines designed for MPC computation.

Over the next few weeks, we will be going deep into the design of how it all comes together and some potential important applications for the blockchain space.

If you are interested in learning more, you can follow us on Twitter, and watch our github repo. If you are interested in potentially building applications using the framework, then you can fill out our developer survey.

We are also hiring for a junior research engineer to help us build StoffelMPC. Here is the job posting.

Special Thanks to the folks at the Decentralized Systems Lab for working on this problem for years and without their work, we would not be able to pursue this work

Written by Yahsin Huang

An update about HashCloak team research projects as well as development progress over the past month.

This post marks the first of HashCloak update posts. We will share some of the projects we have been working on, highlight our recent client work, as well as announce some of the research grants we received this past month.

Meson mixnet project

Github repo: https://github.com/hashcloak/Meson

Meson mixnet project is one of the main internal projects we have been focusing on over the past year. Our goal is to build a multi-chain mix network focused on bringing network-level privacy to cryptocurrency transactions. It's based on the Katzenpost software project, which is a series of software libraries for building mixnets.

It currently supports Binance Chain and Ethereum (and its derivatives!). It has received funding from the Binance X Fellowship and the Ethereum Foundation.

For the past year or so, we have been working on mix network R&D which has mainly focused on designing a new mix network PKI called Katzenmint. The implementation of Katzenmint is ongoing and you can follow its development on Github. In addition to the implementation, we will also be publishing a paper draft of the Katzenmint PKI design. In the coming months, we will be launching a more public facing but limited testnet launch for Meson, along with more of our mixnet R&D coming to fruition. Stay Tuned!

HoneyBadgerSwap project

Github repo: https://github.com/initc3/HoneyBadgerMPC

HoneyBadgerSwap is an AMM-based dark pool built using MPC. The goal of the project is to demonstrate the paradigm of using MPC as a sidechain for building more expressive confidential applications on Ethereum. The work was done in conjunction with the Decentralized Systems Lab at UIUC under the leadership of PhD Student Yun Qi Li. Stay tuned for a more formal paper along with more interesting applications of this paradigm!

SoK paper on Universal SNARKs

In order to provide newcomers to the world of SNARKs, for the past year, we have been writing an SoK on universal SNARK constructions, lead by Karl Yu. We will be posting a draft on eprint in the coming months.

PIR library

We have been focusing on developing an ecosystem for using and programming private information retrieval protocols (PIR). The goal is to usher into the world easy to use and scalable PIR implementations that hopefully other developers can use for their applications.

For us, we will be using PIR for several of our current future projects such as Meson and privacy-preserving light clients. Stay tuned for a separate announcement about this!

Grant announcements

We have received two grants this past year for our privacy research. The first, given by Flashbots, was given for our ongoing work on providing mempool privacy and developing alternatives for using SGX in flashbots. The second, given by the Interchain foundation, was given for our work on integrating IT-PIR protocols into Tendermint for our Katzenmint PKI.

Audit reports for clients

Conducted a security audit on Hakka Finance products' smart contracts, as well as a mathematical analysis on the formulas in the Hakka Finance's iGain whitepaper. Ping Chen, the founder of Hakka Finance, expressed his appreciation for our work in a tweet.

Big thanks to @hashcloak for their comprehensive and in-depth analysis report. It benefits not only users' funds' security but also us learning a lot during the audit.

The audit includes iGain, Hakka Intelligence, vesting, and reward contract.https://t.co/rTOhsWSj0T

— ping.eth (@PingChenTW) April 28, 2021

The audit report is publicly viewable on Github: https://github.com/hakkafinance/audit-reports/blob/main/Hakka%20Finance%20Urban%20Giggle%20Audit.pdf

Community

On April 14, Er-Cheng Tang, our Taiwan-based research engineer, gave a 20-minute talk on challenges in Internet anonymity at a Taipei Ethereum event. Watch the recorded presentation on YouTube.

On May 20, research engineer Er-Cheng gave a 30-minute talk, entitled “Interactive Oracle Proof of Proximity for Reed-Solomon Code,” discussing FRI protocol and its proof (Fast Reed-Solomon Interactive Oracle Proofs of Proximity) to an audience at Papers We Love Taipei group's first online event. Event link: https://www.meetup.com/Papers-We-Love-Taipei-Taiwan/events/277916656/

Written by HashCloak Inc

Note that this article was originally posted the now defunct original HashCloak blog on November 15, 2019. Many things have changed since this was written and we will be updating you all soon!

One of the Achille's heels of Ethereum is its lack of privacy guarantees, both on-chain and at the network layer. Although the former has been addressed by a few well-known projects, very little has been focused on the latter. Being able to provide censorship and metadata-resistant network privacy is important for protecting Ethereum users' privacy. This lack of network layer privacy doesn't only affect Ethereum, it affects ALL Ethereum-based chains i.e. forks of Ethereum. In order to address this, we are announcing Meson, a mix network for all Ethereum-based networks.

What is a Mix Network?

A mix network (mixnet for short) is a kind of anonymous communication network that aims to be resistant to traffic analysis and censorship. They are designed to be resistant against a global passive adversary (think 3 letter agencies in your country of choice). A mixnet consists of a series of cryptographic relays that remove unlinkability of sender to receiver of messages through layered encryption and cryptographic shuffling techniques. This means that mixnets provide anonymity for modern, realistic threats. Mixnets were first introduced by David Chaum in 1981 and has inspired the design of many anonymous communication protocols used today.

Meson is built upon the Katzenpost mix network. Katzenpost is a project funded by the EU's Horizon R&D programme. Its development is led by a team of anonymous communications experts. It uses many recently designed constructs such as the Sphinx packet format and uses elements from well-known protocols for its design such as the Loopix Anonymity System and Tor. For an introduction to the Katzenpost mixnet, this video by David Stainton provides a great overview of the system and its tradeoffs.

In particular, providers will run multiple instances of the Meson plugin, configured for as many Ethereum-based chains it wants i.e. for multiple chain IDs. Clients can compose a SPHINX packet that contains a raw Ethereum transaction as its payload. This packet gets sent to the mixnet, to one of the providers running the Meson plugin. The providers then relay this transaction to the Ethereum mainnet (or one of its derived chains). This act removes a user's network interactions with its on-chain interactions. A great compliment to the recent advances to on-chain privacy on Ethereum!

If you want to learn more about mix networks and anonymous communication protocols in general, this talk by Claudia Diaz is a great introduction.

Why a Mix Network? Can't you just use Tor?

Short answer: Yes, you can but ... probably shouldn't! It's complicated! Long answer: Tor is a well-known low-latency anonymous communication network that makes use of onion routing for masking traffic. To access Tor, users usually download the Tor browser and browse the Internet through that. There are 3 main reasons that we'll go into why Tor isn't a good idea for cryptocurrency transactions: its scaling problems, its threat model and the fact that using Tor in non-recommended ways can do more harm than good.

First, scaling in Tor is actually an important issue. Although it has improved tremendously in the past few years, it's still a problem for regular users. One of the main reasons for this is that Tor uses source routing to route messages through its network. This means that at the start of communication, the initiator has to choose the full path to which traffic gets sent. The use of source routing actually makes Tor resistant to failure of routers. However, it does mean that initiators need a complete view of the network at any given time. This translates to users having to periodically download a bunch of router specific information such as the full list of routers, their public keys, etc.

Second, Tor's threat model doesn't handle global passive adversaries. For many users, this may not be of concern. But, as recent news shows, global passive adversaries have been able to figure out a bunch about Tor users' activities through metadata leakage. So, this kind of threat is no longer mythical but indeed realistic.

Lastly, the best way to use and access Tor is through its bundled browser. If you do everything right and given that you have a reasonable threat model, accessing Tor through the Tor browser is pretty safe. The Tor team has done a great job at making Tor usable and accessible through its browser. However, once one leaves this nice sandbox, it's very easy to mess up and undo all this hard work. There have been efforts to make torifying applications easier such as Torsocks, it's still pretty easy to mess this up. One of the main goals of Meson is to make it easy to integrate network-level anonymity in a developer's mixer or wallet app. Having to learn the intricacies of the Tor network increases the burden on the developers. Although, it is noted that one should have a decent understanding on these networks anyway! Moreover, it has been shown that using Tor for cryptocurrency transactions can be bad for the network. Even though that paper specifically talks about Bitcoin, the lessons can apply to many other networks.

Roadmap

Meson is a work-in-progress. The first step towards making Meson a reality is a long-lived testnet. This will help us find what configurations we need for a production ready mixnet and help the Katzenpost team with the development of their software. Other things in our roadmap include: – Different language bindings: Many of the most popular wallets and mixers are written in languages aimed for web and mobile development. If we want Meson to be adopted by all wallets, wallet developers need to be able to plug it into their codebases with ease. – Coordination between various communities that use Ethereum's codebase so that there are multiple providers running the Meson plugin aimed at various chain IDs. – Helping the Katzenpost team with maintenance of the Katzenpost software. – Continuous funding through a payment network (or other decentralized mechanisms) – Contribute to mixnet!

Special thanks to David Staiton for taking the time to help us through Katzenpost and Goncalo Pestana for the helpful discussions and PR reviews!