I recently heard about the Nym mixnet and am researching it and the Sphinx packet format. So far it looks promising, but there is one thing I'm unsure of.

Networks like Tor use ephemeral keys to limit the length of time an adversary could compel each relay to reveal where it is routing the packets it receives to essentially the lifetime of the circuit the data is going over, making compulsion attacks effectively useless. As a result, an adversary can't just run a packet capture on your connection to your guard relay, get the guard relay to use its private key to decrypt the Tor cells to reveal the next hop, and repeat until the adversary knows the final destination of the packets, because the key used to encrypt the data is generated at circuit creation via DH and discarded at circuit teardown.

But with Nym, there is no notion of a mixnode collaborating with the sender to generate an ephemeral key to encrypt the data, because Nym sends each message independently, not over a circuit. Sphinx does do DH, but using data contained in each packet. As a result, anyone who can capture the packet on the wire and then compel the mixnode to give up its private key effectively can decrypt the message and reveal the next hop, because no interactivity is required with the sender to decrypt the message. As such, the PFS "lifetime" (i.e. the length of time after you send a message where an adversary could compel the nodes to decrypt it) is effectively the time between key rotations.

While this may not be particularly long and in many cases the time required to get a warrant and execute a search would be longer, I think it's prudent to assume if you're going up against a global adversary you really shouldn't rely on them having to bother with silly things like warrants to guarantee your security. As such, the relatively long lifetime of Nym's vulnerability to collusion attacks seems like a serious flaw.

Am I correct in this assessment? Is there some kind of PFS mechanism Sphinx provides that I'm missing?
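
The two key-agreement models contrasted in the question, as an added example that is not part of the original post: a simplified model over a toy Diffie-Hellman group. The modulus, base, labels and all function names are assumptions for illustration; real implementations use a vetted group, and the per-hop blinding of the Sphinx header element is omitted.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): arithmetic mod the prime 2**127 - 1, base 3.
# Not secure parameters; only the algebra of who contributes which secret matters here.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kdf(shared: int, label: bytes) -> bytes:
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()

def per_packet_key(node_pub):
    """Sender, per-packet model: fresh x, header element alpha = G^x, key from node_pub^x."""
    x, alpha = keypair()
    return alpha, kdf(pow(node_pub, x, P), b"hop")

def node_process(alpha, node_priv):
    """Node: derives the hop key from the header element and its own private key alone."""
    return kdf(pow(alpha, node_priv, P), b"hop")

def circuit_handshake():
    """Circuit model: both sides contribute a fresh share; returns the wire view and the key."""
    a, A = keypair()  # client share
    b, B = keypair()  # relay share, deleted at circuit teardown
    key = kdf(pow(B, a, P), b"circuit")
    assert key == kdf(pow(A, b, P), b"circuit")  # relay side derives the same key
    return (A, B), key

def recover_from_capture(captured_element, disclosed_priv, label):
    """What a recorded group element plus a later-disclosed private key yields."""
    return kdf(pow(captured_element, disclosed_priv, P), label)

def demo():
    node_priv, node_pub = keypair()  # node key for the current rotation period
    alpha, hop_key = per_packet_key(node_pub)
    per_packet_exposed = recover_from_capture(alpha, node_priv, b"hop") == hop_key
    (A, B), circuit_key = circuit_handshake()
    relay_id_priv, _ = keypair()  # long-term identity key; only authenticates in this model
    circuit_exposed = any(
        recover_from_capture(e, relay_id_priv, b"circuit") == circuit_key for e in (A, B)
    )
    return per_packet_exposed, circuit_exposed

if __name__ == "__main__":
    print(demo())
```

In this model the per-packet hop key stays derivable from a capture for as long as the node's private key exists, so the exposure window is bounded by key rotation and secure deletion of the old key, while the circuit key depends on shares that neither side keeps after teardown.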

0 Answers