\section{\cmix{} additions}
\label{sec:cmixaddtions}
The base protocol of \cmix{} has some issues\cite{galteland2016attacks}, thankfully these issues can be addressed at the cost of some speed and clarity. Because it would not be safe to use \cmix{} in real world applications without these attack mitigations. This implementation adds the extra messages needed as this results in a more realistic benchmark.

\subsection{Tagging attack}
\label{sec:tagging}
In a tagging attack an adversary changes a message slightly in such a way that it can later detect and reverse the change. This modification allows the attacker to track a message even though it has been permuted. By making the change reversible the adversary stays undetected. This type of attack and the mitigation being discussed here are described by Galteland et al.\cite{galteland2016attacks}

When you control the last node you can change the output of realtime precomputation phase slightly. You can do this by slightly changing your value of  $r$ in one slot of the input. You either combine the input with $r * i$, for cyclic group ElGamal, or $r + p$, for elliptic curve implementations. After all the realtime computations are done you have the plaintexts that you want to send to their destinations. If you can verify that one of the outputs is not valid, it probably is the value you modified with either $i$ or $p$. Now you know the slot this value occupied when it was send to the first node in the realtime phase. Then you  can reverse your tag by doing the reverse operation, which makes it undetectable by other nodes or any of the clients and thus compromises the network. Note that no node in \cmix{} is special. The claim is that when all but one node is compromised the network should still function as intended and keep your transmissions anonymous.

To stop this attack we need to change the protocol slightly as described in the paper by Galteland et al.\cite{galteland2016attacks}. First we need to change the third step of the precomputation phase. Instead of sending the decryption shares of each node to the next, we send a hash, a commitment to our decryption shares. The nodes keep the decryption shares to themselves, and will use them separately in the realtime phase. The last node also includes a hash of the current mix result. So the hash of the decryption of formula \autoref{eq:EPiRS}. This makes that an adversary can no longer tamper with the $r$ values in the realtime phase, which means an attacker can no longer apply the tag without being detectable by other nodes.