From: ghsvax!hal@uunet.UU.NET (Hal Finney)
Date: Wed, 25 Nov 92 16:07:41 PST
To: cypherpunks@toad.com
Subject: Re: An easy-to-reply anonymous mail scheme
Message-ID: <9211252352.AA01919@nano.noname>
MIME-Version: 1.0
Content-Type: text/plain


The problem with the idea of posting anonymous mail to a newsgroup is
sheer volume.  Remember, we aim at a system where a large fraction of
mail is potentially being done this way.  Imagine if almost all email
was done today by posting to newsgroups!  There is probably thousands
of times as much email traffic as news traffic now.  It would totally
swamp the system.  You'd literally have to send every email message
sent by any user in the world to _every_ user in the world, in effect.

As Yanek says:

> You are guaranteed anonymity because no-one can find out who decrypted
> the alt.w.a.s.t.e message, since everyone received it.

This really won't scale to large numbers of users.  Yanek also writes:

> > Here is an example of how to use the cryptographic remailer at
> > <hal@alumni.caltech.edu> to implement an anonymous return address.
> 
> > But the again do you trust hal@alumni.caltech.edu...
> 
> With conventional remailer schemes such as this one, you are announcing
> your True Name (or at least your True Internet Mailbox) to someone you
> must trust. With my scheme (posted earlier today) you don't need to trust
> anybody except yourself (to not make a dumb mistake like including a
> signature).

This is why you would want to use a chain of remailers as your return
address, what Chaum calls a "cascade".  No single remailer sees the
correspondance between your anonymous address and your real address.
Only by breaking all of them can the bad guys find out who you are.
Ideally, remailers would operate in a variety of countries with
different laws, making it difficult to crack them all.

Remailers could be designed to periodically flush themselves, deleting
old keys and/or pseudonym maps.  This way anonymous addresses would
have a limited lifetime if desired, and the attackers would have only
a finite time window to break all the remailers involved.  (Different
keys/pseudonyms could have different lifetimes as needed.)

We could also imagine that there are lots of remailers - not just
dozens, or hundreds, but millions of them.  Maybe almost everyone runs
a "cheap" remailer on the side, collecting a few cents in digital cash
for each message they pass, enough to pay for their own messages.

Putting all this together, you could have an anonymous address which
passes through, say, 10 remailers which might be any of the millions
of remailers in the world.  It could have a limited lifetime of only a
few hours for some ultra-sensitive applications, with the remailers
involved flushing their databases after that time.  To break this, the
enemy would have to sequentially break into machines all over the
world, one after another, defeat any physical barriers (locks, men
with guns), overcome tamper-resistance in the computers, break the
encrypted files, and find out what the next step is in the address
cascade, all in a couple of hours.  This doesn't seem possible.

Hal
74076.1041@compuserve.com