From: iang@cs.berkeley.edu (Ian Goldberg)
Date: Sun, 30 Jun 1996 02:56:47 +0800
To: cypherpunks@toad.com
Subject: Re: anonymous mailing lists
In-Reply-To: <01I6GF62YWG291VYF3@delphi.com>
Message-ID: <4r3k8g$8h@abraham.cs.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

In article <199606290404.XAA32220@manifold.algebra.com>,
Igor Chudov @ home <ichudov@algebra.com> wrote:
>How about this attack: suppose I want to find out who hides behind
>an alias MightyPig@alpha.c2.org and I have the ability to monitor
>all internet traffic. Then I simply start mailbombing that address
>and see whose account gets unusually high traffic volume.
>
>A nice, albeit quite expensive, way of pretection from traffic analysis
>is to create a mailing list (or a newsgroup) and forward all messages to
>all users of that mailing list or newsgroup. Of course, since messages
>are encrypted, only the recipients will be able to decrypt them.
>
>This way the list of suspects is all subscribers of that list or
>newsgroup and there is no way to discriminate them.
>
>Instead of having messages to be sent to all recipients all the time,
>alpha.c2.org may be programmed so that it sends out every message not to
>only one recipient X, but to X and 20 other randomly selected people.
>
>It apparently makes traffic analysis much harder.
>
>Then users of alpha.c2.org will have to install mail filters that
>automatically delete all incoming mail not intended to be read by them
>(they can't read such messages anyway).
>
>        - Igor.

[I'm copying this to remailer-operators.]

Yesterday, Dave and I discussed at length a design for a new remailer network.
It was motivated by the fact that, when I installed mixmaster, it mentioned
Diffie-Helman and direct socket connections as a "future expansion"
thing.  Well, IMHO, that time has come.  I wanted to hack mixmaster to
accept ecash postage for the last hop, anyway, so I may as well put in
the direct connection bits as well.

I'll post more about this when we've discussed it more (and with Lance),
and when I'm on a faster link to the net.  Basically, the idea is that every
remailer gets a copy of every encrypted message, using a randomized fill
algorithm, and D-H encrypted links.  If you're a remailer in this network,
and you get a message:

If you've seen this message before, drop it (this step needs more thought).
If you can decrypt the message, do so, and handle the decrypted copy (but
continue with the following steps with the original message anyway).
If you have a message waiting to be inserted into the remailer network,
drop the incoming message and take that message instead.
Take whatever message you have now, and queue it to be sent to 5 random
remailers.  Every so often, fill your queue to a constant size with dummy
messages, and send some (possibly smaller, randomly chosen) constant
number of them on their way.
All messages should, of course, be packetized to the same size, a la mixmaster.

The result of this is that, if you are a part of this network, it should
be impossible for anyone to tell when you receive a message, as opposed
to anyone else in the network (think alt.anonymous.messages, but where
the links are D-H encrypted, and you have a news feed to your own
machine, and the message sizes are all the same, and so on...).  This is
perfect for making nyms.

Sender anonymity is achieved by chaining.  If you are part of the network,
you can always claim that a message you sent was just one you received from
somewhere else (you used D-H to get the messages, so you can't identify
from where, though).

So if you're part of the network, it would seem you are indistinguishable
from anyone else on the network.  Here is where the tradeoff occurs.
How big should the network be?  If it's too small, the above anonymity
doesn't gain you much.  If it's too big, you may not be able to handle
all of the remailer traffic.

Also, what are the issues for people who aren't on the network?  It will
be very hard to prevent people from noticing that they're sending a
message to the network, or receiving one from it, so it seems the best we can
do is to avoid letting someone be able to link incoming messages to outgoing
ones.  A way to help this is to have a (smaller) number of nodes be the
only ones which send mail _out_ of the network.  One idea which I'd like to
try is having that last remailer charge postage in order to send mail out.
After all, he is the one who will take the "heat" for the anon message,
probably.  By concentrating the outgoing messages, it should be easier
to do the latency and reordering tricks.

   - Ian

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMdVUL0ZRiTErSPb1AQH3mAQAhf0Lgh2cpahbF8JrB+hhD8ZP3oV3v9bA
UsfRFEV+vcQtCopvwEsXGz6FvuyrxvYzxWE+74iPBlY204eeiTFZ0n1zq8qGRIuw
kUgdM0jgNX5v5nmv+EaUeeCkuRQ5JEqIevlaD9iaK3iYO2mAVg8HFxzdmV0kLPq1
hLehErR+GX4=
=7JBM
-----END PGP SIGNATURE-----