1993-01-14 - Re: Details on return envelopes

Header Data

From: Hal <74076.1041@CompuServe.COM>
To: <cypherpunks@toad.com>
Message Hash: 3a7b20565fd1e3a832ae692ab81418e01b233ba8d4e4f62b646e0aa75a61d2af
Message ID: <93011419592774076.1041_DHJ54-1@CompuServe.COM>
Reply To: _N/A

UTC Datetime: 1993-01-14 20:09:52 UTC
Raw Date: Thu, 14 Jan 93 12:09:52 PST

Raw message

From: Hal <74076.1041@CompuServe.COM>
Date: Thu, 14 Jan 93 12:09:52 PST
To: <cypherpunks@toad.com>
Subject: Re: Details on return envelopes
Message-ID: <930114195927_74076.1041_DHJ54-1@CompuServe.COM>
MIME-Version: 1.0
Content-Type: text/plain

I've been studying Eric Messick's message.  It's pretty complicated and
it will take more time to really understand it.

I did spot one possible problem.  Remailer &V sends to &W an address
field that looks like:

Addr: w(B), w(Sw, Qw, C, &X, x(C), x(...), pad)

but I don't think &V has enough information to create the 2nd item here.
The reason for the A, B, etc. keys is, I think, to allow new padding to
be done as the message gets passed between each pair of remailers.
I think that may need to be used here as well.  &V can't put padding into
the w(Sw,...) block.

As a more general comment, I'd like to see some simpler examples.  Eric
has shown the most complex case in order to demonstrate that his scheme
works for that, but I think more people would be able to comment on it
if some simpler examples were provided.  How about an anonymous address
that is just one hop long, instead of 3, and which is used by the sender
without going through any remailers first?  I think that would be less

Another general point, which may be important.  Chaum emphasized that his
anonymous addresses should be use-once, because if two people send messages
to the same anonymous address, someone who has access to the mail goig
into and coming out of the remailer will see identical address fields
coming out for the pair of messages.  I think Eric's scheme has the same

I have to admit that I don't see that a use-once anonymous address is very
useful, but I think we should give this some consideration.  I think
Eric's use of padding is to defeat just such an attacker, so that there
is no message-length correlation between incoming and outgoing messages.
If we are going to worry about such attacks, it calls into question the
whole approach to anonymous addresses.

As one possible corollary, if anonymous addresses were used once then the
postage could be supplied by the addressee.  This might change the protocol
very considerably.

Hal Finney