1994-01-30 - Re: 2-way anonymous via SASE

Header Data

From: jim@bilbo.suite.com (Jim Miller)
To: cypherpunks@toad.com
Message Hash: c6c6c3940e2f93572814761b3bc936161bf559ae9e9d3de22439caa7da295bb3
Message ID: <9401300244.AA25386@bilbo.suite.com>
Reply To: N/A
UTC Datetime: 1994-01-30 02:48:36 UTC
Raw Date: Sat, 29 Jan 94 18:48:36 PST

Raw message

From: jim@bilbo.suite.com (Jim Miller)
Date: Sat, 29 Jan 94 18:48:36 PST
To: cypherpunks@toad.com
Subject: Re: 2-way anonymous via SASE
Message-ID: <9401300244.AA25386@bilbo.suite.com>
MIME-Version: 1.0
Content-Type: text/plain



Hal Finney writes:

> Jim's idea looks good for anonymous communication.  It is basically
> the same as the one Chaum describes in his 1981 Communications of the
> ACM paper.

Damn, just when I thought I might have had an original idea...


> The one difference is that Jim's B, C, and D are conventional rather
> than public keys in Chaum's system.  This could be slightly more
> efficient.
> 


Probably most than just slightly (for the sender), considering the time it  
takes to generate good public-key pairs.


> One other caution Chaum raises re the SASE's is that they should not be
> used more than once.  If they could be it would be possible to send in
> multiple messages using the same SASE and notice which output address
> was similarly duplicated.

If the SASEs incorporated the use of non-reusable Digital Stamps, then the  
remailers could detect attempts to double spend the Digital Stamps placed  
inside the SASEs.


>..., else the Opponent can eavesdrop on an SASE-based message
>and replay the address portion.

I'm not exactly sure what you mean here.  I'm guessing that you mean an  
eavesdropper could capture a reply message of the form...

Ted sends  (stuff3)R3, (reply)A      ==> R3

...and grab the "(stuff3)R3" part and try to use it.  However, he wouldn't  
have the public-key A, so he wouldn't be able to use "(stuff3)R3" to send  
a readable message to Bob (who constructed the SASE).  Bob would get  
garbage at the end of the final decrypt step because the eavesdropper's  
message was not encrypted with A.  However, the eavesdropper could still  
use "(stuff3)R3" to send multiple copies of a garbage message in an  
attempt to track back to Bob (as you indicated in your last paragraph).   


If I was Ted and I was worried about an eavesdropper, I would not send the  
reply directly to R3.  I would wrap the reply in a nest of conventional  
digital envelopes and send the reply to R3 via a random set of other  
remailers.  Something like:

(R21, (R3, ((stuff3)R3, (reply)A)R3)R21)R10

This would first go to R10, then R21, and then to R3, which would  
recognize the (stuff3)R3, (reply)A format and forward the reply based on  
the contents of "stuff3"

This would foil the eavesdroppers who were trying to figure out who Ted  
was replying to.  An eavesdropper monitoring R3 would still be able to  
caputure the SASE-based message forward by R3 (e.g. (stuffN) ((reply)A)B   
==> R2 ), but they wouldn't be able know that the forwarded reply  
originally came from Ted.

This, of course, doesn't prevent Ted from abusing the SASE.  Will probably  
need some form of non-reuseable Digital Stamps to do that.


Jim_Miller@suite.com






Thread