1994-03-28 - Solution to Remailer Abuse

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 31f42544042c0011930541d5bc16afea768051e8edaf57b0eed8edfa4675affd
Message ID: <199403280737.XAA10102@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-03-28 07:37:12 UTC
Raw Date: Sun, 27 Mar 94 23:37:12 PST

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Sun, 27 Mar 94 23:37:12 PST
To: cypherpunks@toad.com
Subject: Solution to Remailer Abuse
Message-ID: <199403280737.XAA10102@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


I was riding the train tonight, re-reading some old crypto papers, including
Chaum's Auscrypt paper on digital pseudonyms, credentials, and such.  He
described a method for letting libraries catch people who don't return
library books, while still preserving confidentiality of all transactions.
It occured to me that a modified form of his idea could help curb abuse
of remailers.  (It might also work for the anonymous video rental problem
we have discussed here from time to time.)

Chaum's idea was pretty complicated, but I think a simpler approach could
work using the existing Magic Money software.  One idea we have talked about
to help curb abuse would be to simply charge digital postage for every
message.  However, it was pointed out that in practice postage costs would
probably be so low that this would only help in extreme cases of volume
abuse.

My idea is to have the coins not represent money, but to have them be
"non-abuse tokens".  With every message would be included a non-abuse
token in the form that Magic Money uses when you exchange incoming
money at the bank.  This is composed of the coin itself, plus what is
called a "proto-coin" which is a blinded version of what will become
the new coin.  The remailer would check the incoming non-abuse token to
make sure it hadn't been seen before, just like the bank does with
Magic Money.

However, it would not immediately sign and return the blinded proto-coin.
Instead, it would hold onto it for a day or two to see if any complaints
came back about the message.  This would require remembering the outgoing
message-ID along with the proto-coin, but nothing else would have to be
remembered about the message, and of course with remailer chains the true
source of the message would be completely unknown.

If no complaints come in (which is the case with the vast majority of
messages, in my experience) the remailer would sign and publish the blinded
proto-coin.  This would be put in some public place which was generally
available to all who might use the remailer.  The user who sent the message
would be watching for this proto-coin and pick it up, un-blinding it with
his Magic Money software, to produce a new non-abuse token which he can use
to send another message.

If serious complaints do come in about the message, the remailer would not
sign the proto-coin, and the sender would have lost a non-abuse token.

The nice thing about this system is that it protects the privacy of the user
of the remailer system.  With the Magic Money technology each non-abuse
token is blinded so there is no linkage possible between issuing of such
tokens and their use.  The big problem with the remailers now is that abusive
messages can't be addressed without trying to track down who sent them, which
is usually impossible.  This system addresses the problem without hurting
anyone's privacy.

A couple of issues that I have glossed over would include how the non-abuse
tokens are issued in the first place.  There is the obvious danger that an
abuser manages to keep getting new tokens by pretending to be a new net
user who would like to use the remailer.  Two solutions to this would be
first, to charge a significant sum for a handful of non-abuse tokens; this
would be a one-time fee for non-abusers but could get expensive for those
who abuse; or second, to only give non-abuse tokens to users who could be
identified by their True Names.  (This isn't a situation which needs military-
grade security; semi-secure methods of identifying true names should be
adequate.)

One other thing I suggested above which might seem a little controversial
was that the signed but still-blinded proto-coins could be made available
in the clear.  Since these are in the form r*f(x)^(1/d) where r, a random
number, is only known to the user who created the proto-coin, I think they
are effectively one-time-pad encrypted.  So I don't see any need for these
messages to be hidden with a public key.  In fact, I don't think Magic Money
would really need to have a public key for the user since it is only used to
protect these messages, and I don't think they need protection.  Comments
are welcome on this point.

One last point involves the definition of abuse.  As far as I am concerned
that is up to the remailer operator.  Last week I got a very polite and
worried letter from a girl wondering why she had received mail from my
remailer inviting her to such some guy's finger, except it wasn't his finger.
(Despite our recent discussion of this list's implicit "X" rating I am
reluctant to be more explicit.)  I don't get too many of these but I feel
bad about them all the same.  My current approach is to add each person to
the list of blocked outgoing addresses, but I think the technology would allow
for a more effective solution.

Hal






Thread