1995-01-23 - Re: traffic analyzing Chaum’s digital mix

Header Data

From: “Wei Dai” <weidai@eskimo.com>
To: Hal <hfinney@shell.portal.com>
Message Hash: bc632f920e61709a8bcb8c2defec04741e1d0485219673e8a075f4fe1afb7268
Message ID: <199501230319.AA11008@mail.eskimo.com>
Reply To: N/A
UTC Datetime: 1995-01-23 03:19:21 UTC
Raw Date: Sun, 22 Jan 95 19:19:21 PST

Raw message

From: "Wei Dai" <weidai@eskimo.com>
Date: Sun, 22 Jan 95 19:19:21 PST
To: Hal <hfinney@shell.portal.com>
Subject: Re:  traffic analyzing Chaum's digital mix
Message-ID: <199501230319.AA11008@mail.eskimo.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

> From:          Hal <hfinney@shell.portal.com>
>
> I know that the Eurocrypt 89 proceedings had some articles on
> cryptanalyzing Chaum's mixes.  My library has an excellent crypto
> selection but is missing this volume.  Can anyone who has read this say
> whether there is anything in those papers that isn't obvious?

I found a copy of these proceedings in the library today.  There is a
paper titled "How to break the direct RSA-implementation of MIXes"
by Birgit Pfitzmann and Andreas Pfitzmann.
Here is its abstract:

MIXes are a means of untraceable communication based on a public key
cryptosystem as published by David Chaum in 1981 (CACM 24/2 84-88).
	In the case where RSA is used as this cryptosystem directly 
i.e. without composition with other functions (e.g. destroying the
multiplicative structure) we show how the resulting MIXes can be
broken by an active attack which is perfectly feasible in a typical
MIX-environment. 
	The attack does not affect the idea of MIXes as a whole: 
if the security requirements of [Chaum's paper] are concretized 
suitably and if a cryptosystem fulfills them one can implement secure 
MIXes directly.  However it shows that present security notions for
public key cryptosystems, which do not allow active attacks
do not suffice for a cryptosystem which is used to implement MIXes 
directly. 
	We also warn of the same attack and others on further 
possible implementations of MIXes and we mention several implementations
which are not broken by any attack we know.

My interpretation is that PGP-based remailers are not susceptible to
the attack described by this paper.  (Of course, they are currently 
vulnerable to much more trivial ones.)

Wei Dai


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLyMeCTl0sXKgdnV5AQFoggP/XzBFSyChFgNMrX3gCQSNfOiwHrAEKgpD
a0TGYX9KBRqRd6cdDIdauDzFtPST1XjU/1RpYvlGjKIhOSd60JZwO+7185SJGBM9
q/4cqE/hOiHzB2gaoHiQFySDIkfFTeJdlIiTiS/OjbR5awkMCF+zU8cxPrgWTrxr
/sM1C39O8Cc=
=J20K
-----END PGP SIGNATURE-----





Thread