At 5:18 PM -0800 1/25/98, Adam Back wrote:
> Repeat to get back to originator. If we assume 100 message pool size (probably generous) and chain of length 10, that is 1000 decryptions which adds equivalent to 10 bits worth of symmetric key size.
>
> Paranoid stuff yes, but the NSA mixmaster traffic archive doesn't seem that unlikely.
>
> It is interesting to note that Tim May's recent suggestion of LAM (Local Area Mixes) would help here because if 5 of those mixmaster nodes were part of a LAM, it is unlikely that the NSA would be able to archive inter remailer traffic, thus increasing effective pool size to 100^5. So one advantage of the LAM approach is that it provides links which are protected by physical security.
This is a big part of the LAM motivation: to grossly complicate the task of observers watching the traffic. If SWAN or PipeNet is adopted, this obviates this point, but neither seems likely anytime soon. A LAM approach is low tech, and can be implemented easily enough. (And PipeNet becomes much more feasible...)

Even an adventurous company, with many machines on various networks, could deploy a LAM on their network. (Though the laws about corporate culpability are written in ways that a Silicon Graphics or Sun or C2Net would have much to fear in having their corporate network associated with a LAM of any sort. Hence my point about many and varied residential users in a physical building being the LAM nodes.)

Another point about LAMs is that they are useful as "concentrators" for PipeNet connections. To wit, Suppose someone has deployed a PipeNet connection to another node. Fine, but the NSA and Mossad and GCHQ and other enemies of freedom may watch the traffic flowing into the node feeding that PipeNet connection. So why not do a better job of "loading" this PipeNet connection by having a LAM at the site? Then, watchers see the stuff flowing into the LAM, and have less idea (correlation-wise) of what's then making use of the PipeNet connection.

(There are arguments that PipeNet would be immune to this type of correlation, in that a single node feeding a PipeNet connection is as good as N nodes. The devil's in the details. I argue that a LAM feeding a PipeNet connection is at least as secure against monitoring as a single node feeding a PipeNet, and possibly more secure, practically speaking.)

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."