Date: Sun, 29 Jan 1995 17:56:34 -0800 From: Hal <hfinney@shell.portal.com>

Of course it was Chaum himself in his 1981 paper (which I think is available from the CP FTP site) who described the duplicate-message attack. I don't see that inter-remailing encryption helps much, because the attacker can still notice that whenever they inject message A, _something_ goes to Bob. The real solution, as Chaum pointed out, is that the remailer must reject duplicate messages, even when separated by days. Doing this without keeping a database of all messages ever sent is left as an exercise.

Perhaps the postage could integrally contain the request-remailing- to field. Supose the postage were <e-money, to-address> encrypted to the remailer. Then replayers would want to copy the to-address into a new piece of postage. But, we assume, they can't figgure out what it is because they don't have the key for the remailer. If the remailer issued it's own non-blinded stamps, the remailer would have to keep a list of canceled stamps. (For as long as that series of stamps remains valid.) If the remailer used Chaumiam e-cash no logs would need to be kept at all.

Another aspect worth mentioning is that message splitting can make the kinds of statistical correlations that Wei Dai was looking at more of a danger. [...] Ideally you'd want to dribble them out at some standard rate, a rate at which you always send a message whether you have something to send or not. But this may introduce unacceptable latency.

If everybody ran a second level remailer, and if they always forwarded something (of very nearly the same size) when they recieved an encrypted message, then without compromising the users machine it would be imposible to say when a message was delivered. Some of the messages forwarded would need to be junk. Is there a polite way to send mail to a remailer, and ask it to junk the mail? Some of the messages forwarded would have to be 'part n of m' messages. Noyb