-----BEGIN PGP SIGNED MESSAGE----- [ To: Cypherpunks ## Date: 07/02/96 03:36 pm ## Subject: Re: anonymous mailing lists ]

Date: Sat, 29 Jun 1996 09:40:51 -0700 From: Hal <hfinney@shell.portal.com> Subject: Re: anonymous mailing lists

Wei Dai did some nice statistical analysis of this type of attack sometime a year or two ago. Even with countermeasures such as you suggest, if they are not perfect, so some information leaks correlating incoming and outgoing messages, Wei showed that it was possible to deduce the owners of the nyms surprisingly quickly.

Yes, this makes sense. As I said before, this is related to the way timing attacks work. A little correlation that shouldn't be there, over many messages, turns out to be enough to unravel a lot of information.

The countermeasures do work - if you get and send exactly 50 pieces of 4K byte email every day, no matter what, then correlations don't exist - but they are expensive to do perfectly.

At the very least, this is susceptible to a flooding attack. At any rate, this is analogous to the fixed-delay solution to timing attacks. (Make all PK operations with long-term secret keys take the same amount of time.) Unfortunately, I can't see a solution to this that's analogous to blinding out the values in the timing attacks.

Hal

Note: Please respond via e-mail as well as or instead of posting, as I get CP-LITE instead of the whole list. --John Kelsey, jmkelsey@delphi.com / kelsey@counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMds0LUHx57Ag8goBAQHPeQP+JH4b7bJCLW3ttqQ+v0XzEcbCaeOg9LqR e+xuaLx2AjCx5N+V2q3xeJTAldfZZ5YFwCUq3KgpnBAbDvJ1my0hCGmKj+1uXQTp SFSciq5oItMo2kwncbez2RaN/0aqcDSOGnc4ddfO4Ur7H7k+aLOQuaAUvcvDpV1p C8up+1PSPW0= =60Zh -----END PGP SIGNATURE-----