Return envelopes.

Hal 74076.1041 at CompuServe.COM
Sun Jan 17 20:48:33 PST 1993

I looked at Eric Messick's improved ideas for remailing with digital
postage, and they look pretty good.  I think it's especially good that
Eric has been able to show that anonymous addresses can be used by
more than one person without being incriminating.

But there is still an attack which they are vulnerable to, which Eric
mentions.  The "Pneed" field of the anonymous address has information
about the postage amounts which will be needed by each remailer in
the chain.  (But it doesn't reveal which specific remailers to use,
of course.)  It also has public keys to encrypt these amounts with,
which are matched by secret keys hidden in the encrypted address.

But the remailers themselves each see their corresponding postage secret
keys as they process the message.  This means that they know which
envelope was used to send each message.  That means that each remailer
can find out if it is part of a given anonymous address, and it can
find out what remailers are before and after it in the chain.  It is
especially unnerving that the last remailer in the chain can learn
this information, as it will see your true address.  The one consolation
is that it won't _know_ that it is the last remailer in the chain,
so it won't realize that it has actually broken the code and is seeing
the true correspondence between the anonymous address and the real

But if most anonymous addresses only go through no more than a handful
of remailers, say 10, then that remailer must figure that it has at
least a 10% chance of having "broken" your address.  This degree of
information is more than I would like to have revealed about my anonymous

Based on this, I would be inclined to use non-postage-charging remailers.
But even the non-postage remailers have the same flaw using Eric's
protocol.  Each remailer sees the "clear text" of the message M being
passed along.  If a remailer sent the message in the first place, it
created M, so if it then sees message M come through later, it again
knows the correspondence between an anonymous address and its own
forwarding activities.

Chaum's scheme avoided this problem by having M get encrypted at each
point.  Using Eric's notation, an anonymous address might be:

Addr: &Z, z, z(&R, r, A, r(junk))

The new addition is A, a random conventional key.  Z gets sent:

To: &Z
Addr: z(z(&R, r, A, r(junk)), pad)
Message: z(M, pad)

This is just like Eric's example.  What Z sends is:

To: &R
Addr: r(r(junk), pad)
Message: r(A(M), pad)

The new feature is that Z encrypted M with A as it passed through.
In this case we only had a one-step anonymous address, but if there
were more than one step, each would use a different conventional key
A, B, C, ....  This way even a remailer which created M wouldn't
recognize it when it passed through after at least one step.

Using this idea along with Eric's idea of random padding and double
encryption at each step, we have multiple-use return addresses for
which no information can be learned at any point about the correspondence
between anonymous and real addresses, as long as the return addresses
use at least two hops.


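As an added illustration (not part of Hal's post, and not Eric Messick's or Chaum's code), the following Python toy simulates the return envelope above, extended as the closing paragraph suggests to a two-remailer chain Z, Y and recipient R, so that the effect of the per-hop conventional keys A, B can be observed directly. Everything here is constructed: the party names and keys are made up, the public-key operations z(), y(), r() are stood in for by a secret key that only that party holds, Eric's random "pad" is a fixed 8 random bytes under every such layer, and the cipher is an HMAC-SHA256 keystream, which is a stand-in for illustration and not a real cipher.

```python
import base64
import hashlib
import hmac
import json
import os

PAD = 8  # random padding bytes under every public-key layer (stand-in for Eric's "pad")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 counter keystream: a toy construction used only to make layers opaque
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enc(key: bytes, data: bytes) -> bytes:
    """Conventional encryption A(data): random nonce || data XOR keystream."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def dec(key: bytes, blob: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(blob[16:], _keystream(key, blob[:16], len(blob) - 16)))


def wrap(key: bytes, data: bytes) -> bytes:
    """Stand-in for a public-key layer with padding, z(data, pad)."""
    return enc(key, data + os.urandom(PAD))


def unwrap(key: bytes, blob: bytes) -> bytes:
    return dec(key, blob)[:-PAD]


b64 = lambda b: base64.b64encode(b).decode()
unb64 = base64.b64decode

# Constructed parties: remailers Z and Y, recipient R.  Each holds one secret key,
# standing in for the private half of its public key.
KEYS = {"Z": os.urandom(32), "Y": os.urandom(32), "R": os.urandom(32)}


def make_return_address(hops, recipient):
    """Recipient builds  &Z, z(&Y, A, y(&R, B, r(junk)))  for hops ["Z", "Y"].
    Returns (first hop, address blob, conventional keys A, B, ... in hop order)."""
    conv_keys = [os.urandom(32) for _ in hops]
    inner = wrap(KEYS[recipient], b"junk")            # innermost r(junk)
    chain = hops + [recipient]
    for i in range(len(hops) - 1, -1, -1):            # wrap from the last remailer outward
        layer = {"next": chain[i + 1], "key": b64(conv_keys[i]), "rest": b64(inner)}
        inner = wrap(KEYS[hops[i]], json.dumps(layer).encode())
    return hops[0], inner, conv_keys


def remailer_process(name, addr_blob, msg_blob):
    """One remailer's step: strip the outer (sender/previous hop) and inner (address)
    layers, encrypt the message under the conventional key found in the address, and
    re-wrap both parts for the next hop.  Also returns what this remailer saw."""
    layer = json.loads(unwrap(KEYS[name], unwrap(KEYS[name], addr_blob)))
    seen = unwrap(KEYS[name], msg_blob)               # M exactly as it arrived at this hop
    nxt = layer["next"]
    next_addr = wrap(KEYS[nxt], unb64(layer["rest"]))
    next_msg = wrap(KEYS[nxt], enc(unb64(layer["key"]), seen))   # A(M), then the next layer
    return nxt, next_addr, next_msg, seen


def run(hops, recipient, M):
    """Send M through the return address; return (recovered M, {hop: plaintext it saw})."""
    first, addr, conv_keys = make_return_address(hops, recipient)
    addr, msg = wrap(KEYS[first], addr), wrap(KEYS[first], M)   # sender's outer layer
    hop, seen = first, {}
    while hop != recipient:
        nxt, addr, msg, seen[hop] = remailer_process(hop, addr, msg)
        hop = nxt
    x = unwrap(KEYS[recipient], msg)
    for k in reversed(conv_keys):                     # recipient peels B, then A
        x = dec(k, x)
    return x, seen


if __name__ == "__main__":
    M = b"reply text that remailer Z itself may have composed"
    recovered, seen = run(["Z", "Y"], "R", M)
    print("recipient recovered M:", recovered == M)
    for hop, s in seen.items():
        print(f"remailer {hop} saw M in clear: {s == M}")
```

Running it shows the point of the post: the first hop Z still sees M in clear (so a one-hop address gives a remailer that composed M nothing to miss), but every later hop sees only A(M), which it cannot match against any message it once sent, and the recipient, who chose A and B, recovers M by peeling the conventional keys in reverse order.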
More information about the cypherpunks-legacy mailing list