2-way anonymous via SASE

Jim Miller jim at bilbo.suite.com
Fri Jan 28 15:02:36 PST 1994 


Here's an idea that was inspired by Tim May's prepaid mailer example.  I  
call it "2-way anonymous communication using Self Addressed Stamped  
Envelopes".

The general idea is that each anonymous messages will include a SASE that  
can be used to reply to the sender, without revealing the identity of the  
sender to the message recipient.  To reply, the recipient will copy the  
SASE from the original message and past it into a special section of the  
reply message.  Remailers will examine this section of the reply message  
and use its contents to route the message back to the sender of the  
original message.  


The syntax's for describing the mechanism gets messy fast.  I hope I can  
describe it so others can understand it.

Here's how I see it working...


Small example:

Bob wishes to communicate anonymously with Ted via remailer R1.  (With  
just one remailer, R1 would be able to track who sends to whom, but this  
is just for example purposes.)

Bob constructs:

(stuff1)R1                   - stuff encrypted with R1's public key

Where:

stuff1 == Ted, (stuff2)Ted   - Ted's address and more stuff encrypted
                               with Ted's public key.

stuff2 == msg, SASE          - Bob's message and Self Addr Stamped Envlpe


All together, it looks like:

(Ted, (msg, SASE)Ted)R1

(i.e. msg and SASE, encrypted with Ted's public key, appended to Ted's  
e-mail address, all encrypted with R1's public key)

The SASE contains the information Ted will use to send a reply message  
back to Bob.  It looks like:

  R1, A, (stuff3)R1

where

  stuff3 == Bob, B, (stuff4)Bob

  stuff4 == A', B'

all together:

  R1, A, (Bob, B, (A', B')Bob)R1

expanded

  R1's address,
  A                  - a one-time public-key generated by Bob,
  ( Bob's address,
    B                - another one-time public-key generated by Bob,
    ( A'             - private key paired with A,
      B'             - private key paired with B
    ) encrypted with Bob's public key
  ) encrypted with R1's public key


Ok, Bob sends (stuff1)R1 to R1. This is just like using a regular  
encrypting remailer.  R1 decrypts stuff1 and gets:

Ted, (stuff2)Ted

R1, strips off "Ted" and passes the rest to Ted.  Ted receives  
(stuff2)Ted, decrypts it and gets:

msg, SASE

Which is really:

msg, R1, A, (stuff3)R1

Ted reads the message and decides to reply to whomever sent the message.   
Ted composes a reply and encrypts it with public-key A, then sends the  
following to R1 (he sends it to R1 because R1 was in the SASE):

(stuff3)R1, (reply)A           ==> R1

R1 receives this, decrypts (stuff3) and gets:

Bob, B, (stuff4)Bob

R1 encrypts (reply)A with public-key B and sends the following to Bob (the  
guy mentioned inside of stuff3):

(stuff4)Bob, ((reply)A)B       ==> Bob

Bob receives this, decrypts stuff4, obtaining A' and B'.  Bobs decrypts  
((reply)A)B using B' and A' respectively and gets the reply message.  If  
the reply message contained a SASE generated by TED, then Bob and Ted  
could continue to converse anonymously by including SASEs in each reply.



Expanded example:

Bob and Ted use combinations of R1, R2, R3 to communication anonymously


Bob write a message and wants to send it to Ted via R1, R2, and R3.  He  
constructs the following:

(R2, (R3, (Ted, (msg, SASE)Ted)R3)R2)R1

In this example, the SASE will look like the following:

R3, A, (R2, B, (R1, C, (Bob, D, (A', B', C', D')Bob)R1)R2)R3

ASIDE: As you may guess by now, Bob's message will go through R1, then R2,  
then R3, and Ted's reply will come back via, R3, then R2, then R1.   
However, the SASE does not have to specify the reverse route of the  
original message, nor even use the same remailers.


Anyways, Bob sends

(R2, (R3, (Ted, (msg, SASE)Ted)R3)R2)R1      ==> R1

R1 decrypts it and gets:

R2, (R3, (Ted, (msg, SASE)Ted)R3)R2

R1 strips off "R2" and sends the rest to R2.  R2 and R3 do similar things.   
Standard remailer stuff.  Eventually Ted will receive

(msg, SASE)Ted

decrypting obtains:

msg, SASE

Which is really:

msg, R3, A, (R2, B, (R1, C, (Bob, D, (A', B', C', D')Bob)R1)R2)R3

To reply to the sender of the message, Ted does just what he did in the  
first example.   He constructs:

(stuff3)R3, (reply)A

and sends it to to R3.  R3, R2, R1 do their thing and eventually the reply  
gets back to Bob.  When it arrives at Bob it will look like:


(A', B', C', D')Bob, ((((reply)A)B)C)D

>From this, Bob can recover Ted's reply message, while simultaneously  
verifying that the remailers correctly routed the reply.  If the remailers  
did not correctly route the reply, or failed to re-encrypt the reply with  
B,C, and D, then the thing Bob got at the end of the final decrypt would  
have been garbage.


Phew.  I wonder if it really works?


Jim_Miller at suite.com

More information about the cypherpunks-legacy mailing list