That 70's Crypto Show (Remailers, science and engineering)

Wed Dec 27 16:58:41 PST 2000

Tim May wrote:
>> In other words, it's time to get crypto out of the math and computer 
>> science departments and put it in the engineering departments where 
>> it belongs.

Tim's complained for a while that the cypherpunks meetings and
discussions have declined in quality, partly because we've
tended to rehash old material rather than doing new and 
interesting work, and partly because we've tended to have
fewer talks on new stuff people are doing and more on
some commercial business (maybe or maybe not run by cypherpunks)
doing their product or non-technical talks by EFF lawyer types.
While I'm not disagreeing with him here,
I think a lot of this is _precisely_ related to the movement
of crypto out of math and CS areas and into engineering.
Mojo Nation, for example, is partly interesting because it's not just 
Yet Another Encrypted Music Sharing Product - it's mixing the
crypto with economic models in ways that are intellectually complex,
even if they're somewhat at the hand-waving level
rather than highly precise.

At 02:42 AM 12/26/00 -0500, dmolnar wrote:
>There's some hope. There was a workshop on "Design Issues in Anonymity and
>Unobservability" this past summer which brought people together to talk
>about these issues. The Info Hiding Workshops are still going strong.
>With luck, this year's IHW may have a paper on reputations in it...

Cool.  Are the proceedings on line anywhere?  (Or is it only
for people who know the secret keys...)

>On the other hand, we can oppose this to the fact that we 
>have a bunch of remailers, and they seem to work. 
>They may be unreliable, but no one seems
>to have used padding flaws to break a remailer, as far as we know. 

Arrgh!  Dave, just because nobody's known to have broken them
doesn't mean that nobody's succeeded in breaking them
(without us knowing they've succeeded), 
or that anybody's put serious effort into an attack.
The basic remailer network is known to be breakable by
anybody doing a thorough eavesdropping attack,
because you can learn a lot from message sizes.
Mixmasters are much safer, because message sizes are
constant (though message counts aren't), but it's not clear
whether they're good enough, given a good attack.
Pipenets are probably secure enough against most attacks,
but they're annoying economically - not surprising that
Zero Knowledge's initial service didn't fully implement them.

The reason remailers have been Good Enough so far
is that as far as we know, nobody's had the motivation
to do a proactive eavesdropping attack on them,
or a proactive deployment of untrustworthy remailers
the attacks have either been after-the-fact attempts to
get information that wasn't logged (they're strong enough
for that, if run by trustable people on uncracked machines), 
or proactive attempts to close the remailers
(many of those attacks have been successful.)

Small numbers of remailers (there are typically about 20)
aren't good enough to resist shutdown-forcing attacks.
The cool thing about Zero Knowledge was that they had a 
business model they thought could get large numbers of
service providers to support, which increases the security
against loss of individual remailers as well as reducing 
the likelihood of an individual remailer shutting down.

				Thanks! 
					Bill
Bill Stewart, bill.stewart at pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639