CDR: Re: Disposable remailers
despot
despot at crosswinds.net
Sun Oct 8 18:35:03 PDT 2000
On Fri, 6 Oct 2000, dmolnar wrote:
> On Fri, 6 Oct 2000, despot wrote:
>
> > But, this disposable remailer idea is solid. As a quick
example
> > scheme, if there were some sort of remailer protocol that
> > functioned like routing protocols, as disposable remailers
came
> > online, they could announce themselves to other remailers.
> > Pseudorandom hopping from one disposable remailer to another
could
> > occur in a remailer-chained message, instead of manually
> > encrypting a message for a chain of remailers. The sender
could
I will inject one missing piece of my example, the final remailer
address
(and perhaps even the whole message) should be obfuscated by the
hop count.
This way only the last disposable remailer before the final
remailer has this information.
> This reminds me of something I was looking at this spring.
Markus
> Jakobsson has two papers on "A Practical Mix" and "Flash Mixing"
which
> look at mix-nets in a different way than we see in remailers.
There,
> instead of a message being successively encrypted for a
particular
> path through a series of remailers, the remailers pass a
prepared
> encrypted message around and perform a distributed computation
on it. At
> the end of the computation, the decrypted name of the recipient
> automagically pops out.
> Anyway, both papers deal with a collection of mix servers fixed
in
> advance. It seems that disposable remailers would work well with
> extensions of these protocols modified to deal with dynamic
leave and
> joins of servers. Add this to wireless and you have mobile
disposable
> remailers.
Ok, I am stretching my memory here, but...
I read about mix-nets and the "Flash Mixing" paper months ago, so
I may be a bit off. If I remember correctly, you have network of
mix servers. Any set of these mix servers can be used to perform
the mix, and as long as one is "honest," the result will be
private. These servers communicate over some sort of broadcast
channel.
Lets say C is a list of the ciphertexts (c0...ci) after encrypting
messages M (m0...mi) with a public key. C flows through the
mix-net where it is re-encrypted, permuted, sorted, etc by each
mix server (so each mix server has a modified copy of the list)
and out pops C'. C' is a list of ciphertexts corresponding to M.
For the Flash Mix, the mix servers can confirm to a high
probability that C' was computed correctly. As long as one of the
mix servers is honest and an attacker does not know, I think it
is, 2 plaintexts corresponding to input ciphertexts, then there is
a high probability of privacy. More so, I believe there are even
dummy inputs in the list C to help strengthen this scheme against
attacks.
So, off the top of my head, issues with extending this scheme to
disposable remailers...
Well, the list size immediately comes to mind for
memory-constrained devices. The resistance to attack is dependent
on the list size and the number of lists (which corresponds to the
number of mix servers used). Adding nodes should have no impact as
they would not be part of the current mixes. Dropping nodes not
used in any mixes would be fine, but what happens when a node
being used in a mix fails? The mix could start over, using
pseudorandomly selected nodes perhaps. The system also seems to
fall prey to malicious remailers. For the flash mix, I believe, it
is assumed that nodes will perform properly more often than not,
but this seems to be the rarer case in a disposable remailer
structure. The means of communication would need to be looked at,
especially with this dynamic environment. How to eliminate nodes
that are found to be malfunctioning from being used by other
nodes? A few trusted, "honest" nodes should be available to the
mixes in order to ensure privacy. And so on... :)
> So a further question would be whether we can design a mix
protocol
> which can
> a) take advantage of all these cheap, (hopefully) distinct
> devices and their computation power
> but
> b) doesn't give the commodity devices enough power to
> break the mix, even if many (almost all??) of them act in
> concert.
Indeed...
-andrew
More information about the cypherpunks-legacy
mailing list