Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms
David Chaum
CACM Vol. 24 No. 2
February 1981
Presented by: Adam Lee
1/24/2006
Motivation
Many uses for anonymous communication channels
Elections
Anonymous crime tips
Whistle-blowing
Etc.
Standard mail offers some guarantees of anonymity; why not email too?
Contributions
Cryptographic protocols to support an anonymous email system
Keep sender anonymous w.r.t. both the receiver and other parties in the network
Allow receiver to reply to sender without revealing sender's identity
Protocol can also be used to form anonymous and verifiable rosters
E.g., for an electronic election
Historical Perspective, 1979
Cryptography had been around for millennia
Usually required the use of shared secrets
Paradigm shift: late 1970s
Diffie & Hellman, "New Directions in Cryptography" (1976)
RSA cryptosystem (1977)
Rapid advancements allow for the sharing of keys (secrets) between strangers
Notation
Keys in public-key cryptosystem
Public key: K
Private key: K^-1
Encryption of x with K denoted by K(x)
Keys are inverses
i.e., K^-1(K(x)) = K(K^-1(x)) = x
Operations
To prevent certain attacks, Chaum advocates random padding before encryption
i.e., use K(R, x), where R is a random string, rather than K(x) to encrypt x
When signing, first pad with some known constant
i.e., K^-1(C, y), where C is a known constant
Chaum's Assumptions
Can't break the cryptosystem
Anyone can observe all links in the system
The so-called "global passive adversary"
Anyone can inject, replay, remove, or modify messages
Dolev-Yao active attacker model (which they didn't publish about until 1983)
Sending Anonymous Mail
Rather than sending mail directly to the recipient, send mail to a mix
Principle: Try to reduce correspondence between input- and output-sets
Fool global passive adversaries
What about keeping the message private?
The Crypto!
Players (and their public keys)
Mixes (Kn)
Recipient, A (Ka)
One mix protocol
Sender -> Mix: K1(R1, Ka(R0, M), A)
Mix -> A: Ka(R0, M)
Use of public key crypto hides message from mix and nosy parties on the Internet
Cascade Mix Example
Protocol
Sender -> Mix n: Kn(Rn, Kn-1(Rn-1, …, K1(R1, Ka(R0, M), A) …, An-2), An-1)
Mix n -> Mix n-1: Kn-1(Rn-1, …, K1(R1, Ka(R0, M), A) …, An-2)
…
Mix 2 -> Mix 1: K1(R1, Ka(R0, M), A)
Mix 1 -> A: Ka(R0, M)
As long as (n-1) mixes remain uncompromised, the anonymity properties of the message are preserved!
Observations
At each step in the cascade, the current mix
Peels off one layer of encryption
Discovers a forwarding address
Passes message along
So, each mix only knows where a message came from and where it's going
Note similarities between onion routing, Crowds, etc.
Return to Sender
This is all fine and good for one-way email (anonymous threats and the like), but how can we arrange responses?
Embed an untraceable return address!
Format: K1(R1, AX), KX
AX is X's return address, KX is a temporary public key for X
Example
Protocol:
X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX
Mix -> Y: KY(R0, M1), K1(R1, AX), KX
Y -> Mix: K1(R1, AX), KX(R2, M2)
Mix -> X: R1(KX(R2, M2))
Note 1: R1 used to alter forwarded message to prevent I/O correspondence
Note 2: Return addresses can be cascaded just like messages.
Note 3: Responses clearly different from initial messages
Possible Attack (not in paper)
Note that K1(R1, AX) and KX aren't bound
A malicious mix can read reply messages by carrying out a man-in-the-middle attack
With email, lots of times, replies contain the original message!
Attack Example
X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX
Mix -> Y: KY(R0, M1), K1(R1, AX), KX'
Note substituted ephemeral public key KX'
Y -> Mix: K1(R1, AX), KX'(R2, M2)
Mix can unpack this message, read M2, and re-encrypt using KX
Mix -> X: R1(KX(R2, M2))
A Simple Solution
To prevent the previously mentioned attack, we need only change the first message of the protocol
X -> Mix: K1(R1, KY(R0, KX, M1), AY), K1(R1, AX), KX
This allows Y to verify that the mix didn't change KX, since the mix can't alter anything encrypted with KY
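Added illustration (not from the paper or the slides): a toy model of the cascade from the Cascade Mix Example slide and of the reply round with the KX substitution and its fix. Public-key encryption is simulated by tagging a padded payload with the key's name, so the code shows the protocol's structure (layer peeling, what each mix sees, the unbound KX) rather than any real cryptography; the R1 re-keying of the forwarded reply is omitted.

```python
import os

class Key:
    """Toy key pair for the protocol sketch. enc() plays K(R, x): a random pad R
    plus the payload, tagged with the key's name; dec() plays K^-1 and opens only
    ciphertexts carrying that tag. This models the protocol, not real encryption."""
    def __init__(self, name):
        self.name = name
    def enc(self, *parts):
        return ("enc", self.name, os.urandom(4), parts)      # R = 4 random bytes
    def dec(self, ct):
        tag, owner, _r, parts = ct
        if tag != "enc" or owner != self.name:
            raise ValueError("not encrypted to " + self.name)
        return parts

def wrap_cascade(mixes, ka, msg):
    """Sender builds Kn(Rn, ..., K1(R1, Ka(R0, M), A) ..., An-1); mixes[0] is Mix 1."""
    layer, next_hop = ka.enc(msg), ka.name                     # Ka(R0, M), bound for A
    for mix in mixes:
        layer, next_hop = mix.enc(layer, next_hop), mix.name
    return layer, next_hop                                     # outermost onion, to Mix n

def run_cascade(keys, onion, dest, ka):
    """Each mix peels one layer, learns only previous/next hop, and forwards."""
    hops, prev = [], "sender"
    while dest != ka.name:
        onion, nxt = keys[dest].dec(onion)
        hops.append((dest, prev, nxt))                         # all this mix ever sees
        prev, dest = dest, nxt
    return ka.dec(onion)[0], hops

def reply_round(mix, kx, ky, m1, m2, evil=False, bound=False):
    """X -> Mix -> Y -> Mix -> X using return address K1(R1, AX), KX.
    evil: the mix substitutes its own KX'.  bound: X also puts KX inside KY(...)."""
    ret_addr = mix.enc("X")                                    # K1(R1, AX)
    inner = ky.enc(kx.name, m1) if bound else ky.enc(m1)       # KY(R0, [KX,] M1)
    fwd, _ay = mix.dec(mix.enc(inner, ky.name))                # mix peels X's message
    fake = Key("KX'")
    kx_seen = fake if evil else kx                             # the key Y is handed
    parts = ky.dec(fwd)
    if bound and parts[0] != kx_seen.name:
        return None, "Y aborts: KX does not match the key inside KY(...)"
    reply = (ret_addr, kx_seen.enc(m2))                        # Y -> Mix
    leaked = None
    if evil:                                                   # mix opens with KX'^-1
        leaked = fake.dec(reply[1])[0]
        reply = (ret_addr, kx.enc(leaked))                     # re-encrypt under real KX
    assert mix.dec(reply[0]) == ("X",)                         # mix learns AX, forwards
    return leaked, kx.dec(reply[1])[0]                         # what X finally reads
```

Running the four variants of `reply_round` shows the unbound case leaking M2 to the malicious mix, while the bound case makes Y abort instead.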
Anonymous Elections
Form a roster of pseudonyms by sending anonymous emails through a mix-net
Output list in a public location
Only entities on the list can take actions in the system
Recommendations for an Untraceable Mail System
To hide number of messages sent, each participant sends same number of messages per interval (some are dummies)
Cover traffic!
To hide number of messages received, must check all messages, not just known good messages
Messages should all be same size
Prevent I/O correlation
Implementing an Advanced Mix
A mix with all of the following properties can be implemented using the techniques presented in this paper
Overview
Break message into fixed size blocks
Each mix "pops" the first block, adds a block of junk to the end
Decrypt removed block to yield a key R which is used to encrypt each block in the new message
Discussion Questions
Why wasn't Chaum's mix network ever implemented?
How should we characterize advancements in anonymous email over the years? Technological? Responses to better understanding of threats?
Discussion Questions (cont.)
This article explains how anonymous rosters can be used for electronic voting. Did Chaum oversimplify the problem, or do current systems ignore his work in this area?
What do people think of the notion of certified mail and receipts?