[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Recipient Anonymity




A group of servers collects messages of equal length for anonymous
recipients.  All servers exchange messages so that each has copies of all
messages.

A recipient wishes to retrieve a message from the servers without any
server knowing which message he is receiving.  The recipient selects a
group of n servers.  From each server, S_1...S_n-1, he requests a random
selection of messages, with a 50% probability that any particular message
will be selected.  The server returns the xor of all messages requested.
He sends the final server a request which is the xor of all the previous
requests and the one single message that he wants.

The xor of all the responses is the desired message.  It is impossible to
determine which message was received unless all servers collude.

A variant of this scheme where there is only one server and a number of
anonymizing proxies will also work, however in this case there must be
sufficient delay to obscure the time correlations or the server will know
which message was received, and collusion with any one of the proxies
could reveal the recipient.

It is also possible to eliminate the need for real-time communication and
operate the system on a store-and-forward network.  The recipient
generates a one time pad and sends it to a remailer/messageserver along
with a reply-block which is a nested series of encrypted message requests
and next-hop addresses.  Each remailer along the way xors the requested
messages onto the existing message data before forwarding it to the next
hop.  When the recipient gets his message back, he decrypts it using the
one time pad.  To account for the situation where first and last remailer
collude, it is desireable to have some of the intervening remailers apply
a stream cipher to the message using a supplied key.

The server-to-server broadcast eliminates the need for cover traffic, but
the anonymizing proxy system does not.  However, there is no reason that
both schemes could not be used concurrently in the same network, and in
fact they would look the same to the end-user.

Except for the additional server-to-server communications necessary to
broadcast new messages into the system, the bandwidth utilization is
comparable to sender-anonymous remailers; it scales linearly as the
number of parties involved in the delivery of a particular message.  The
failure rate is also the product of the failure rate for each server; if
one server delivers corrupt data, the message is unreadable, and the
recipient must identify the bad server and eliminate it from future
requests.