Re: MixMinion Status
(David and Nick: I've changed the address from which you're subscribed.)
On Fri, Mar 15, 2002 at 09:10:32AM -0500, George Danezis wrote:
> I am in the process of rewriting the core of the design document to
> reflect what we discussed last Saturday.
This is probably something to deal with down the road, but I wanted to
mention it now so I don't forget and so we can be keeping it in mind.
Two quotes from page 69 of http://freehaven.net/doc/freehaven10.ps :
|We call a public key cryptosystem \emph{recipient-hiding} if it is
|infeasible to determine, given a ciphertext, the public key used to create
|that ciphertext. The recipient-hiding property is \emph{not} implied
|by the standard definition of semantic security (even with respect to
|adaptive chosen ciphertext attack). Moreover, it is not even achieved
|in common practical constructions. This has implications for mixnets
|which use reply blocks that are separate from the body of the message.
|In practice, mail programs such as PGP tend to include the recipient's
|identity in their header information. Even if headers are stripped, David
|Hopwood has pointed out in the case of RSA that because different RSA
|public keys have different moduli, a stream of ciphertext taken modulo
|the ``wrong'' modulus will tend to have a distribution markedly different
|from the same stream taken modulo the ``right'' modulus. This allows an
|adversary to search through a set of possible public keys to find the one
|which is the best fit for any ciphertext, even if OAEP or similar padding
|is used.
On the other hand, most actual systems generate a symmetric key, encrypt
that with RSA, and then crypt the text with the symmetric key. Does that
solve our problem?
> Roger: Feel free to hack the introduction, I am not going to work on it
> until later.
Ok. I'll put it on my plate.
--Roger
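An added example, not from this post or from the Mixminion code base: a toy reproduction in Python of the Hopwood observation quoted above, with constructed small moduli and textbook RSA. It assumes an observer who holds a batch of ciphertexts and a short list of candidate public keys; the `fit_score` measure (mean of c/N compared against 0.5) and `best_fit_modulus` are my own constructed scoring, not anything from the paper.

```python
import random

# Toy reproduction (constructed, not Mixminion code) of the quoted observation:
# textbook RSA output c = m^e mod N is spread over [0, N), and every key has a
# different N, so a batch of ciphertexts betrays which candidate key made them.

def next_prime(n):
    """Smallest prime >= n, by trial division (fine for these toy sizes)."""
    while True:
        if n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1

def toy_modulus(near_p, near_q):
    """Constructed small modulus from the first primes at or above the seeds."""
    return next_prime(near_p) * next_prime(near_q)

def encrypt_batch(n, e, count, rng):
    """Textbook RSA of random messages; what the block carries (a message or a
    wrapped symmetric key) and any padding do not change where c lands in [0, n)."""
    return [pow(rng.randrange(2, n - 1), e, n) for _ in range(count)]

def fit_score(ciphertexts, n):
    """Constructed fit measure: None if n cannot have produced the batch
    (some c >= n); otherwise how far the mean of c/n is from the 0.5 that a
    batch uniform on [0, n) would give.  Lower is a better fit."""
    if max(ciphertexts) >= n:
        return None
    mean_ratio = sum(c / n for c in ciphertexts) / len(ciphertexts)
    return abs(mean_ratio - 0.5)

def best_fit_modulus(ciphertexts, candidates):
    """The candidate modulus that best explains the observed ciphertexts."""
    scored = [(fit_score(ciphertexts, n), n) for n in candidates]
    return min((s, n) for s, n in scored if s is not None)[1]

E = 65537
# Three constructed "recipient" keys of similar size (about 1.0e12 to 3.6e12).
CANDIDATES = [toy_modulus(1_000_000, 1_000_100),
              toy_modulus(1_300_000, 1_300_100),
              toy_modulus(1_900_000, 1_900_100)]

def demo(true_index=1, count=200, seed=1):
    """Encrypt under one candidate, then recover it from the ciphertexts alone."""
    rng = random.Random(seed)
    cts = encrypt_batch(CANDIDATES[true_index], E, count, rng)
    return best_fit_modulus(cts, CANDIDATES)

if __name__ == "__main__":
    print(demo() == CANDIDATES[1])  # True: the batch identifies the key
```

With real key sizes the moduli still differ by up to a factor of two, so the same range test applies; only the number of ciphertexts needed to separate close moduli changes.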