[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: problem in 3.2 "Replies"



On Mon, 2002-05-06 at 19:47, Zooko wrote:
> 
> Folks:
> 
> I've finally had a look at the paper.  It's impressively complete and 
> well-written.  I have concentrated on section 3.2 "Replies".
> 
> It ends with "Even the crossover point cannot know if it's processing a reply 
> or forward message."
> 
> Is this really true?  As far as I can see it is impossible for a sender who 
> uses a reply block to generate a useful H2, because it is going to be 
> encrypted by the contents of H1's which the sender does not know.  So it 
> appears to me that if your node opens a header and finds a "swap" instruction 
> therein, then he knows that this is a sender-anonymous ("forward") message.

No, all messages have two legs.  In replies, Alice uses Bob's reply
block as the second leg.  In forward messages, Alice generates both
legs.  Thus, when Charlie sees a "swap" instruction, he doesn't know
whether the next message is from a reply block or not.

I'm reworking the paragraph after the chart and pulling it up higher in
the section; let me know if it helps.

[OLD STUFF FOR CONTEXT] We divide a message's path into two \emph{legs},
and split the header
into two equal-size subheaders, each corresponding to a single leg.
Each hop contains a hash of the subheader it's a part of, so we can do
integrity-checking of the path (but not the payload) within each leg.
Each hop also contains a symmetric key, which is used to derive a
decryption key for decrypting the rest of the message. The MIX also
derives a padding seed from this master key. It uses this padding seed
to place
predictable padding at the end of the subheader, so the hash will
match even though each hop must regrow the subheader to maintain
constant length.

[NEW PARAGRAPH FROM END OF SECTION] For forward messages, Alice provides
both legs; for anonymous replies, Alice
uses Bob's reply block as the second leg, and generates her own path
for the first leg.  (To send a direct reply, Alice can use an empty
first leg, or send the reply block and message to a MIX that can wrap
them for her.)


I'll-commit-soon-I-promise-ly Yours,
-- 
Nick