
Re: New attack on mixminion (& fix)



Dear all,

I am back from a meeting in Europe where I met lots of subversives, some 
of them interested in running minion nodes. There is also a volunteer here 
in Cambridge that could be interested in writing a service on top of 
mixminion (nym server or other not yet clear).

On Sat, 31 Aug 2002, Roger Dingledine wrote:

> On Sat, Aug 31, 2002 at 12:21:03AM -0400, Nick Mathewson wrote:
> > On Mon, 2002-08-26 at 10:56, Roger Dingledine wrote:
> >  [...]
> > > Out of curiosity, is our encryption deterministic? That is, if I
> > > encrypt a given payload along a given path and then do it again, will
> > > the ciphermessages be linkable?
> > 
> > If I understand your question properly, "no."  The payload encryption
> > keys are based on the SK_i shared secrets, and those are chosen randomly
> > each time.
> 
> I thought so. So since the adversary can never recognize that the new
> payload is the same as the original one, then the attack as George
> described it will not work.
> 

The attack takes place when you have a (Forward)(SURB)(message) series of 
messages. The attacker tags the (SURB) part, but the message is always 
rendered in clear (without the fix), because it has been decrypted by the 
keys in the (Forward) block. If the payload is not dependent on the (SURB) 
part then it will appear the same at the crossover points, if it is 
resent, after the first message is tagged (and destroyed).

Am I missing something?

> But I have the funny feeling that some other similar attack will work.

Yours,

George