Chaffing application (was MJ, Carnitine; was Quality)

Lee Daniel Crocker (lcrocker@mercury.colossus.net)
Tue, 31 Mar 1998 00:10:00 -0800 (PST)


> This reminds me of another repressive regime where I had to risk my
> health and career to obtain books from black marketeers.
> (Talk about indifference of transhumanism to politics...)
> Could anybody recommend a serious private discussion groups that deals
> with these topics - or be interested in forming one?

The dangers of such a discussion group are obvious, but one of
the things in Rivest's paper on "Chaffing" stuck with me: the fact
that a third party with no knowledge of keys can do the work
made me wonder if that couldn't be used to do a pseudonymous
remailer like Julf's without the risk of cops subpoenaing your
database--because you have none.

Here's an idea I think would work; would the more cipherpunk
connected among you please evaluate this idea for me?

Let's say we form a discussion group of 50 people. Each of us
uses a standard piece of software to receive mail from the
group and to post mail to it (a Usenet newsreader modified
as described later). The list of addresses for the group is
known publicly (members can use other mail forwarders for
added security if desired). Each time a message is posted
to the group or mailed to another user with this software,
the real return address is stripped, and a new set of headers
is added with, say, 20 return addresses, each accompanied
by a MAC; the "real" one has a MAC using the sender's private
key, and the rest a random one. The MACs are all calculated
using message ID/time so that they don't repeat. The 19
addresses are chosen at random from the group (for even more
security, members can each have more than one address).

When anyone wants to respond privately to a message, he
composes the message and addresses it to all 20 of the names
listed, using their MACs; 20 people receive it, but only the
real author can authenticate eir address; the software
quietly discards the message to the other 19. There is no
central list of keys at the forwarding server; only the
addresses and MACs in each message. There is no way to
tell from the message which of the 20 senders is real, even
for the list manager, yet personal replies are still
possible.

Is this practical/useful? Could it be combined with real
encryption as well without revealing identities (I haven't
thought that far through)?

I suggest using a Usenet system because every message, even
the personal ones, gets sent to many people--in fact the more
people, the more secure. The software on each member's desk
could rotate MAC keys weekly or so, and keep only as much
history as ey felt was safe. That way, even if one message
was compromised, the system as a whole is still safe.

--
Lee Daniel Crocker <lee@piclab.com> <http://www.piclab.com/lcrocker.html>
"All inventions or works of authorship original to me, herein and past,
are placed irrevocably in the public domain, and may be used or modified
for any purpose, without permission, attribution, or notification."--LDC
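
The header construction and recipient-side check described in the message above, as an added example that is not part of the original post. It assumes HMAC-SHA256 as the MAC and a secret key held only by each member; the function names, addresses and message ID are constructed for illustration.

```python
import hashlib
import hmac
import random
import secrets

_rng = random.SystemRandom()  # OS randomness for choosing and ordering decoys

def tag(key: bytes, msg_id: str, addr: str) -> bytes:
    """MAC over message ID and address, so tags never repeat across messages."""
    return hmac.new(key, f"{msg_id}\n{addr}".encode(), hashlib.sha256).digest()

def build_return_headers(sender, key, msg_id, group, n=20):
    """Return n shuffled (address, mac) pairs; only the sender's MAC is genuine."""
    decoys = _rng.sample([a for a in group if a != sender], n - 1)
    pairs = [(sender, tag(key, msg_id, sender))]
    # Decoy MACs are random bytes of the same length as a real tag.
    pairs += [(a, secrets.token_bytes(32)) for a in decoys]
    _rng.shuffle(pairs)  # position must not reveal the real author
    return pairs

def is_mine(my_addr, my_keys, msg_id, pairs):
    """Recipient-side check run by each of the n addressees on a private reply.

    my_keys is the current key plus whatever rotation history the member
    chose to keep; a reply is accepted only if the MAC verifies under one.
    """
    for addr, mac in pairs:
        if addr != my_addr:
            continue
        if any(hmac.compare_digest(mac, tag(k, msg_id, addr)) for k in my_keys):
            return True
    return False  # decoy: the software quietly discards the reply

def demo():
    # Constructed 50-member group with one current key each.
    group = [f"member{i:02d}@example.invalid" for i in range(50)]
    keys = {a: [secrets.token_bytes(32)] for a in group}
    author = group[7]
    msg_id = "<constructed-0001@example.invalid>"
    pairs = build_return_headers(author, keys[author][0], msg_id, group)
    accepted = [a for a, _ in pairs if is_mine(a, keys[a], msg_id, pairs)]
    return author, keys, msg_id, pairs, accepted

if __name__ == "__main__":
    author, _, _, pairs, accepted = demo()
    print(len(pairs), "addressees;", "accepted by:", accepted)
```

Once a member rotates keys and drops the old one from history, replies to eir older messages no longer verify, which is the trade-off behind keeping "only as much history as ey felt was safe".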