Chaum's Unfug

David Chaum and Co-Authors Javani, Kate, Krasnova, de Ruiter and Sherman have published a new paper called "cMix: Anonymization by High-Performance Scalable Mixing" proposing a new cryptographic mix protocol called "cMix" which he plans to implement with "Privategrity". The system aims to provide anonymity to users while also providing law enforcement the means to both identify users and decrypt their messages.

The relevant (prosa) section of the paper reads:

Independent from cMix, PrivaTegrity addresses potential abuse of anonymity services by establishing a trust model that offers a balance of anonymity and accountability. On the one hand, PrivaTegrity aims to provide privacy at a technical level that is not penetrable by nation states. On the other hand, PrivaTegrity aims to provide integrity, both prior restraint and accountability after the fact, that is inescapably tied to individuals. Only if all of the mixing nodes cooperate, can the senders and receivers of messages be linked or identified.

PrivaTegrity implements a new approach to user identification requiring each user to provide a small but different type of identifying information to each mix node. Some nodes may require photos or answers to personal history questions; others may request mobile phone numbers or email addresses. A user reveals comparatively little to any single node, but collectively the nodes possess significant identifying information. Each node can obligate itself contractually to trace and aggregate identifying information only according to a published policy, resulting in accountability and effective identification of users who violate the policy.

I'd say this scheme is Unfug:

• If some third party is able to identify an "anonymous" user, then the user is not anonymous. It doesn't count how much effort a third party would have to put into this. If it IS possible, it's not anonymous. Calling it as such is just a lie.
• If some third party is able to decrypt a message, then the system is not secure. Wether you operate nodes in nine different countries, 190 different countries or even 1 million different planets - if it IS possible, then it's not secure.
• Also something like "accountability" might score high on government wishlists, it has nothing to do with "anonymous communication". This newspeak is only introduced to justify the scheme.
• The whole concept ignores the problems with multiple jurisdictions. Something may be worth a warrant in one country but not in another. So it will be next to impossible to reach a consensus among all admins in most cases. Of course governments will catch this and demand a simple solution: operate all nodes in friendly jurisdictions (say: only in "five eyes countries").
• And, last but not least: how can a user know which node runs in which country? What if all nodes are operated by a state company in turkey? Or what if all nodes are running on the very same system?

So this scheme is nothing else as just another surveillance infrastructure, which is something no cryptographer shall ever propose.

Wired article. Hackernews Thread.