J. Cryptology 1(1), 1988, pp. 65-75.

Unconditional Sender and Recipient Untraceability

**David Chaum**

Centre for Mathematics and Computer Science, Kruislan 413, 1098 SJ Amsterdam, The Netherlands

Abstract. Keeping confidential who sends which messages, in a world where any physical transmission can be traced to its origin, seems impossible. The solution presented here is unconditionally or cryptographically secure, depending on whether it is based on one-time-use keys or on public keys, respectively. It can be adapted to address efficiently a wide variety of practical considerations.

Key words. Untraceability, Unconditional Security, Pseudonymity.

Each cryptographer flips an unbiased coin behind his menu, between him andthe cryptographer on his right, so that only the two of them can see theoutcome. Each cryptographer then states aloud whether the two coins he cansee--the one he flipped and the one his left-hand neighbor flipped--fell onthe same side or on different sides. If one of the cryptographers is thepayer, he states the opposite of what he sees. An odd number of differencesuttered at the table indicates that a cryptographer is paying; an even numberindicates that NSA is paying (assuming that the dinner was paid for only once).Yet if a cryptographer is paying, neither of the other two learns anythingfrom the utterances about which cryptographer it is.

To see why the protocol is unconditionally secure if carried out faithfully,consider the dilemma of a cryptographer who is not the payer and wishes tofind out which cryptographer is. (If NSA pays, there is no anonymity problem.)There are two cases. In case (1) the two coins he sees are the same, one ofthe other cryptographers said "different," and the other one said "same." Ifthe hidden outcome was the same as the two outcomes he sees, the cryptographerwho said "different" is the payer; if the outcome was different, the one whosaid "same" is the payer. But since the hidden coin is fair, both possibilitiesare equally likely. In case (2) the coins he sees are different; if bothother cryptographers said "different," then the payer is closest to the cointhat is the same as the hidden coin; if both said "same," then the payer isclosest to the coin that differs from the hidden coin. Thus, in each subcase, anonpaying cryptographer learns nothing about which of the other two is paying.

The cryptographers become intrigued with the ability to make messages publicuntraceably. They devise a way to do this at the table for a statement ofarbitrary length: the basic protocol is repeated over and over; when onecryptographer wishes to make a message public, he merely begins inverting hisstatements in those rounds corresponding to 1's in a binary coded version ofhis message. If he notices that his message would collide with some othermessage, he may for example wait a number of rounds chosen at random from asuitable distribution before trying to transmit again.

Other generalizations are also considered during dinner. The underlyingassumptions are first made explicit, including modeling key-sharingarrangements as graphs. Next, the model is illustrated with some simpleexamples. The potential for cooperations of participants to violate thesecurity of others is then looked at. Finally, a proof of security based onsystems of linear equations is given.

The remaining information about the system may be described as: (a) who shares keys with whom; and (b) what each participant outputs during each round (the modulo two sum of that participant's keys and inversion). This information neednot be secret to ensure untraceability. If it is publicly known and agreed,it allows various extensions discussed in Sections 2.5 and 2.6. The sum of all the outputs will, of course, usually become known to all participants.

In the terminology of graphs, each participant corresponds to a vertex and each key corresponds to an edge. An edge is incident on the vertices corresponding to the pair of participants that shares the corresponding key. From here on, the graph and dinner-table terminologies will be used interchangeably. Also, without loss of generality, it will be assumed that the graph is connected (i.e., that a path exists between every pair of vertices), since each connected component (i.e., each maximal connected subgraph) could be considered a separate untraceable-sender system.

An anonymity set seen by a set of keys is the set of vertices in a connected component of the graph formed from the original graph by removing the edges concerned. Thus a set of keys sees one anonymity set for each connected partition induced by removing the keys. The main theorem of Section 1.4 is essentially that those having only the public information and a set of keys seeing some anonymity set can learn nothing about the members of that anonymity set except the overall parity of their inversions. Thus, for example, any two participants connected by at least one chain of keys unknown to an observer are both in the same anonymity set seen by the observer's keys, and the observer gains nothing that would help distinguish between their messages.

If all other participants cooperate fully against one, of course no protocolcan keep that singleton's messages untraceable, since untraceability existsonly among a set of possible actors, and if the set has only one member, itsmessages are traceable. For similar reasons, if a participant believes thatsome subset of other participants will fully cooperate against him, there isno need for him to have keys in common with them.

A biconnected graph (i.e., a graph with at least two vertex-disjoint pathsbetween every pair of vertices) has no cut-vertices (i.e., a single vertexwhose removal partitions the graph into disjoint subgraphs). In such a graph,the set of edges incident on a vertex v sees (apart from v) one anonymity setcontaining all other vertices, since there is a path not containing v betweenevery pair of vertices, and thus they form a connected subgraph excluding v;each participant acting alone learns nothing about the contribution of otherparticipants.

Consider collusion in a complete graph. A vertex is only seen as a singleton anonymity set by the collection of all edges incident on it; all other participants must supply the key they share with a participant in order to determine that participant's inversions. But since a collusion of all but one participant can always trace that participant merely by pooling its members' inversions as already mentioned, it gains nothing more by pooling its keys. The nonsingleton anonymity set seen by all edges incident on a colluding set of vertices in a complete graph is the set of all other vertices; again, a collusion yields nothing more from pooling all its keys than from pooling all its inversions.

Now consider noncomplete graphs. A full collusion is a subset of participants pooling all of their keys. The pooled keys see each colluder as a singleton anonymity set; the colluders completely sacrifice the untraceability of their own messages. If a full collusion includes a cut- set of vertices (i.e., one whose removal partitions the graph), the collusion becomes nontrivial because it can learn something about the origin of messages originating outside the collusion; the noncolluding vertices are partitioned into disjoint subgraphs, which are the anonymity sets seen by the pooled keys.

Members of a partial collusion pool some but not all of their keys. Unlike themembers of a full collusion, each member of a partial collusion in general hasa different set of keys. For it to be nontrivial, a partial collusion's pooledkeys must include the bridges or separating edges of a segregation orsplitting of the graph (i.e., those edges whose removal would partition thegraph). Settings are easily constructed in which the pooled keys see anonymitysets that partition the graph and yet leave each colluder in a nonsingletonpartition seen by any other participant. Thus, colluders can join a collusionwithout having to make themselves completely traceable to the collusion'sother members.

Informally, what remains to be shown is that the only thing the collusion learns about the members of C is the parity sum of their inversions. This is intuitively apparent, since the inversions of the members of C are each in effect hidden from the collusion by one or more unknown key bits, and only the parity of the sum of these key bits is known (to be zero). Thus the inversions are hidden by a one-time pad, and only their parity is revealed, because only the parity of the pad is known.

The setting is formalized as follows: the connected component C is comprised of rn vertices and n edges. The incidence matrix M of C is defined as usual, with the vertices labeling the rows and the edges labeling the columns. Let K, I, and A be stochastic variables defined on GF(2)^n, GF(2)^m, and GF(2)^m, respectively, such that K is uniformly distributed over GF(2)^n, K and I are mutually independent, and A = (MK) cross I. In terms of the protocol, K comprises the keys corresponding to the edges, I consists of the inversions corresponding to the vertices, and A is formed by the outputs of the vertices. Notice that the parity of A (i.e., the modulo two sum of its components) is always equal to the parity of I, since the columns of M each have zero parity. The desired result is essentially that A reveals no more information about Ithan the parity of 1. More formally:

Theorem. Let a be in GF(2)^n. For each i in GF(2)^n, which is assumed by I with nonzero probability and which has the same parity as a, the conditional probability that A = a given that I = i is 2^(1 - m). Hence, the conditional probability that I = i given that A = a is the a priori probability that I = i.

Proof. Let i be an element of GF(2)^n have the same parity as a. Consider the system of linear equations (MK) cross i = a, in k an element of GF(2)^n. Since the columns of M each have even parity, as mentioned above, its rows are linearly dependent over GF(2)^m. But as a consequence of the connectedness of the graph, every proper subset of rows of M is linearly independent. Thus, the rank of M is m - 1, and so each vector with zero parity can be written as a linear combination of the columns of M. This implies that the system is solvable because i cross a has even parity. Since the set of n column vectors of M has rank m - 1, the system has exactly 2^(n - m + 1) solutions.

Together with the fact that K and I are mutually independent and that K is uniformly distributed, the theorem follows easily.

Another possibility is for a pair to establish a short key and use acryptographic pseudorandom-sequence generator to expand it as needed. Ofcourse this system might be broken if the generator were broken. Cryptanalysismay be made more difficult, however, by lack of access to the output ofindividual generators. Even when the cryptographers do not exchange keys atdinner, they can safely do so later using a public-key distribution system(first proposed by [4] and [3]).

Communication systems based on simple cycles, called rings, are common inlocal area networks. In a typical ring, each node receives each bit and passes it round-robin to the next node. This technology is readily adapted to the present protocols. Consider a single-bit message like the "I paid" message originally sent at the dinner table. Each participant exclusive-or's the bit he receives with his own output before forwarding it to the next participant. When the bit has traveled full circle, it is the exclusive-or sum of all the participants' outputs, which is the desired result of the protocol. To provide these messages to all participants, each bit is sent around a second time by the participant at the end of the loop.

Such an adapted ring requires, on average, a fourfold increase in bandwidth over the obvious traceable protocols in which messages travel only halfway around on average before being taken off the ring by their recipients. Rings differ from the dinner table in that several bit- transmission delays may be required before all the outputs of a particular round are known to all participants; collisions are detected only after such delays.

Efficient use of many other practical communication techniques requires participants to group output bits into blocks. For example, in high-capacity broadcast systems, such as those based on coaxial cable, surface radio, or satellites, more efficient use of channel capacity is obtained by grouping a participant's contribution into a block about the size of a single message (see, e.g., [5]). Use of such communication techniques could require an increase in bandwidth on the order of the number of participants.

In a network with one message per block, the well-known contention protocols can be used: time is divided evenly into frames; a participant transmits a block during one frame; if the block was garbled by collision (presumably with another transmitted block), the participant waits a number of frameschosen at random from some distribution before attempting to retransmit; theparticipants' waiting intervals may be adjusted on the basis of the collisionrate and possibly of other heuristics [5].

In a network with many messages per block, a first block may be used byvarious anonymous senders to request a "slot reservation" in a second block.A simple scheme would be for each anonymous sender to invert one randomlyselected bit in the first block for each slot they wish to reserve in thesecond block. After the result of the first block becomes known, theparticipant who caused the ith 1 bit in the first block sends in the ithslot of the second block.

A different topology assumes the existence of a subset of participants who each participant believes are sufficiently unlikely to collude, such as participants with conflicting interests. This subset constitutes a fully connected subgraph, and the other participants each share a key with every member of it. Every participant is then untraceable among all the others, unless all members of the completely connected subset cooperate. (Such a situation is mentioned again in Section 3.)

If many people wish to participate in an untraceable communication system, hierarchical arrangements may offer further economy of keys. Consider an example in which a representative from each local fully connected subgraph is also a member of the fully connected central subgraph. The nonrepresentative members of a local subgraph provide the sum of their outputs to their representative. Representatives would then add their own contributions before providing the sum to the central subgraph. Only a local subgraph's representative, or a collusion of representatives from all other local subgraphs, can recognize messages as coming from the local subgraph. A collusion comprising the representative and all but one nonrepresentative member of a local subgraph is needed for messages to be recognized as coming from the remaining member.

A cryptographer can ensure the secrecy of an anonymous message by encrypting the message with the intended recipient's public key. (The message should include a hundred or so random bits to foil attempts to confirm a guess at its content [1].) The sender can even keep the identity of the intended recipient secret by leaving it to each recipient to try to decrypt every message. Alternatively, a prearranged prefix could be attached to each message so that the recipient need only decrypt messages with recognized prefixes. To keep even the multiplicity of a prefix's use from being revealed, a different prefix might be used each time. New prefixes could be agreed in advance, generated cryptographically as needed, or supplied in earlier messages.

Authentication is also quite useful in systems without identification. Even though the messages are untraceable, they might still bear digital signatures corresponding to public-key "digital pseudonyms" [1]; only the untraceable owner of such a pseudonym would be able to sign subsequent messages with it. Secure payment protocols have elsewhere been proposed in which the payer and/or the payee might be untraceable [2]. Other protocols have been proposed that allow individuals known only by pseudonyms to transfer securely information about themselves between organizations [2]. All these systems require solutions to the sender untraceability problem, such as the solution presented here, if they are to protect the unlinkability of pseudonyms used to conduct transactions from home.

The first requirement has already been mentioned in Section 1.1, where it was said that this information need not be secret; now it is required that this information actually be made known to all participants and that the participants agree on it.

The second requirement is in part that disrupters be unable (at least with some significant probability) to change their output after hearing other participants' outputs. Some actual channels would automatically ensure this, such as broadcast systems in which all broadcasts are made simultaneously on different frequencies. The remainder of the second requirement, that the outputs be publicly agreed on, might also be met by broadcasting. Having only channels that do not provide it automatically, an effective way to meet the full second requirement would be for participants to "commit" to their outputs before making them. One way to do this is for participants to make public and agree on some (possibly compressing and hierarchical, see Section 2.6) one-way function of their outputs, before the outputs are made public. The third requirement is that at least some rounds can be contested (i.e., that all inversions can be made public) without compromising the untraceability of non-disrupting senders. The feasibility of this will be demonstrated here by a simple example protocol based on the slot reservation technique already described in Section 2.2.

Suppose that each participant is always to make a single reservation in each reserving block, whether or not he actually intends to send a message. (Notice that, because of the "birthday paradox," the number of bits per reserving block must be quadratic in the number of participants.) A disrupted reserving block would then with very high probability have Hamming weight unequal to the number of participants. All bits of such a disrupted reserving block could be contested without loss of untraceability for nondisrupters.The reserved blocks can also be made to have such safely contestable bits if participants send trap messages. To lay a trap, a participant first chooses the index of a bit in some reserving block, a random message, and a secret key. Then the trapper makes public an encryption, using the secret key, of both the bit index andthe random message. Later, the trapper reserves by inverting in the round corresponding to the bit index, and sends the random message in the resultingreserved slot. If a disrupter is unlucky enough to have damaged a trap message, then release of the secret key by the trapper would cause at least one bit of the reserved slot to be contested.

With the three requirements satisfied, it remains to be shown how if enough disrupted rounds are contested, the disrupters will be excluded from the network.

Consider first the case of a single participant's mail computer disrupting the network. If it tells the truth about contested key bits it shares (or lies about an even number of bits), the disrupter implicates itself, because its contribution to the sum is unequal to the sum of these bits (apart from any allowed inversion). If, on the other hand, the single disrupter lies about some odd number of shared bits, the values it claims will differ from those claimed for the same shared bits by the other participants sharing them. The disrupter thereby casts suspicion on all participants, including itself, that share the disputed bits. (It may be difficult for a disrupter to cast substantial suspicion on a large set of participants, since all the disputed bits will be in common with the disrupter.) Notice, however, that participants who have been falsely accused will know that they have been--and by whom--and should at least refuse to share bits with the disrupter in the future.

Even with colluding multiple disrupters, at least one inversion must be revealed as illegitimate or at least one key bit disputed, since the parity of the outputs does not correspond to the number of legitimate inversions. The result of such a contested round will be the removal of at least one edgeor at least one vertex from the agreed graph. Thus, if every disruptive action has a nonzero probability of being contested, only a bounded amount of disruption is possible before the disrupters share no keys with anyone in the network, or before they are revealed, and are in either case excluded from the network.

The extension presented next can demonstrate the true value of disputed bits, and hence allows direct incrimination of disrupters.

Antisocial use of a network can be deterred if the cooperation of most participants makes it possible, albeit expensive, to trace any message. If, for example, a threatening message is sent, a court might order all participants to reveal their shared key bits for a round of the message. The sender of the offending message might try to spread the blame, however, by lying about some odd number of shared bits. Digital signatures can be used to stop such blame-spreading altogether.

In principle, each party sharing a key could insist on a signature, made by the other party sharing, for the value of each shared bit. Such signatures would allow for contested rounds to be fully resolved, for accused senders to exonerate themselves, and even for colluders to convince each other that they are pooling true keys. Unfortunately, cooperating participants able to trace a message to its sender could convince others of the message's origin by revealing the sender's own signatures. A variation can prevent a participant's signatures from being used against him in this way: instead of each member of a pair of participants signing the same shared key bit, each signs a separate bit, such that the sum of the signed bits is the actualshared keybit. Signatures on such "split" key bits would still be useful in resolving contested rounds, since if one contester of a bit shows a signature made by the second contester, then the second would have to reveal the corresponding signature made by the first or be thought to be a disrupter.

In many applications it may be impractical to obtain a separate signature on every key bit or split key bit. The overhead involved could be greatly reduced, however, by digitally signing cryptographic compressions of large numbers of key bits. This might of course require that a whole block of key bits be exposed in showing a signature, but such blocks could be padded with cryptographically generated pseudorandom (or truly random) bits, to allow the exposure of fewer bits per signature. The number of bits and amount of time required to verify a signature for a single bit can be reduced further by using a rooted tree in which each node is the one-way compression function of all its direct descendants; only a digital signature of each participant's root need be agreed on before use of the keys comprising the leaves.

There is another multiparty-secure sender-untraceability protocol in theliterature [1]. To facilitate comparison, it will be called a mix-net here,while the protocol of the present work is called a dc-net. The mix-netapproach relies on the security of a true public-key system (and possiblyalso of a conventional cryptosystem), and is thus at best computationallysecure; the dc-net approach can use unconditional secrecy channels to providean unconditionally secure untraceable-sender system, or can use public-keydistribution to provide a computationally secure system (as described inSection 2.1).

Under some trust assumptions and channel limitations, however, mix-nets canoperate where dc-nets cannot. Suppose that a subset of participants is trustedby every other participant not to collude and that the bandwidth of at leastsome participants' channels to the trusted subset is incapable of handling thetotal message traffic. Then mix-nets may operate quite satisfactorily, butdc-nets will be unable to protect fully each participant's untraceability.Mix-nets can also provide recipient untraceability in this communicationenvironment, even though there is insufficient bandwidth for use of thebroadcast approach (mentioned in Section 2.4).

If optimal protection against collusion is to be provided and thecrypto-security of mix-nets is acceptable, a choice between mix-nets anddc-nets may depend on the nature of the traffic. With a mail-like systemthat requires only periodic deliveries, and where the average number ofmessages per interval is relatively large, mix-nets may be suitable. Whenmessages must be delivered continually and there is no time for batchinglarge numbers of them, dc-nets appear preferable.

This solution to the dining cryptographers problem demonstrates thatunconditional secrecy channels can be used to construct an unconditionalsender-untraceability channel. It also shows that a public-key distributionsystem can be used to construct a computationally secure sender-untraceabilitychannel. The approach appears able to satisfy a wide range of practicalconcerns.

I am pleased to thank Jurjen Bos, Gilles Brassard, Jan-Hendrik Evertse, andthe untraceable referees for all their help in revising this article. It isalso a pleasure to thank, as in the original version that was distributed atCrypto 84, Whitfield Diffie, Ron Rivest, and Gus Simmons for some stimulatingdinner-table conversations.

[2] Chaum, D., Security Without Identification: Transaction Systems to MakeBig Brother Obsolete, Communications of the ACM, vol. 28, no. 10, October1985, pp. 1030-1044.

[3] Diffie, W., and Hellman, M.E., New Directions in Cryptography, IEEETransactions on Information Theory, vol. 22, no. 6, November 1976, pp.644-654.

[4] Merkle, R.C., Secure Communication over Insecure Channels, Communicationsof the ACM, vol. 21, no. 4, 1978, pp. 294-299.

[5] Tanenbaum, A.S., Computer Networks, Prentice Hall, Englewood Cliffs,New Jersey, 1981.