How to break the direct RSA-implementation of mixes

Abstract

MIXes are a means of untraceable communication based on a public key cryptosystem, as published by David Chaum in 1981 (CACM 24/2, 84-88) (=[6]). In the case where RSA is used as this cryptosystem directly, i.e. without composition with other functions (e.g. destroying the multiplicative structure), we show how the resulting MIXes can be broken by an active attack which is perfectly feasible in a typical MIX-environment. The attack does not affect the idea of MIXes as a whole: if the security requirements of [6] are concretized suitably and if a cryptosystem fulfils them, one can implement secure MIXes directly. However, it shows that present security notions for public key cryptosystems, which do not allow active attacks, do not suffice for a cryptosystem which is used to implement MIXes directly. We also warn of the same attack and others on further possible implementations of MIXes, and we mention several implementations which are not broken by any attack we know.