Possible chosen-ciphertext attack on receiver anonymity

Brent Waters bwaters at theory.Stanford.EDU
Sat Jul 2 07:00:17 CEST 2005

> A simple way for a client to avoid the attack is by keeeping a list of
> seen session keys; they should be random and thus a duplicated one
> will be suspicious.  It is not really practical to implement such a
> feature.
> In fact the --throw-keyid feature is not intended to hide the keys
> between the set of recipients but to keep the recipients secret for
> outsiders.  Its main use is with anonymous remailers:

Thanks for clarifying that. The context in which I was originally 
interested in this is when there are BCC recipients on encrypted email. In 
this case one wants the semantics that different BCC recipients cannot 
learn of each other. Also, it is not clear that just because two people 
can receieve the same message they should know each others' identities.

> I know that some folks are using the --hidden-encrypt-to feature (to
> hide selected recipients) for their private archive copy of a mail.

More information about the Gnupg-devel mailing list