how vulnerable is "hidden-encrypt-to"

[Jens Lechtenboerger]

On Mo, Aug 20 2012, vedaal at nym.hush.com wrote:

> On Mon, 20 Aug 2012 09:38:49 -0400 Jens Lechtenboerger 
> <cloudpg at informationelle-selbstbestimmung-im-internet.de> wrote:
>
>> if a message M is encrypted to you and other
>>recipients using RSA, then you are of course able to obtain the
>>session key K.  Now, if you suspect Alice to be a recipient then 
>>you download her public key from a key server and encrypt the session
>>key K under her public key.  If the result matches one of the
>>encrypted session keys contained in M, then Alice is a recipient 
>>of M.
>
> =====
>
> The one sending the message really is in control here ;-)
> The sender can use hidden encrypt to ANY public key.
>
> i.e. if Alice is sending the message and wants to hide her 
> identity,
> nothing prevents her from using throw-keyid with Bob's public key 
> instead of her own, or NIST's, or PGP Corporation's, or any onyone 
> else's.
> [...]

I'm not sure whether I understand you correctly.  If I'm not
mistaken then you are referring to sender anonymity.

In contrast, I interpreted the original question in terms of
recipient anonymity: Bob wants to encrypt a message to some
undisclosed list of recipients (say, including Alice and Eve), and
nobody should be able to figure out who (else) is on the list.
Clearly, the fact whether I can decrypt the message tells me whether
I'm on the list or not; however, I should not be able to learn more
than that.  In particular, I should not be able to identify any
other recipient.

In that situation, my previous posting was meant to suggest that Eve
(if she has access to the public RSA key of Alice used by Bob) will
be able to figure out that the message was also encrypted to Alice.
Thus, hidden-encrypt-to, throw-key-id, and hidden-recipient do not
help here.  I'd be happy to be corrected if I'm missing something,
though...

Best wishes
Jens