There may be elements of an interesting specialized anonymizer scheme below. The notion is that an informant wants to anonymously notify the police of criminal activity. A two-way channel between the police and the informant is to be maintained until an arrest, whereupon the channel is to be irrevocably expunged to thwart subpoena of the information defining the channel and the informant. The police do not know the informant and the informant does not know the police officer. We pursue in this version the idea that the channel between the anonymizer and the police officer is encrypted in a way that provides forward secrecy.
The informant contacts the anonymizer, which thus learns the Informant Address (IA), which is information sufficient to contact the informant. The anonymizer creates random data R of the same size as IA, allocates a new serial number for the informant, and sends (R⊕IA, serial number, initial message) to the police department. It also asks the informant to remember the serial number. The serial number is different from every other serial number among the tuples kept by the anonymizer. A pseudonym chosen by the informant might be used in place of a serial number. The anonymizer generates and stores the tuple (serial number, police department code, R). The anonymizer expunges all other memory of this transaction, in particular IA. When the police need to contact the informant they send (message, R⊕IA, serial number) to the anonymizer. The anonymizer computes IA = R⊕(R⊕IA), relays the message, and quickly expunges IA again. If the informant initiates another message he must remember and provide his serial number to the anonymizer.
Sending R⊕IA in messages is a problem. It must go only through forgetful channels. We need ‘forward anonymity’.
I imagine in this version a simple PDA-size unit that communicates via SMS. We propose to transmit and hold the R⊕IA values only in these units. The unit networks directly only with other such units over SMS. The unit shows short messages such as those from an informant. Its protocol expunges any message that it successfully transfers to another unit, or at least the R⊕IA portion of any message. There is a two-phase commit issue to get right here. The message is thus like an uncopyable piece of paper. Perhaps it is allowable to copy the message but not the value of R⊕IA. The anonymizer is in the network of these units. A new message is sent to a unit at the relevant police department and then to the assigned officer’s unit. Then the officer’s unit has the only persistent copy of R⊕IA. The officer can delete R⊕IA, whereupon IA is permanently lost.
When an arrest is made based on information from the informant, the police officer deletes the R⊕IA information. The contact information for the informant, IA, cannot be recreated!
There is the following vulnerability. A wiretapper captures a transmission of R⊕IA from the anonymizer to the police department or from the department to the officer’s unit. To avoid this vulnerability, inter-unit messages are encrypted under a key whose management we have not yet described. Call it the transmission crypto key (TCK). Such communications are all encrypted with a pairwise symmetric key over a pre-established symmetric graph of units. Such a key is shared between just two units. If the TCK were subpoenaed, then the stored encrypted message could be decrypted, revealing R⊕IA, which together with the R probably kept by the anonymizer reveals IA.
Here is a tentative solution that seems to work, but it should be vetted by an expert. As each message that includes R⊕IA is transmitted between units, each unit immediately replaces its TCK with a secure hash of the TCK, that is, TCK ← SHA(TCK). The key that protected the captured ciphertext then no longer exists on either unit.
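The masking of IA with R and the TCK hash ratchet, as an added worked example that is not part of the original note. It assumes SHA-256 for the hash, a simple SHA-256 counter-mode keystream as a stand-in for the unspecified pairwise cipher, and a constructed sample IA; the final check shows that once both units have ratcheted, the captured ciphertext plus the anonymizer's stored R no longer yields IA.

```python
import hashlib
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, n: int) -> bytes:   # stand-in cipher: SHA-256 counter mode (assumption)
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def ratchet(tck: bytes) -> bytes:
    return hashlib.sha256(tck).digest()    # TCK <- SHA(TCK); the old key is gone

class Anonymizer:
    def __init__(self):
        self.table = {}   # serial -> (police dept. code, R); IA is never stored

    def register(self, ia: bytes, dept: str):
        serial, r = len(self.table) + 1, secrets.token_bytes(len(ia))
        self.table[serial] = (dept, r)
        return xor(r, ia), serial          # R xor IA travels with the message

    def unmask(self, masked: bytes, serial: int) -> bytes:
        return xor(self.table[serial][1], masked)   # IA = R xor (R xor IA)

class Unit:
    def __init__(self, tck: bytes):
        self.tck = tck                     # pairwise key shared with one peer

    def send(self, masked: bytes) -> bytes:
        ct = xor(masked, keystream(self.tck, len(masked)))
        self.tck = ratchet(self.tck)       # forget the key that protected ct
        return ct

    def receive(self, ct: bytes) -> bytes:
        masked = xor(ct, keystream(self.tck, len(ct)))
        self.tck = ratchet(self.tck)
        return masked

def run(ia: bytes = b"+1-555-0100") -> dict:   # constructed sample IA
    anon = Anonymizer()
    masked, serial = anon.register(ia, "dept-7")
    tck = secrets.token_bytes(32)
    anon_unit, officer_unit = Unit(tck), Unit(tck)
    ct = anon_unit.send(masked)            # what a wiretapper could capture
    held = officer_unit.receive(ct)        # the only persistent copy of R xor IA
    relayed = anon.unmask(held, serial)    # used to relay a message, then dropped
    # Later subpoena: the units' current TCKs plus the stored R do not recover IA from ct.
    late = xor(xor(ct, keystream(officer_unit.tck, len(ct))), anon.table[serial][1])
    return {"relayed": relayed, "late": late, "keys_match": anon_unit.tck == officer_unit.tck}
```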
SMS could be augmented by e-mail or WiFi plus dynamic DNS.
This article relates ideas of a similar nature. Absent there is the notion of a signal to expunge the origin information.