A technique based on public key cryptography is presented that allows an electronic mail system to hide who a participant communicates with as well as the content of the communication, even with an unsecured underlying telecommunication system. The technique does not require a universally trusted authority. One correspondent can remain anonymous to another while allowing the second to respond via an untraceable return address. The technique can also be used to form rosters of untraceable digital pseudonyms. Applicants retain the ability to form digital signatures corresponding to their pseudonyms. Elections can be conducted with anonymously mailed ballots signed with pseudonyms from a roster of registered voters. An individual can correspond with a record-keeping organization under a unique pseudonym that appears in a roster of acceptable clients. The paper introduces a solution to the traffic analysis problem using public key cryptography. Unlike Baran's solution, which requires trust in a common authority, the proposed system can be compromised only by subversion or conspiracy of all authorities. The system uses a mix to process mail, hiding correspondences between input and output. The mix ensures that no item is processed more than once and hides the order of arrival by outputting uniformly sized items in lexicographically ordered batches. A cascade of mixes provides secrecy for the entire cascade. Return addresses allow a recipient to respond to a sender while keeping the sender's identity secret. Digital pseudonyms are used to create rosters of untraceable identities, allowing for anonymous communication and verification. The paper also discusses general purpose mail systems, where messages pass through a cascade of mixes to ensure anonymity. A new type of mix is introduced that allows messages to be processed through a sequence of mixes, hiding the number and identity of mixes, allowing incrimination of a faulty mix, and treating regular mail and untraceable return addresses equally. The mix operates by removing the first block and adding a random block, then decrypting the removed block and encrypting the remaining blocks. The system ensures that messages are anonymous and secure, with the ability to verify the receipt of messages through certified mail. The paper concludes that the proposed solution allows for secure and anonymous communication, providing new methods for limited anonymity.A technique based on public key cryptography is presented that allows an electronic mail system to hide who a participant communicates with as well as the content of the communication, even with an unsecured underlying telecommunication system. The technique does not require a universally trusted authority. One correspondent can remain anonymous to another while allowing the second to respond via an untraceable return address. The technique can also be used to form rosters of untraceable digital pseudonyms. Applicants retain the ability to form digital signatures corresponding to their pseudonyms. Elections can be conducted with anonymously mailed ballots signed with pseudonyms from a roster of registered voters. An individual can correspond with a record-keeping organization under a unique pseudonym that appears in a roster of acceptable clients. The paper introduces a solution to the traffic analysis problem using public key cryptography. Unlike Baran's solution, which requires trust in a common authority, the proposed system can be compromised only by subversion or conspiracy of all authorities. The system uses a mix to process mail, hiding correspondences between input and output. The mix ensures that no item is processed more than once and hides the order of arrival by outputting uniformly sized items in lexicographically ordered batches. A cascade of mixes provides secrecy for the entire cascade. Return addresses allow a recipient to respond to a sender while keeping the sender's identity secret. Digital pseudonyms are used to create rosters of untraceable identities, allowing for anonymous communication and verification. The paper also discusses general purpose mail systems, where messages pass through a cascade of mixes to ensure anonymity. A new type of mix is introduced that allows messages to be processed through a sequence of mixes, hiding the number and identity of mixes, allowing incrimination of a faulty mix, and treating regular mail and untraceable return addresses equally. The mix operates by removing the first block and adding a random block, then decrypting the removed block and encrypting the remaining blocks. The system ensures that messages are anonymous and secure, with the ability to verify the receipt of messages through certified mail. The paper concludes that the proposed solution allows for secure and anonymous communication, providing new methods for limited anonymity.