<p dir="ltr">> By Pond's approach, I think you mean recipients hand out one-time<br>
> delivery tokens to their senders, so their mailbox can accept messages<br>
> or blacklist senders without learning the sender?</p>
<p dir="ltr">Taking this opportunity to discuss a slight modification to the status-quo at the expense of "forward anonymity".</p>
<p dir="ltr">Ponds approach is to generate X private keys and a HMAC of the associated public keys. The sender is given both sets, the receiving server gets the key to the HMAC.</p>
<p dir="ltr">The slight modification is to generate the private keys by chaining a hash (only works for things like most ECC where a private key can be created from a hash). So from the initial key x, the next key is H(x) with some implementation specific padding for domain separation.</p>
<p dir="ltr">The advantages are a reduction in the token transfer size by up to half (assuming 256bit private and 256bit HMAC), and savings in revocation - you send the next private key to the server and it can revoke all remaining keys (with the option for a TMTO).</p>
<p dir="ltr">I don't think this reduces privacy anymore than sending a batch of HMACs to revoke. But it has storage savings for all three parties.</p>