<p dir="ltr">On 23 Dec 2015 1:16 pm, "Max Skibinsky" <<a href="mailto:max@skibinsky.com">max@skibinsky.com</a>> wrote:<br>
><br>
><br>
> what if Mallory takes tomorrow's timestamps and precalculate 1M<br>
> verify_token and 1M nonces satisfying their POW and then sends them<br>
> within tomorrow timestamp window (which have to be non-zero to allow<br>
> for weaker clients)? or I'm still misunderstanding your schema?</p>
<p dir="ltr">Only the server can calculate the HMAC in the verify_token.</p>
<p dir="ltr">> very interesting! so hpk becomes signing key only, are all encryption<br>
> keys are ephemeral (exchanged as needed under hpk signature?). The<br>
> elegance of this is clear on intuitive level - I'm curious what are<br>
> the formal issues of using same key for auth and encryption and what<br>
> sort of weakness that introduces? (just an RTFM link is fine if<br>
> simpler) I presume that is the reason why Nacl itself uses different<br>
> keys for crypto_box and crypto_sign?</p>
<p dir="ltr">No, I believe the Edwards curve is just more performant. I don't have an article for you unfortunately (and I'm hardly an expert in this field), it just avoids issues where outputs of one process can be used to attack other process.</p>
<p dir="ltr">> I think we are one step away from fully anon messaging. yes, anybody<br>
> can generate [a_pk,a_hpk] at will, yet by itself it's useless. they<br>
> need to receive b_pk from somebody else first to be able to message<br>
> them (and know their hpk). let's say hpk is somehow leaked and that<br>
> hpk is spammed with 1m garbage messages from 1m random hpks. to</p>
<p dir="ltr">It may not be your use case then - I just got the impression from your spec that you wanted jax to be agnostic to the underlying end to end message protocol.</p>
<p dir="ltr">But if you are linking the hpk to message protocol then it seems you want a more integrated solution.</p>
<p dir="ltr">The other approach to spam is Pond's privacy preserving token style. It might be worth considering if you wanted to avoid the server from being able to determine sender-receiver relationships.</p>