[messaging] Message delivery and revocation in Pond etc

Trevor Perrin trevp at trevp.net
Tue Apr 1 15:17:06 PDT 2014

On Mon, Mar 31, 2014 at 12:11 PM, Ximin Luo <infinity0 at pwned.gg> wrote:
> On 30/03/14 17:31, Trevor Perrin wrote:
>>  * The server's storage of used values is unlimited over time, but
>> grows at a small rate, and could possibly be scoped by introducing
>> more complexity (e.g. rotating epochs).
> Instead of storing used tokens, you could store *unused* tokens and delete used tokens. To authorize a sender, the server checks to see if their token is *in* its store, then deletes it if successful. To revoke, Bob tells the server Alice's tokens as before, but now the server deletes them instead of storing them.

That's interesting.  It solves the "unbounded storage" problem, but it
also means Bob can't just share a MAC key with his server, he has to
tell it in advance about all the one-time signing keys he's

And if Bob isn't careful, the rate at which he publishes new keys to
his server might reveal new contacts, or the rate at which contacts
are sending to him.


> In summary, to achieve "Bob's server can't recognize messages from the same sender" we have two broad options:
> - every message looks to be from the same sender (group sigs)
> - every message looks to be from a new sender (send auth-tokens)
> From a not-too-deep think through, I'm not sure there are other options.

Note that just sending unique auth-tokens alongside the message isn't
enough, I think the tokens need to be public-key signatures over the
message, so that the mailbox server can't make it appear that a
contact is spamming you by associating junk messages with valid
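
A small model of the unused-token store and the "signature over the message" requirement discussed above, as an added example rather than code from the thread or from Pond. It assumes a Lamport hash-based one-time signature as a stand-in for the one-time signing keys (my choice, not a scheme the thread names), so the server holds only public keys and can neither replay a consumed key nor attach junk to an unused one.

```python
import hashlib
import os

def H(b):
    return hashlib.sha256(b).digest()

def ots_keygen():
    # Lamport one-time key: 256 pairs of random secrets; public key = their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = tuple((H(a), H(b)) for a, b in sk)
    return sk, pk

def ots_sign(sk, msg):
    # For each bit of H(msg), reveal the matching secret of that pair
    d = int.from_bytes(H(msg), "big")
    return tuple(sk[i][(d >> (255 - i)) & 1] for i in range(256))

def ots_verify(pk, msg, sig):
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))

class MailboxServer:
    """Bob's server keeps only the *unused* one-time public keys Bob has published."""
    def __init__(self):
        self.unused = set()
        self.inbox = []
    def publish(self, pk):            # Bob registers a contact's key in advance
        self.unused.add(pk)
    def deliver(self, pk, msg, sig):  # sender presents key + signature over msg
        if pk not in self.unused or not ots_verify(pk, msg, sig):
            return False
        self.unused.discard(pk)       # consumed: any further use of this key is refused
        self.inbox.append(msg)
        return True
    def revoke(self, pks):            # Bob names a contact's remaining keys; server drops them
        self.unused.difference_update(pks)

def demo():
    server = MailboxServer()
    (sk0, pk0), (sk1, pk1) = ots_keygen(), ots_keygen()  # constructed: Alice's two keys
    server.publish(pk0)
    server.publish(pk1)
    sig0 = ots_sign(sk0, b"hi bob")
    ok = server.deliver(pk0, b"hi bob", sig0)
    replay = server.deliver(pk0, b"hi bob", sig0)         # key already consumed
    forged = server.deliver(pk1, b"spam", sig0)           # junk under an unused key fails
    server.revoke([pk1])
    revoked = server.deliver(pk1, b"later", ots_sign(sk1, b"later"))
    return ok, replay, forged, revoked, len(server.unused)
```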

