[messaging] Message delivery and revocation in Pond etc

Michael Rogers michael at briarproject.org
Thu Apr 3 04:09:24 PDT 2014


On 30/03/14 17:31, Trevor Perrin wrote:
> Bob and his server share an HMAC key k.  Bob distributes to each
> of his contacts a bunch of pairs (x, HMAC(k,y)) where (x,y) are a 
> signature keypair (y=g^x).
> 
> Contacts then send (msg, y, HMAC(k,y), sig(msg, x)) to the server, 
> which records used values of HMAC(k,y) and rejects them in future.

Is crypto needed here? Assuming secure connections between Bob and the
server, and Bob's contacts and the server, Bob could just upload some
random tokens to the server, and hand the same tokens out to his
contacts; each token would be redeemable for delivery of one message.
Bob would know which tokens had been given to which contacts, but the
server wouldn't.

To revoke a contact's access, either (a) remove the contact's tokens
from the server (but this lets the server guess how many contacts you
have based on what fraction of tokens you remove), or (b) stop giving
the contact fresh tokens and allow the outstanding tokens to be spent, or
(c) stop giving the contact fresh tokens, connect to the server
anonymously and spend the outstanding tokens yourself.

Cheers,
Michael
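
The token scheme described in this message, as an added example that is not part of the original post: a server holding single-use delivery tokens, with revocation options (a) and (c). The class and method names, the 16-byte token length and the empty padding message are assumptions made for illustration, and the secure (and, for option (c), anonymous) connections are assumed rather than modelled.

```python
import secrets

class DeliveryServer:
    """Bob's server: holds unspent tokens, never learns which contact has which."""
    def __init__(self):
        self.unspent = set()
        self.inbox = []

    def upload_tokens(self, tokens):
        self.unspent.update(tokens)

    def remove_tokens(self, tokens):
        # Revocation option (a): visible to the server as a batch removal.
        self.unspent.difference_update(tokens)

    def deliver(self, token, msg):
        # Each token is redeemable for delivery of exactly one message.
        if token not in self.unspent:
            return False
        self.unspent.remove(token)
        self.inbox.append(msg)
        return True

class Bob:
    def __init__(self, server):
        self.server = server
        self.issued = {}  # contact -> tokens; only Bob holds this mapping

    def issue(self, contact, n=3):
        tokens = [secrets.token_bytes(16) for _ in range(n)]  # length is an assumption
        self.server.upload_tokens(tokens)
        self.issued.setdefault(contact, []).extend(tokens)
        return tokens

    def revoke_by_spending(self, contact):
        # Revocation option (c): Bob redeems the outstanding tokens himself,
        # so the server only sees ordinary deliveries (empty padding messages).
        return sum(self.server.deliver(t, b"") for t in self.issued.pop(contact, []))

def demo():
    server = DeliveryServer()
    bob = Bob(server)
    alice, mallory = bob.issue("alice"), bob.issue("mallory")
    return {
        "first": server.deliver(alice[0], b"hi"),
        "replay": server.deliver(alice[0], b"hi again"),
        "spent_by_bob": bob.revoke_by_spending("mallory"),
        "after_revoke": server.deliver(mallory[0], b"spam"),
        "alice_still_ok": server.deliver(alice[1], b"second"),
        "unspent_left": len(server.unspent),
    }
```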
