[messaging] Message delivery and revocation in Pond etc

Trevor Perrin trevp at trevp.net
Thu Apr 3 16:06:38 PDT 2014

On Thu, Apr 3, 2014 at 3:36 PM, Michael Rogers <michael at briarproject.org> wrote:
> Hash: SHA256
> On 03/04/14 21:06, Trevor Perrin wrote:
>> In Pond, at least, the mailbox/recipient bandwidth is kept to a
>> low, roughly constant level over time, to resist traffic analysis.
>> Thus the recipient can be temporarily DoS'd by a fairly low volume
>> of messages.  I'm not sure it's feasible to keep the # of
>> outstanding tokens so low as to prevent this.
> If anything that makes it easier. There's already a limit on how many
> messages each contact can send per day, so the mailbox can be
> provisioned to accommodate that many messages.

No, senders contact mailboxes directly (in Pond).  There's no limit to
how much they can send.  It's recipients who maintain a
roughly-constant-rate connection to their own mailbox, which is the
weak link for DoS.

>> My original proposal was for distributing one-time signing keys
>> which would work similarly to your tokens, but with the added
>> property that the signature would be bound to a particular
>> message.
> Yup, I don't see any problem with your original proposal - I'm just
> curious about whether we can do something simpler.

The cost of one-time signing keys (compared to one-time tokens) seems
pretty insignificant to me:

The sender stores (32-byte?) signing keys vs (16 byte?) tokens, and
calculates a signature when sending a message (which are < 16KB in

The receiver calculates a verification upon receiving a message.

The server and receiver could store 16-byte fingerprints of the
one-time public keys, so there's not a storage difference there.

So it seems worthwhile just to do signing keys, and get immediate,
reliable attribution in case of a junk message.


More information about the Messaging mailing list