[messaging] Replacing group signatures with HMAC in Pond.

Joseph Bonneau jbonneau at gmail.com
Wed May 28 11:54:01 PDT 2014

On Wed, May 28, 2014 at 2:24 PM, Trevor Perrin <trevp at trevp.net> wrote:
> You'd want to hand out serial #s randomly, so the server's bitmask
> would need to be sized to MAX number of messages that a user can
> receive.  Not sure if that's a win spacewise vs storing 100 or 64 bits
> for each actual message.

You hand out serial #s randomly from your pool, but I don't think they need
to be random serial numbers from a 64-bit space. You can generate say 2^20
key pairs with sequential serial numbers. Every time you hand some out to
contacts, you pick a random set from those you haven't handed out yet. This
enables the bitmap representation. Is there a flaw with that I'm missing?

Eventually, if you run out, you get into the HMAC update process you
described; this happens either way.
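
The bitmap bookkeeping discussed in this message, as an added sketch that is not part of the original post and is not Pond's code. All class and function names are hypothetical, the key pairs themselves are left out, and it assumes the server's bitmask simply records which serial numbers have already been used.

```python
import secrets

POOL_SIZE = 2 ** 20  # pool size suggested in the message

class SerialPool:
    """Recipient side: sequential serials, handed out in random order."""
    def __init__(self, size=POOL_SIZE):
        self._unissued = list(range(size))
        self._rng = secrets.SystemRandom()

    def hand_out(self, count):
        """Pick `count` random serials from those not handed out yet."""
        pool = self._unissued
        if count > len(pool):
            raise ValueError("pool exhausted: a fresh pool is needed")
        picked = []
        for _ in range(count):
            # Swap a random entry to the end and pop it: O(1) per serial.
            i = self._rng.randrange(len(pool))
            pool[i], pool[-1] = pool[-1], pool[i]
            picked.append(pool.pop())
        return picked

class ServerBitmap:
    """Server side: one bit per serial number in the pool."""
    def __init__(self, size=POOL_SIZE):
        self.size = size
        self._bits = bytearray((size + 7) // 8)

    def accept(self, serial):
        """True on first use; False if reused or outside the pool."""
        if not isinstance(serial, int) or not 0 <= serial < self.size:
            return False
        byte, mask = serial >> 3, 1 << (serial & 7)
        if self._bits[byte] & mask:
            return False
        self._bits[byte] |= mask
        return True

    def storage_bytes(self):
        return len(self._bits)

def per_message_storage_bytes(messages, bits_per_serial=64):
    """Cost of storing every used serial explicitly instead of a bitmap."""
    return messages * bits_per_serial // 8
```

With these numbers the bitmap costs a fixed 128 KiB per pool, which equals the cost of storing 16,384 used serials at 64 bits each; below that message count the per-message list is smaller.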