[messaging] Replacing group signatures with HMAC in Pond.

Joseph Bonneau jbonneau at gmail.com
Thu May 29 09:42:05 PDT 2014


On Thu, May 29, 2014 at 9:25 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> Oh I see, with serial numbers the server could at a minimum also track
> them with a blacklist, which would be smaller than a blacklist of MACs
> due to the birthday bound (though I'd expect closer to a 2x difference
> than 5x).  That makes sense, seems like a good optimization.


Yeah, I see now you could push the MAC size (L) down quite a bit from normal
cryptographic use. You could actually beat the birthday bound since they're
all generated at once: you could just throw out any tokens you generate
that collide. That would require more work during generation, but you could
probably get away with 30-bit MACs or so. The adversary would have a 2^-30
chance of forging a MAC, but if that just lets them send one spam mail, that
seems like no big deal.

Serial numbers are still more efficient throughout and would still offer a
nice 10x savings if you need to switch to a bitmap.
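A worked illustration of the token scheme the thread is discussing (an added example, not code from the thread, from Pond, or from either poster): tokens are (serial, HMAC) pairs with the tag truncated to 30 bits; the whole batch is generated at once so any colliding tag is discarded; and the server's spent-token state is kept either as a set of MAC values or as a bitmap indexed by serial, so the two storage costs can be compared directly. The HMAC-SHA256 construction, the 8-byte serial encoding, the class and function names, and the demo key are all assumptions of this example.

```python
"""Short HMAC tokens with serial numbers: collision-free batch issue, verification,
and two server-side spent-token trackers. Added example; assumptions are marked."""
import hashlib
import hmac

# Constructed demo key (assumption): a real server would draw this from os.urandom.
DEMO_KEY = b"demo-token-key-not-for-real-use"
MAC_BITS = 30  # the short tag length the thread floats


def truncated_mac(key: bytes, serial: int, mac_bits: int = MAC_BITS) -> int:
    """HMAC-SHA256 over the 8-byte big-endian serial, keeping the top mac_bits bits."""
    digest = hmac.new(key, serial.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - mac_bits)


def issue_tokens(key: bytes, n: int, mac_bits: int = MAC_BITS) -> list:
    """Generate n (serial, mac) tokens in one batch.

    Because the whole batch is generated at once, any serial whose truncated tag
    collides with an earlier one is skipped, so tag values stay unique even though
    a 30-bit tag is far below the birthday bound for n tokens.
    """
    seen, tokens, serial = set(), [], 0
    while len(tokens) < n:
        mac = truncated_mac(key, serial, mac_bits)
        if mac not in seen:
            seen.add(mac)
            tokens.append((serial, mac))
        serial += 1
    return tokens


def verify_token(key: bytes, serial: int, mac: int, mac_bits: int = MAC_BITS) -> bool:
    """Recompute the tag and compare in constant time. Without the key, a guessed
    tag is accepted with probability 2**-mac_bits."""
    if not 0 <= mac < (1 << mac_bits):
        return False
    width = (mac_bits + 7) // 8
    expected = truncated_mac(key, serial, mac_bits)
    return hmac.compare_digest(expected.to_bytes(width, "big"), mac.to_bytes(width, "big"))


class MacBlacklist:
    """Server remembers every spent tag value: mac_bits of state per *spent* token."""

    def __init__(self, key: bytes, mac_bits: int = MAC_BITS):
        self.key, self.mac_bits, self.spent = key, mac_bits, set()

    def redeem(self, serial: int, mac: int) -> bool:
        if not verify_token(self.key, serial, mac, self.mac_bits) or mac in self.spent:
            return False
        self.spent.add(mac)
        return True

    def storage_bits(self) -> int:
        return len(self.spent) * self.mac_bits


class SerialBitmap:
    """Server keeps one bit per *issued* serial: fixed cost, independent of how many are spent."""

    def __init__(self, key: bytes, max_serial: int, mac_bits: int = MAC_BITS):
        self.key, self.mac_bits = key, mac_bits
        self.n_serials = max_serial + 1
        self.bits = bytearray((self.n_serials + 7) // 8)

    def redeem(self, serial: int, mac: int) -> bool:
        if not 0 <= serial < self.n_serials:
            return False
        if not verify_token(self.key, serial, mac, self.mac_bits):
            return False
        byte, bit = divmod(serial, 8)
        if self.bits[byte] & (1 << bit):  # already spent: reject the replay
            return False
        self.bits[byte] |= 1 << bit
        return True

    def storage_bits(self) -> int:
        return self.n_serials


def demo(n: int = 1000) -> dict:
    """Issue n tokens, spend them all against both trackers, and report the state each needs."""
    tokens = issue_tokens(DEMO_KEY, n)
    blacklist = MacBlacklist(DEMO_KEY)
    bitmap = SerialBitmap(DEMO_KEY, max_serial=tokens[-1][0])  # serials are increasing
    spent_ok = all(blacklist.redeem(s, m) for s, m in tokens) and \
        all(bitmap.redeem(s, m) for s, m in tokens)
    first_serial, first_mac = tokens[0]
    return {
        "all_spent_once": spent_ok,
        "unique_macs": len({m for _, m in tokens}) == n,
        "replay_rejected": not blacklist.redeem(first_serial, first_mac)
        and not bitmap.redeem(first_serial, first_mac),
        "forgery_rejected": not verify_token(DEMO_KEY, first_serial, first_mac ^ 1),
        "blacklist_bits": blacklist.storage_bits(),  # 30 bits per spent token
        "bitmap_bits": bitmap.storage_bits(),        # 1 bit per issued serial
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` spends 1000 tokens: the tag blacklist holds 30,000 bits while the bitmap holds about 1,000, which is the kind of gap the thread is weighing. Note that the serial design does not actually need the collision filter (lookups are by serial, not by tag); it is kept in `issue_tokens` so the same batch can be fed to both trackers.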