[messaging] Reduce identity key exposure in Pond

Joseph Bonneau jbonneau at cs.stanford.edu
Thu Apr 2 17:28:01 PDT 2015


Coming to this thread a little late, I would try to summarize this as an
attempt to separate two types of keys:

* Message keys, for which we might like for Bob and Charlie to be able to
link Alice's message keys to be sure they're talking to the same party (or
compare against, say, a CONIKS server somewhere).
* "Identity keys" (not a great name) which are used for routing to a
specific mailbox. We'd like Bob and Charlie (or Bob today and Bob tomorrow)
to be able to easily set up to route to different mailboxes for Alice,
using the same message keys for encryption (or keys ratcheted forward from
them). That way the server can't easily link all of Alice's traffic.

Currently the two are intertwined in Pond and the suggestion of "just have
multiple Pond identities" is a little unsatisfactory. What if I'd like to
break up traffic analysis the server can do (or even use multiple servers)
while keeping a consistent Message key for my correspondents?

Is that the problem that we're trying to solve? If so, I think there are
some pretty straightforward ways to do this by allowing Alice to have
multiple mailboxes with the same key, perhaps using blind signatures to
register unlinkable mailboxes with her server. This would not be more
efficient than just registering multiple identities with the server, as
you'd need to query each mailbox separately.
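The following is an added example, not part of this message and not Pond's code: a toy Python model of the split sketched above. Alice holds one long-term message key that Bob and Charlie can both verify against, and she opens several server mailboxes using Chaum-style RSA blind signatures (one concrete instantiation of "blind signatures to register unlinkable mailboxes"; the message does not specify a scheme). The `Server` and `Alice` classes, the token format, and the toy 512-bit RSA keys (Fermat-tested primes, demo only) are all assumptions made for the example.

```python
# Added example, not from the thread or from Pond: a toy model of the split proposed
# above. Alice keeps ONE long-term message key that her correspondents can compare, and
# opens SEVERAL server mailboxes with Chaum-style RSA blind signatures, so the server
# cannot link the mailboxes to each other or to her account. Python 3.8+ (pow(x, -1, n)).
import hashlib
import math
import secrets

def gen_prime(bits):
    # Fermat test with fixed bases: fine for random candidates in a demo, not for
    # production key generation (Carmichael numbers pass it).
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13, 17, 19, 23)):
            return c

def rsa_keygen(bits=512):
    # A 512-bit modulus is TOY size, chosen so the demo runs in well under a second.
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)          # (n, e, d)

def h(data):
    # SHA-256 as an integer: always below a 512-bit modulus, so no reduction needed.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def blind(n, e, token):
    # Alice hides H(token) under a random factor r^e; the server signs without seeing it.
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            return (h(token) * pow(r, e, n)) % n, r

def unblind(n, blinded_sig, r):
    return (blinded_sig * pow(r, -1, n)) % n          # strips r, leaving H(token)^d

class Server:
    def __init__(self):
        self.n, self.e, self._d = rsa_keygen()        # registration-token signing key
        self.mailboxes, self.spent, self.view = {}, set(), []
    def issue(self, account, blinded):
        # Authenticated path: the server knows WHICH account asked, not for which token.
        self.view.append(("issue", account, blinded))
        return pow(blinded, self._d, self.n)
    def register_mailbox(self, token, sig):
        # Anonymous path (e.g. over Tor): only the unblinded signature is checked.
        if pow(sig, self.e, self.n) != h(token):
            raise ValueError("bad registration token")
        if token in self.spent:
            raise ValueError("token already used")
        self.spent.add(token)
        mailbox = hashlib.sha256(b"mailbox|" + token).hexdigest()[:16]
        self.mailboxes[mailbox] = []
        self.view.append(("register", mailbox))
        return mailbox

class Alice:
    def __init__(self, server):
        self.server, self.mailboxes, self.tokens = server, [], []
        self.n, self.e, self._d = rsa_keygen()        # long-term message key (toy RSA)
    def open_mailbox(self):
        token = secrets.token_bytes(32)
        blinded, r = blind(self.server.n, self.server.e, token)
        sig = unblind(self.server.n, self.server.issue("alice", blinded), r)
        mailbox = self.server.register_mailbox(token, sig)
        self.mailboxes.append(mailbox)
        self.tokens.append((token, sig))
        return mailbox
    def sign(self, msg):
        return pow(h(msg), self._d, self.n)

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == h(msg)

def run_demo():
    server = Server()
    alice = Alice(server)
    mb_bob, mb_charlie = alice.open_mailbox(), alice.open_mailbox()
    pub = (alice.n, alice.e)
    # Alice's hellos to Bob and Charlie: same message key, different reply mailboxes.
    hellos = [b"Bob, reply to " + mb_bob.encode(), b"Charlie, reply to " + mb_charlie.encode()]
    same_key = all(verify(pub, m, alice.sign(m)) for m in hellos)
    # Bob and Charlie drop replies into the mailbox they were given; Alice polls each one.
    server.mailboxes[mb_bob].append(b"from bob")
    server.mailboxes[mb_charlie].append(b"from charlie")
    # Server's view: blinded values at issue time, tokens at registration time. Without
    # Alice's blinding factors, no issued value equals any token hash.
    issued = [v[2] for v in server.view if v[0] == "issue"]
    linkable = any(b == h(t) for b in issued for t in server.spent)
    try:
        server.register_mailbox(*alice.tokens[0])    # replaying a spent token must fail
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"same_message_key": same_key, "mailboxes": [mb_bob, mb_charlie],
            "linkable_by_server": linkable, "replay_rejected": replay_rejected,
            "polls_needed": len(alice.mailboxes),
            "inbox": [server.mailboxes[m] for m in alice.mailboxes]}
```

`run_demo()` returns `same_message_key=True` (both correspondents verify under one key), two distinct mailbox ids, `linkable_by_server=False`, `replay_rejected=True`, and `polls_needed=2`, which is the efficiency cost noted above: each mailbox has to be fetched separately. Two caveats the toy leaves out: blindness only holds if every client checks that the server signs with a single published registration key (a server that quietly uses a per-account key can tag tokens), and the signature hides nothing about timing or network origin, so the anonymous registration and fetch paths still need Tor or similar.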