[messaging] pond alike group messaging

azul azul at riseup.net
Tue Jun 16 09:32:47 PDT 2015


Most of the discussion around group messaging on this list seems to
focus on low latency, asynchronous conversations with a few
participants. I would like to look into higher latency messaging to a
larger list of participants that tries to prevent leaking metadata in a
similar way to pond. Take for example a mailing list like
messaging at moderncrypto.org - which security properties could be achieved
for such a usecase?

At a first glance it looks like the distribution mechanism of pond could
be generalized to a set of recipients. Fetching messages from the server
currently requires authenticating to the server with one specific key.
This could be extended to multiple recipients with a group
authentication scheme similar to the one that pond originally used for
authenticating senders. The recipients would have to specify the last
message they received and the server has to keep messages around for a

The server could get some information about which connections come from
the same user by observing the messages requested. Since pond only
delivers one message per connection it already requires the frequency of
messages to be lower than the frequency of connections. In such a
scenario with many users the additional information gained seems
comparable to observing other patterns in client connections.

There seems to be a rough consensus that pair wise encryption is the way
to go for group messaging. However this comes with the condition that
participants in a conversation know all other participants keys. In our
usecase this may not be easy to achieve.

One option seems to be to send key updates to the list in administrative
messages that are not displayed to the user. This would leak information
about other subscribers to the list. It may well be that the key updates
outnumber the messages send to the list. This is particular painful with
a distribution mechanism that limits the number of messages to send and

An interesting option to me seems to be using a proxy reencryption
scheme like SELS[1] that reencrypts the messages for a given recipient
on the server without leaking the plaintext. The scheme introduces the
role of a list moderator (LM) and is already designed for list services.
The list moderator and the server are responsible for establishing
initial keys with new subscribers and maintaining the list of
subscribers both for authenticating to the server and the reencryption.

In order to reencrypt the message for a particular user the server has
to learn that users identity. We can reduce this leak by serving
messages that can be decrypted by a number of users that would serve as
an anonymity pool. The additional overhead should be small if the
messages themselves are encrypted symetrically and public key crypto is
only used for the keys to the symetric encryption. Pond currently uses
16 KB messages. So 128 bit keys (=6 byte) would allow an anonymity pool
of 200 users while reducing the available message size by less than 10%
(1.2 KB).

So, dear messaging at moderncrypto ... What do you think about this
approach? Are proxy reencryption schemes still of interest? What would
be a the current state of the art? Are there any that also provide
perfect forward secrecy?


[1] http://sels.ncsa.illinois.edu/pub.html

More information about the Messaging mailing list