[messaging] pond alike lists (was: pond alike group messaging)

Trevor Perrin trevp at trevp.net
Sun Jun 21 16:02:34 PDT 2015 

On Thu, Jun 18, 2015 at 7:30 AM, Mike Hearn <mike at plan99.net> wrote:
>
> For instance, you could imagine a kind of forum server and forum browser
> client that's not based on rather fragile web technologies but something
> more robust.

Building mailing-lists on top of secure-messaging protocols makes sense to me.

I also agree that having the list admin decrypt / re-encrypt all
messages is simple:  The admin declares she's a mailing list and
responds to messages like ("subscribe", "unsubscribe", "post").

Downsides are:
 - Delivery runs through the admin - if she's offline, messages don't flow.
 - She can forge messages unless they're signed.
 - List of members isn't known to subscribers (could be pro or con).

It's possible to remove the admin from the delivery path while keeping
membership hidden, if you make the server aware of groups.  The admin
would send a symmetric group key to new members which they use to
encrypt.  The server would fan out each encrypted message to the
group.

Azul mentioned proxy re-encryption [1] where the admin instead sends a
group public key PK to new members, and gives the server special data
for each member.  The special data lets the server tranform messages
encrypted to PK to messages encrypted to each member's public key, but
doesn't let the server decrypt the messages.  I think that isn't much
different from handing out a symmetric group key, except for removing
users:  If the admin trusts the server to delete the member-specific
data then proxy re-encryption is more efficient than sending everyone
a new group key.  But I'm not sure this is worth the complexity.

If you're willing to make the membership visible to members then you
can build on pairwise messaging between users, with optimizations like
"sender keys" for 1-to-N messages [2].  This gives you options for
more-deniable authentication and hiding membership from servers, but
creates the problem of syncing the member list.


Azul also asked for Pond-like properties to "prevent leaking
metadata".  That's a tall order because Pond's security properties
aren't easy to characterize, much less extend to groups.  Presumably
you want to hide things like which groups exist, and which users
belong to a group.

The admin could receive and relay all messages over Pond.  That has
"Pond-like" properties in a sense.  But all members would receive
group messages at similar times, so their home server(s) might be able
to correlate message arrival times and infer the group.

Azul proposed using group signatures for all members to authenticate
to a single server and send/retrieve messages from a shared mailbox.
That might be better, but:

 - Is it realistic to ask group members to perform a shared-secret
exchange with the group admin (like Pond's "PANDA") to get a group
private key?  Azul seems OK with this: Pond "solves the key
distribution very nicely", but this doesn't seem that useable to me.

 - Users would be polling the group server frequently over Tor.  This
would be vulnerable to "traffic confirmation" where traffic between
clients and entry nodes is correlated with authentication events on
the server.

I don't have a great alternative.  These are hard problems which need
careful analysis and possibly better anonymity infrastructures.  I'm
excited by some signs of life in mix-net research (e.g. Vuvuzela), but
I think there's a lot of open problems here.

Trevor

[1] http://sels.ncsa.illinois.edu/
[2] https://moderncrypto.org/mail-archive/messaging/2015/001752.html

More information about the Messaging mailing list