[messaging] Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis

Jeff Burdges burdges at gnunet.org
Mon Jun 22 04:35:33 PDT 2015

On Sat, 2015-06-20 at 16:25 +0200, carlo walentiny wrote:
> I recently came across an interesting paper:
> http://jelle.vandenhooff.name/vuvuzela.pdf
> Anyone qualified to evaluate their claims care to comment? 

I enjoyed reading the paper, thanks.  It's lovely they quantified the
privacy so explicitly. 

There is a contextual miss-statement when they quote that Pond does not
protect against a global passive adversary.  Pond does not protect
against a global adversary who also hacks the Pond server, but that's a
given in context.  Vuvuzela cannot protect against an adversary who
hacks *all* the Vuvuzela servers either, not so many servers.  And
Vuvuzela over Tor cannot protect against an a global passive adversary
who hacks all the Vuvuzela servers.  In any case, Vuvuzela over Tor does
require that our global passive adversary hack more servers than Pond. 

All the vuvuzela network shape buys them is simplicity in implementation
and analysis.  If the clients make more choices, like specifying a route
in a mixnet, then you must argue those choices do not reveal anything to
the adversary, like by making them random.  In fact, they mention this
article is merely a precursor to a mixnet-like design.  I'd imagine
their mixnet-like design would proceed in rounds with fixed long-lived
connections between a network of servers. 

Vuvuzela as described only addresses metadata.  There are flaws in the
cryptography if implemented as they describe, specifically it needs
forward-security across dialing events, and maybe issues with
deniability.  That's fine since they're only doing proof-of-concept for
metadata protection, not building a deployable system.  

I also like their idea of non-permanent mailboxes for active
conversations and activating conversations, aka dialing.  I've thought
about signaling protocols for non-permanent mailboxes before, but
dialing to start an active conversation sounds *much* better than
signaling each message. 

I'd expect it's suboptimal to use the same protocol for dialing and
messages though.  Could dialing use a Pychon's gate like systems for
example?  Dialing need only communicate 1 flag bit that says "you've got
mail from me".  There is no need to communicate a new mailbox in the
dialing protocol because the message mailbox could be hashed from a
recent shared value in your ratchet for that contact.  We might survive
the O(n^2) computation in Pychon's gate if dialing events were rare
enough.  I'll read their references on Herbivore, Dissent, and Riposte
for ideas on further limiting dialing events. 


> Authors:
> Jelle van den Hooff, 
> David Lazar, 
> Matei Zaharia, 
> Nickolai Zeldovich

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150622/93347f5f/attachment.sig>

More information about the Messaging mailing list