[messaging] Masking contact addresses with ECDH

Jeff Burdges burdges at gnunet.org
Tue Mar 1 04:37:12 PST 2016

On Mon, 2016-02-29 at 12:00 -0800, Tony Arcieri wrote:

> Alice wants to share her contact list in a public directory without
> revealing specifically who her contacts are.

What does this mean?  Or maybe : Why does she want to share it?

In your scheme, Bob might as well be an adversary, giving a nasty
confirmation attack. 

If you need this, then maybe it's better to run an privacy preserving
set reconciliation protocol between Alice and Bob using the messaging p
rotocol itself, so no public lists.  You could use the public keys of
Alice and Bob as deterministic seeds so that over many reruns Alice and
Bob produce almost the same intermediate bloom filters and do not leak
their contact list to one another.  

There is still room for a blinding operation here before building the
bloom filters, well that's where you incorporate the deterministic
seed.  I think your ECC blinding operation is inferior to simply taking
a hash.  If you need it to be slow, then using Argon2 as the hash beats
using ECC.  I donno if that buys much though since if a user's device
can handle O(|contact|^2) cycles or storage then an adversary is likely
to posses O(|interesting_people|^2) cycles or storage.

As an aside, I tend to favor schemes based upon introductions, either
implicit when CCing, or explicit like social media sites provide.  I
suppose these ideas become useful if you want introduction requests
based upon publicly listed fingerprints, which offers security
advantages over introductions.  


More information about the Messaging mailing list