Hi,

Most of the discussion around group messaging on this list seems to focus on low-latency, asynchronous conversations with a few participants. I would like to look into higher-latency messaging to a larger list of participants that tries to prevent leaking metadata in a similar way to Pond. Take for example a mailing list like [email protected] - which security properties could be achieved for such a use case?
At a first glance it looks like the distribution mechanism of Pond could be generalized to a set of recipients. Fetching messages from the server currently requires authenticating to the server with one specific key. This could be extended to multiple recipients with a group authentication scheme similar to the one that Pond originally used for authenticating senders. The recipients would have to specify the last message they received and the server has to keep messages around for a while. The server could get some information about which connections come from the same user by observing the messages requested. Since Pond only delivers one message per connection it already requires the frequency of messages to be lower than the frequency of connections. In such a scenario with many users the additional information gained seems comparable to observing other patterns in client connections.

There seems to be a rough consensus that pairwise encryption is the way to go for group messaging. However, this comes with the condition that participants in a conversation know all other participants' keys. In our use case this may not be easy to achieve. One option seems to be to send key updates to the list in administrative messages that are not displayed to the user. This would leak information about other subscribers to the list. It may well be that the key updates outnumber the messages sent to the list. This is particularly painful with a distribution mechanism that limits the number of messages to send and receive.

An interesting option to me seems to be using a proxy reencryption scheme like SELS [1] that reencrypts the messages for a given recipient on the server without leaking the plaintext. The scheme introduces the role of a list moderator (LM) and is already designed for list services. The list moderator and the server are responsible for establishing initial keys with new subscribers and maintaining the list of subscribers, both for authenticating to the server and for the reencryption.

In order to reencrypt the message for a particular user the server has to learn that user's identity. We can reduce this leak by serving messages that can be decrypted by a number of users that would serve as an anonymity pool. The additional overhead should be small if the messages themselves are encrypted symmetrically and public key crypto is only used for the keys to the symmetric encryption. Pond currently uses 16 KB messages. So 128-bit keys (= 6 bytes) would allow an anonymity pool of 200 users while reducing the available message size by less than 10% (1.2 KB).

So, dear messaging@moderncrypto ... What do you think about this approach? Are proxy reencryption schemes still of interest? What would be the current state of the art? Are there any that also provide perfect forward secrecy?

Azul

[1] http://sels.ncsa.illinois.edu/pub.html

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
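
The anonymity-pool layout sketched in the post (one symmetrically encrypted body, the content key wrapped once per pool member), as an added example that is not part of the post, of Pond, or of SELS. It does not implement proxy reencryption; it shows only the pool packet a server would hand out and what each pool member costs. Everything beyond the post's 16 KB message size is an assumption: Go's standard library only, X25519 plus AES-128-GCM as the key-wrapping mechanism (the post names no primitive), a single ephemeral key per message shared by all slots, an HMAC-SHA256 KDF with a made-up label, and the type and function names Packet, Seal, Open, deriveKEK and PoolOverhead. Members trial-decrypt the slots, so a slot's position need not identify anyone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// One slot is a wrapped 16-byte AES-128 content key plus its 16-byte GCM tag.
const contentKeyLen, slotLen = 16, 16 + 16

// Each KEK and the content key are fresh per message and used exactly once, so a fixed nonce is safe.
var nonce = make([]byte, 12)

// Packet is one list message that every member of the anonymity pool can open.
type Packet struct {
	EphPub []byte   // ephemeral X25519 public key shared by all slots
	Slots  [][]byte // content key wrapped once per pool member
	Body   []byte   // AES-128-GCM ciphertext of the list message
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: every key here is exactly 16 bytes
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// deriveKEK turns the shared secret into a per-member key-encryption key bound to both public keys.
func deriveKEK(shared, ephPub, memberPub []byte) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("anon-pool-kek")) // hypothetical domain-separation label
	mac.Write(ephPub)
	mac.Write(memberPub)
	return mac.Sum(nil)[:contentKeyLen]
}

// Seal encrypts msg once and wraps the content key for every key in pool.
func Seal(msg []byte, pool []*ecdh.PublicKey) (*Packet, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	contentKey := make([]byte, contentKeyLen)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	pkt := &Packet{EphPub: eph.PublicKey().Bytes()}
	for _, pub := range pool {
		shared, err := eph.ECDH(pub)
		if err != nil {
			return nil, err
		}
		wrap := gcm(deriveKEK(shared, pkt.EphPub, pub.Bytes()))
		pkt.Slots = append(pkt.Slots, wrap.Seal(nil, nonce, contentKey, nil))
	}
	pkt.Body = gcm(contentKey).Seal(nil, nonce, msg, nil)
	return pkt, nil
}

// Open trial-decrypts every slot, so slot position never identifies a member;
// only a pool member's key recovers the content key and hence the body.
func Open(pkt *Packet, priv *ecdh.PrivateKey) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(pkt.EphPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	unwrap := gcm(deriveKEK(shared, pkt.EphPub, priv.PublicKey().Bytes()))
	for _, slot := range pkt.Slots {
		contentKey, err := unwrap.Open(nil, nonce, slot, nil)
		if err != nil {
			continue // GCM tag fails: not our slot
		}
		return gcm(contentKey).Open(nil, nonce, pkt.Body, nil)
	}
	return nil, fmt.Errorf("no slot unwraps under this key: not a pool member")
}

// PoolOverhead returns what a pool of n members costs out of one 16 KB Pond message and what is left.
func PoolOverhead(n int) (overhead, remaining int) {
	overhead = 32 + n*slotLen + 16 // ephemeral X25519 key, n slots, body GCM tag
	return overhead, 16*1024 - overhead
}

func main() {
	over, left := PoolOverhead(200)
	fmt.Printf("pool of 200: %d bytes of overhead, %d bytes left for the message\n", over, left)
}
```

Under these primitives each slot costs 32 bytes, so a pool of 200 members takes 6448 of the 16384 bytes; the figure depends entirely on the wrapping mechanism chosen, which is why it is labelled an assumption above. Note also that nothing here hides the pool size from the server or pads the slot list, and that without a fresh ephemeral key per message the fixed nonce would be unsafe.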
