[147778] in cryptography@c2.net mail archive


Re: [Cryptography] prism-proof email in the degenerate case

daemon@ATHENA.MIT.EDU (Benjamin Kreuter)
Mon Oct 21 13:08:28 2013

X-Original-To: cryptography@metzdowd.com
Date: Mon, 21 Oct 2013 10:42:26 -0400
From: Benjamin Kreuter <brk7bx@virginia.edu>
To: Ray Dillinger <bear@sonic.net>
In-Reply-To: <52571A15.2060606@sonic.net>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Thu, 10 Oct 2013 14:20:21 -0700
Ray Dillinger <bear@sonic.net> wrote:

> On 10/10/2013 12:54 PM, John Kelsey wrote:
> > Having a public bulletin board of posted emails, plus a protocol
> > for anonymously finding the ones your key can decrypt, seems
> > like a pretty decent architecture for prism-proof email.  The
> > tricky bit of crypto is in making access to the bulletin board
> > both efficient and private.
>
> Wrong on both counts, I think.  If you make access private, you
> generate metadata because nobody can get at mail other than their
> own.  If you make access efficient, you generate metadata because
> you're avoiding the "wasted" bandwidth that would otherwise prevent
> the generation of metadata. Encryption is sufficient privacy, and
> efficiency actively works against the purpose of privacy.

I am not sure this is the whole story.  The key word in John's
suggestion is "protocol" -- what immediately comes to my mind is PIR,
which would allow you to fetch your messages more efficiently without
generating more metadata.  One practical consideration is that people
might be receiving different numbers of messages, but this can be
addressed by having everyone fetch a fixed number of messages every $n$
minutes; you probably need to do this regardless of PIR to prevent
other forms of information leakage.

There are probably a few other practical considerations here, but at
least in theory PIR could help with efficiency without compromising
privacy.

-- Ben
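A minimal illustration of the two points in Ben's reply, added here as an example and not code from the thread: a two-server XOR-based PIR fetch from a replicated bulletin board of fixed-size slots, plus a client round that always issues exactly k fetches (padding with dummy indices) so the query count does not reveal how much mail a user received. It assumes two non-colluding replicas of the board; the slot size, board contents and per-round budget are constructed values.

```python
import secrets

SLOT_BYTES = 32  # constructed: every bulletin-board slot is padded to one fixed size


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_board(messages: list[bytes]) -> list[bytes]:
    """Constructed sample board. Real slots would hold ciphertexts; plain labels are used here."""
    if any(len(m) > SLOT_BYTES for m in messages):
        raise ValueError("message exceeds slot size")
    return [m.ljust(SLOT_BYTES, b"\0") for m in messages]


def pir_server_answer(board: list[bytes], query: list[int]) -> bytes:
    """One server XORs together the slots selected by a 0/1 query vector.
    Each server sees a uniformly random vector, so alone it learns nothing about
    which slot the client wants; only the two vectors together point at one index."""
    acc = bytes(SLOT_BYTES)
    for slot, bit in zip(board, query):
        if bit:
            acc = xor_bytes(acc, slot)
    return acc


def pir_fetch(board_a: list[bytes], board_b: list[bytes], index: int) -> bytes:
    """Client side: random query to server A, the same query with bit `index`
    flipped to server B. XORing the two answers leaves exactly slot `index`."""
    q_a = [secrets.randbelow(2) for _ in range(len(board_a))]
    q_b = list(q_a)
    q_b[index] ^= 1
    return xor_bytes(pir_server_answer(board_a, q_a), pir_server_answer(board_b, q_b))


def fetch_round(board_a: list[bytes], board_b: list[bytes], wanted: list[int], k: int) -> list[bytes]:
    """Fetch exactly k slots per round: the wanted ones first, then dummy random
    indices, so the traffic pattern is identical whether a user got 0 or k messages."""
    if len(wanted) > k:
        raise ValueError("more messages than the per-round budget; carry the rest to the next round")
    n = len(board_a)
    indices = list(wanted) + [secrets.randbelow(n) for _ in range(k - len(wanted))]
    return [pir_fetch(board_a, board_b, i) for i in indices]


# Constructed board; both "servers" hold the same replica.
BOARD = make_board([b"msg for alice", b"msg for bob", b"msg for carol", b"msg for dave"])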

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography