On 30/03/14 17:31, Trevor Perrin wrote:
> Bob and his server share an HMAC key k. Bob distributes to each
> of his contacts a bunch of pairs (x, HMAC(k,y)) where (x,y) are a
> signature keypair (y=g^x).
>
> Contacts then send (msg, y, HMAC(k,y), sig(msg, x)) to the server,
> which records used values of HMAC(k,y) and rejects them in future.

Is crypto needed here? Assuming secure connections between Bob and the
server, and Bob's contacts and the server, Bob could just upload some
random tokens to the server, and hand the same tokens out to his
contacts; each token would be redeemable for delivery of one message.
Bob would know which tokens had been given to which contacts, but the
server wouldn't.

To revoke a contact's access, either (a) remove the contact's tokens
from the server (but this lets the server guess how many contacts you
have based on what fraction of tokens you remove), or (b) stop giving
the contact fresh tokens, allow the outstanding tokens to be spent, or
(c) stop giving the contact fresh tokens, connect to the server
anonymously and spend the outstanding tokens yourself.

Cheers,
Michael
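
Added example, not part of the original message: the token scheme described in the reply above, modelled in Python with revocation options (a) and (c). The class and method names are hypothetical, and keeping only SHA-256 digests of the tokens on the server is an assumption of this example that the email does not specify.

```python
import hashlib
import secrets

def digest(token: bytes) -> bytes:
    # Assumption (not in the email): the server stores only digests, so a
    # dump of its token store does not yield spendable tokens.
    return hashlib.sha256(token).digest()

class DeliveryServer:
    """Holds Bob's unspent tokens; never learns which contact holds which."""

    def __init__(self):
        self._unspent, self.inbox = set(), []

    def upload(self, tokens):
        self._unspent.update(digest(t) for t in tokens)

    def remove(self, tokens):
        # Revocation option (a): Bob withdraws a contact's tokens.
        self._unspent.difference_update(digest(t) for t in tokens)

    def deliver(self, token: bytes, msg: bytes) -> bool:
        # One token buys one delivery: unknown or already-spent tokens are
        # rejected, and a valid token is deleted as it is used.
        d = digest(token)
        if d not in self._unspent:
            return False
        self._unspent.remove(d)
        self.inbox.append(msg)
        return True

class Bob:
    def __init__(self, server):
        self.server = server
        self.issued = {}  # contact -> tokens; this mapping stays with Bob

    def issue(self, contact: str, n: int):
        tokens = [secrets.token_bytes(16) for _ in range(n)]
        self.server.upload(tokens)
        self.issued.setdefault(contact, []).extend(tokens)
        return tokens  # handed to the contact over a secure channel

    def revoke_by_removal(self, contact: str):
        self.server.remove(self.issued.pop(contact, []))

    def revoke_by_spending(self, contact: str):
        # Option (c): Bob spends the tokens himself (anonymity not modelled).
        for t in self.issued.pop(contact, []):
            self.server.deliver(t, b"")
```

Option (b) needs no server-side call: Bob simply stops calling `issue` for that contact.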
