On Thu, Apr 3, 2014 at 12:50 PM, Michael Rogers <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > On 03/04/14 19:02, Trevor Perrin wrote: >> I think you want signatures for garbage messages which fail >> end-to-end authentication but could be used to fill the recipient's >> mailbox with junk. > > I don't see how the recipient's mailbox could be filled with junk by > anyone except the server. Anyone else would need a token to submit a > message; tokens are only issued to authorised senders, and the number > of tokens in circulation is controlled by the recipient, so it can be > kept within the capacity of the mailbox.
In Pond, at least, the mailbox/recipient bandwidth is kept to a low, roughly constant level over time, to resist traffic analysis. Thus the recipient can be temporarily DoS'd by a fairly low volume of messages. I'm not sure it's feasible to keep the # of outstanding tokens so low as to prevent this. >> With signatures a recipient can attribute a garbage message to a >> particular sender, or to the server (if the message can't be >> attributed to a sender, e.g. bad signature). > > Hmm, good point. How about this: the recipient gives random tokens to > authorised senders, and the hashes of the tokens to the server. Now > the server can only send a message by dropping a submitted message and > stealing its token. If the recipient receives a junk message with a > valid token then either the sender sent a junk message, or the server > dropped a submitted message and stole its token. Sure, but you can't distinguish those cases. My original proposal was for distributing one-time signing keys which would work similarly to your tokens, but with the added property that the signature would be bound to a particular message. > If we trust the server not to drop submitted messages (which I think > we must under any scheme) then this works as far as I can see - > without requiring group signatures. Yeah, but I think signatures are still a good idea in conjunction with one-time-use tokens. Trevor _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
