On Sat, 2015-06-20 at 16:25 +0200, carlo walentiny wrote:
> I recently came across an interesting paper:
> http://jelle.vandenhooff.name/vuvuzela.pdf
> Anyone qualified to evaluate their claims care to comment?
I enjoyed reading the paper, thanks. It's lovely they quantified the privacy so explicitly.

There is a contextual misstatement when they quote that Pond does not protect against a global passive adversary. Pond does not protect against a global adversary who also hacks the Pond server, but that's a given in context. Vuvuzela cannot protect against an adversary who hacks *all* the Vuvuzela servers either, not so many servers. And Vuvuzela over Tor cannot protect against a global passive adversary who hacks all the Vuvuzela servers. In any case, Vuvuzela over Tor does require that our global passive adversary hack more servers than Pond.

All the Vuvuzela network shape buys them is simplicity in implementation and analysis. If the clients make more choices, like specifying a route in a mixnet, then you must argue those choices do not reveal anything to the adversary, like by making them random. In fact, they mention this article is merely a precursor to a mixnet-like design. I'd imagine their mixnet-like design would proceed in rounds with fixed long-lived connections between a network of servers.

Vuvuzela as described only addresses metadata. There are flaws in the cryptography if implemented as they describe, specifically it needs forward-security across dialing events, and maybe issues with deniability. That's fine since they're only doing proof-of-concept for metadata protection, not building a deployable system.

I also like their idea of non-permanent mailboxes for active conversations and activating conversations, aka dialing. I've thought about signaling protocols for non-permanent mailboxes before, but dialing to start an active conversation sounds *much* better than signaling each message. I'd expect it's suboptimal to use the same protocol for dialing and messages though. Could dialing use a Pynchon's Gate-like system, for example? Dialing need only communicate 1 flag bit that says "you've got mail from me".
There is no need to communicate a new mailbox in the dialing protocol because the message mailbox could be hashed from a recent shared value in your ratchet for that contact. We might survive the O(n^2) computation in Pynchon's Gate if dialing events were rare enough. I'll read their references on Herbivore, Dissent, and Riposte for ideas on further limiting dialing events.

Thanks,
Jeff

> Authors:
>
> Jelle van den Hooff,
> David Lazar,
> Matei Zaharia,
> Nickolai Zeldovich
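The "mailbox hashed from a recent shared value in your ratchet" idea above, as an added illustration that is not part of Jeff's message or of Vuvuzela or Pond: a toy one-way hash chain stands in for the per-contact ratchet (an assumption; a real client would use its key-agreement ratchet), each dial steps the chain on both sides, and the mailbox label is derived locally rather than sent, so the dial message itself carries nothing but the flag bit. The root secret and all labels are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed root secret standing in for the per-contact ratchet state
# (assumption: a real client would take this from its key-agreement ratchet).
SHARED_ROOT = hashlib.sha256(b"constructed example root secret").digest()


def advance(chain_key: bytes) -> bytes:
    """One-way ratchet step; the previous chain key is not recoverable from the output."""
    return hmac.new(chain_key, b"ratchet-step", hashlib.sha256).digest()


def derive_mailbox(chain_key: bytes) -> bytes:
    """Mailbox label for the conversation opened by this dial (domain-separated PRF output)."""
    return hmac.new(chain_key, b"mailbox-label", hashlib.sha256).digest()[:16]


@dataclass
class Party:
    chain_key: bytes

    def on_dial(self) -> bytes:
        """Each side steps its own ratchet and derives the mailbox locally;
        no label ever crosses the wire."""
        self.chain_key = advance(self.chain_key)
        return derive_mailbox(self.chain_key)


def simulate(n_dials: int):
    """Run n dialing events; return the (alice, bob) mailbox pairs and Alice's final chain key."""
    alice, bob = Party(SHARED_ROOT), Party(SHARED_ROOT)
    pairs = []
    for _ in range(n_dials):
        # The dial message carries one flag bit ("you've got mail from me");
        # Bob reacts by stepping his ratchet and computing the same label.
        pairs.append((alice.on_dial(), bob.on_dial()))
    return pairs, alice.chain_key


def mailboxes_reachable_from(chain_key: bytes, n_future: int) -> list:
    """What someone who captures the current chain key can compute: only the next n labels."""
    out = []
    for _ in range(n_future):
        chain_key = advance(chain_key)
        out.append(derive_mailbox(chain_key))
    return out


if __name__ == "__main__":
    pairs, final_key = simulate(3)
    print("both sides agree on every mailbox:", all(a == b for a, b in pairs))
    past = {a for a, _ in pairs}
    print("past mailboxes linkable from the final key:",
          any(m in past for m in mailboxes_reachable_from(final_key, 3)))
```

Because the chain only moves forward, capturing a client's state after the n-th dial exposes later mailboxes but not the earlier ones, which is the forward-security across dialing events the message asks for.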
Messaging mailing list
https://moderncrypto.org/mailman/listinfo/messaging
