On Thu, 2015-07-30 at 06:33 +0800, Ben Harris wrote:
> If you aren't having single use mailbox addresses, then you HAVE to
> share the mailbox address between multiple senders (otherwise the
> server can identify senders breaking M0).

If you use a mailbox per sender and receiver pair then the mailbox server has stronger attacks on the sender's identity, but this still reduces to the ambient transport. Vuvuzela analyzes exactly this case for their mixnet and traffic scheme.

I'd rephrase this as: If you use a unique mailbox per sender and receiver pair, then you must change that box occasionally to avoid breaking both M0 and the recipient's anonymity. In fact, you cannot realistically keep all contacts in a "dialed" state anyways, way too much traffic, so your dialing protocol might as well assign new boxes.

Conversely, if you have a unique mailbox per recipient, then senders have only a small anonymity set beyond the ambient transport's anonymity. And the recipient has only pseudonymity after the ambient transport's anonymity. We believe that small anonymity set suffices to prevent the mailbox server from engaging in attacks like modeling an external social graph, but actually proving that would require considerations like traffic profile, etc. I'd love to see an article doing this actually.

Jeff
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
