On Mon, 2016-02-29 at 12:00 -0800, Tony Arcieri wrote:
> Alice wants to share her contact list in a public directory without
> revealing specifically who her contacts are.

What does this mean? Or maybe: Why does she want to share it?

In your scheme, Bob might as well be an adversary, giving a nasty confirmation attack.

If you need this, then maybe it's better to run a privacy-preserving set reconciliation protocol between Alice and Bob using the messaging protocol itself, so no public lists. You could use the public keys of Alice and Bob as deterministic seeds so that over many reruns Alice and Bob produce almost the same intermediate bloom filters and do not leak their contact list to one another.

There is still room for a blinding operation here before building the bloom filters, well that's where you incorporate the deterministic seed. I think your ECC blinding operation is inferior to simply taking a hash. If you need it to be slow, then using Argon2 as the hash beats using ECC. I dunno if that buys much though since if a user's device can handle O(|contact|^2) cycles or storage then an adversary is likely to possess O(|interesting_people|^2) cycles or storage.

As an aside, I tend to favor schemes based upon introductions, either implicit when CCing, or explicit like social media sites provide. I suppose these ideas become useful if you want introduction requests based upon publicly listed fingerprints, which offers security advantages over introductions.

Jeff
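
Added example, not part of the original message: a sketch of only the seed-and-blind step the reply mentions, with the set reconciliation protocol itself left out. The seed derivation, HMAC-SHA256 as the hash-based blinding, the filter parameters and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

M_BITS = 1024   # filter size in bits (assumed parameter)
K_HASHES = 4    # bit positions set per item (assumed parameter)

def pair_seed(pk_a, pk_b):
    """Order-independent seed from both public keys, so either side derives it."""
    lo, hi = sorted((pk_a, pk_b))
    return hashlib.sha256(b"pair-seed" + len(lo).to_bytes(2, "big") + lo + hi).digest()

def blind(seed, contact_id):
    """Hash-based blinding: keyed hash of the contact identifier under the seed."""
    return hmac.new(seed, contact_id, hashlib.sha256).digest()

def positions(blinded):
    """Derive K_HASHES filter positions from one blinded value."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + blinded).digest()[:8], "big") % M_BITS
            for i in range(K_HASHES)]

def build_filter(seed, contacts):
    """Bloom filter as an integer bitmap; depends only on the seed and the set."""
    bits = 0
    for contact in contacts:
        for p in positions(blind(seed, contact)):
            bits |= 1 << p
    return bits

def maybe_contains(bits, seed, contact_id):
    """Membership guess. Anyone holding the seed can run this, which is why the
    peer can still confirm guesses about individual contacts."""
    return all((bits >> p) & 1 for p in positions(blind(seed, contact_id)))

# Constructed sample values, not real keys or addresses.
ALICE_PK, BOB_PK, CAROL_PK = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
CONTACTS = [b"dave@example.org", b"erin@example.org", b"frank@example.org"]

def demo():
    seed_ab = pair_seed(ALICE_PK, BOB_PK)
    seed_ac = pair_seed(ALICE_PK, CAROL_PK)
    return {
        "stable_across_reruns": build_filter(seed_ab, CONTACTS) == build_filter(seed_ab, CONTACTS[::-1]),
        "differs_per_peer": build_filter(seed_ab, CONTACTS) != build_filter(seed_ac, CONTACTS),
        "peer_can_confirm": maybe_contains(build_filter(seed_ab, CONTACTS), seed_ab, CONTACTS[0]),
    }

if __name__ == "__main__":
    print(demo())
```

Swapping the HMAC in `blind` for a memory-hard function changes only the per-item cost; the filter logic is unchanged.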
