[Cryptography] prism-proof email in the degenerate case

Thu Oct 10 17:03:32 EDT 2013

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cool.

Drop me a note if you want hosting (gratis) for this.

On 10/10/13 10:22 PM, Jerry Leichter wrote:
> On Oct 10, 2013, at 11:58 AM, "R. Hirschfeld" <ray at unipay.nl>
> wrote:
>> Very silly but trivial to "implement" so I went ahead and did
>> so:
>> 
>> To send a prism-proof email, encrypt it for your recipient and
>> send it to irrefrangible at mail.unipay.nl....
> Nice!  I like it.
> 
> A couple of comments:
> 
> 1.  Obviously, this has scaling problems.  The interesting question
> is how to extend it while retaining the good properties.  If
> participants are willing to be identified to within 1/k of all the
> users of the system (a set which will itself remain hidden by the
> system), choosing one of k servers based on a hash of the recipient
> would work.  (A concerned recipient could, of course, check servers
> that he knows can't possibly have his mail.)  Can one do better?
> 
> 2.  The system provides complete security for recipients (all you
> can tell about a recipient is that he can potentially receive
> messages - though the design has to be careful so that a recipient
> doesn't, for example, release timing information depending on
> whether his decryption succeeded or not).  However, the protection
> is more limited for senders.  A sender can hide its activity by
> simply sending random "messages", which of course no one will ever
> be able to decrypt.  Of course, that adds yet more load to the
> entire system.
> 
> 3.  Since there's no acknowledgement when a message is picked up,
> the number of messages in the system grows without bound.  As you
> suggest, the service will have to throw out messages after some
> time - but that's a "blind" process which may discard a message a
> slow receiver hasn't had a chance to pick up while keeping one that
> was picked up a long time ago.  One way around this, for
> cooperative senders:  When creating a message, the sender selects a
> random R and appends tag Hash(R).  Anyone may later send a "you may
> delete message R" message.  A sender computes Hash(R), finds any
> message with that tag, and discards it.  (It will still want to
> delete messages that are old, but it may be able to define "old" as
> a larger value if enough of the senders are cooperative.)
> 
> Since an observer can already tell who created the message with tag
> H(R), it would normally be the original sender who deletes his
> messages.  Perhaps he knows they are no longer important; or
> perhaps he received an application-level acknowledgement message
> from the recipient. -- Jerry
> 
> _______________________________________________ The cryptography
> mailing list cryptography at metzdowd.com 
> http://www.metzdowd.com/mailman/listinfo/cryptography
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iQIcBAEBAgAGBQJSVxYkAAoJEAWtgNHk7T8Q+uwP/0sWLASYrvKHkVYo4yEjLLYK
+s4Yfnz4sBJRUkndj6G3mhk+3lutcMiMhD2pWaTjo/FENCqMveiReI3LiA57aJ9l
eaB2whG8pslm+NKirFJ//3AL6mBPJEqeH4QfrfaxNbu61T3oeU9jwihQ/1XpZUxb
F1vPGN5GZyrW4GdNBWW+0bzgjoBKsyBNTe/0F/JhtKz/KD6aEQjzeNDJkgm4z6DA
Euf+qYT+K3QlWWe8IMxliJcP4HacKhUPO6YUCx6mjbz34zNNa3th4eXXTzlcTWUR
LWFXcDnmor3E9yMdFOdtN8+qXvauyi5HGq55Rge3fZ/TqZbNrfPh2AWqDSd/N1rW
TFkx9w7b3ndfbkipK51lrdJsZcOudDgvPVnZUZBNm8H7dHi4jb4CJz+Cfr7e7Ar8
wze58qz/kYFqZ7h91e/m4TaIM+jXtPteAM2HZnAAtx3daNqcbcFd8DRtZGdOpjWt
ugz2f1NUQrj8f17jUFRwIZfwi2E6wBfKTfVebQy7kMMBbN3fwvIHjyXJTHaz6o0I
AX1u3bvAilFdxObwULP4PRl7ReDB42XonCf90VHSDetE/qHQy4CKiIiMrGQIlY7Y
NhyAkd3dGvs57TP5gH+d39G0hkJ/iBqgaJtHcU1CwMxYABNasj2yyKPzA7Lvma62
8qzw2uTKepVPUkCjbqcy
=mvZ0
-----END PGP SIGNATURE-----