[Cryptography] prism-proof email in the degenerate case

John Kelsey crypto.jmk at gmail.com
Thu Oct 10 20:42:25 EDT 2013


On Oct 10, 2013, at 5:20 PM, Ray Dillinger <bear at sonic.net> wrote:

> On 10/10/2013 12:54 PM, John Kelsey wrote:
>> Having a public bulletin board of posted emails, plus a protocol 
>> for anonymously finding the ones your key can decrypt, seems 
>> like a pretty decent architecture for prism-proof email.  The 
>> tricky bit of crypto is in making access to the bulletin board 
>> both efficient and private.  
> 
> Wrong on both counts, I think.  If you make access private, you
> generate metadata because nobody can get at mail other than their
> own.  If you make access efficient, you generate metadata because
> you're avoiding the "wasted" bandwidth that would otherwise prevent
> the generation of metadata. Encryption is sufficient privacy, and
> efficiency actively works against the purpose of privacy.

So the original idea was to send a copy of all the emails to everyone.  What I'm wanting to figure out is if there is a way to do this more efficiently, using a public bulletin-board-like scheme.  The goal here would be:

a.  Anyone in the system can add an email to the bulletin board, which I am assuming is public and cryptographically protected (using a hash chain to make it impossible for even the owner of the bulletin board to alter things once published).

b.  Anyone can run a protocol with the bulletin board which results in them getting only the encrypted emails addressed to them, and prevents the bulletin board operator from finding out which emails they got.

This sounds like something that some clever crypto protocol could do.  (It's related to the idea of searching on encrypted data.)  And it would make an email system that was really resistant to tracing users.

>            Bear

--John
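
Item (a) above, as an added example that is not part of the original post: a hash-chained board plus the reader-side check that detects the operator altering or dropping posts the reader has already seen. The names (`BulletinBoard`, `Reader`, `link`, `head_of`), the SHA-256 construction and the byte strings standing in for encrypted emails are assumptions; the reader here fetches the whole board, so the private retrieval of item (b) is not addressed.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed fixed starting head for an empty board

def link(prev_head, ciphertext):
    """Head after one more post: H(prev_head || H(ciphertext))."""
    return hashlib.sha256(prev_head + hashlib.sha256(ciphertext).digest()).digest()

def head_of(posts, start=GENESIS):
    """Fold the chain over a list of posts, starting from a known head."""
    head = start
    for ct in posts:
        head = link(head, ct)
    return head

class BulletinBoard:
    """Operator side: append-only list of opaque encrypted emails."""
    def __init__(self):
        self.posts = []
    def post(self, ciphertext):
        self.posts.append(ciphertext)
        return head_of(self.posts)  # published alongside the posts

class Reader:
    """Client side: remembers how many posts it has seen and their head."""
    def __init__(self):
        self.count, self.head = 0, GENESIS
    def sync(self, posts, claimed_head):
        """Return only the new posts, or raise if history was changed."""
        if len(posts) < self.count:
            raise ValueError("board shrank: history was truncated")
        if head_of(posts[:self.count]) != self.head:
            raise ValueError("board rewrote posts we already saw")
        new_head = head_of(posts[self.count:], start=self.head)
        if new_head != claimed_head:
            raise ValueError("published head does not match the posts")
        new = posts[self.count:]
        self.count, self.head = len(posts), new_head
        return new

if __name__ == "__main__":
    board, reader = BulletinBoard(), Reader()
    board.post(b"constructed-ciphertext-1")
    head = board.post(b"constructed-ciphertext-2")
    print(len(reader.sync(list(board.posts), head)), "new posts accepted")
    forged = [b"constructed-ciphertext-1", b"altered"]
    try:
        reader.sync(forged, head_of(forged))
    except ValueError as err:
        print("rejected:", err)
```

The check only protects a reader who kept an earlier head; two readers comparing heads for the same post count would also catch an operator showing them different histories.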

