[Cryptography] prism-proof email in the degenerate case

Benjamin Kreuter brk7bx at virginia.edu
Mon Oct 21 10:42:26 EDT 2013


On Thu, 10 Oct 2013 14:20:21 -0700
Ray Dillinger <bear at sonic.net> wrote:

> On 10/10/2013 12:54 PM, John Kelsey wrote:
> > Having a public bulletin board of posted emails, plus a protocol 
> > for anonymously finding the ones your key can decrypt, seems 
> > like a pretty decent architecture for prism-proof email.  The 
> > tricky bit of crypto is in making access to the bulletin board 
> > both efficient and private.  
> 
> Wrong on both counts, I think.  If you make access private, you
> generate metadata because nobody can get at mail other than their
> own.  If you make access efficient, you generate metadata because
> you're avoiding the "wasted" bandwidth that would otherwise prevent
> the generation of metadata. Encryption is sufficient privacy, and
> efficiency actively works against the purpose of privacy.

I am not sure this is the whole story.  The key word in John's
suggestion is "protocol" -- what immediately comes to my mind is PIR,
which would allow you to fetch your messages more efficiently without
generating more metadata.  One practical consideration is that people
might be receiving different numbers of messages, but this can be
addressed by having everyone fetch a fixed number of messages every $n$
minutes; you probably need to do this regardless of PIR to prevent
other forms of information leakage.

There are probably a few other practical considerations here, but at
least in theory PIR could help with efficiency without compromising
privacy.

-- Ben
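
As an added illustration (not part of Ben's message or the thread), here is a minimal sketch of fetching from a bulletin board with PIR at a fixed rate. It swaps in the classic two-server XOR scheme as one concrete PIR construction and assumes two non-colluding replicas of the board, fixed-size slots, and a client that already knows which slot indices it wants; `SLOT`, `FETCHES`, and all function names are hypothetical.

```python
import secrets

SLOT = 32     # assumed fixed slot size; every posting is padded to this length
FETCHES = 3   # assumed fixed number of retrievals per polling round

def pad(msg: bytes) -> bytes:
    if len(msg) >= SLOT:
        raise ValueError("message too long for one slot")
    return msg + b"\x80" + b"\x00" * (SLOT - len(msg) - 1)

def unpad(slot: bytes) -> bytes:
    return slot.rstrip(b"\x00")[:-1]   # drop zero fill, then the 0x80 marker

def server_answer(board, selector):
    """Server side: XOR together every slot whose selector bit is 1."""
    acc = bytearray(SLOT)
    for slot, bit in zip(board, selector):
        if bit:
            acc = bytearray(x ^ y for x, y in zip(acc, slot))
    return bytes(acc)

def make_queries(n, index):
    """Client side: uniform random selector for A; B gets it with one bit flipped."""
    qa = [secrets.randbits(1) for _ in range(n)]
    qb = qa.copy()
    qb[index] ^= 1
    return qa, qb

def fetch(board_a, board_b, index):
    qa, qb = make_queries(len(board_a), index)
    ra, rb = server_answer(board_a, qa), server_answer(board_b, qb)
    return bytes(x ^ y for x, y in zip(ra, rb))   # all slots cancel except `index`

def poll(board_a, board_b, wanted):
    """One round: always FETCHES queries; random dummy indices fill unused ones."""
    if len(wanted) > FETCHES:
        raise ValueError("more than FETCHES pending; defer the rest to the next round")
    n = len(board_a)
    indices = list(wanted) + [secrets.randbelow(n) for _ in range(FETCHES - len(wanted))]
    slots = [fetch(board_a, board_b, i) for i in indices]
    return [unpad(s) for s in slots[:len(wanted)]], len(indices)

# Constructed sample board; real entries would be ciphertexts posted by senders.
BOARD = [pad(b"ciphertext-%d" % i) for i in range(8)]

if __name__ == "__main__":
    print(poll(BOARD, BOARD, [1, 4]))   # busy recipient
    print(poll(BOARD, BOARD, []))       # idle recipient, same traffic shape
```

Each replica sees only a uniformly random bit vector per query, and every round carries the same number of queries whether or not mail is waiting; the server still does work linear in the board size per query.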