[Cryptography] Comey: targeted ads => plaintext access

[Benjamin Kreuter]

On Sat, 2015-09-19 at 14:38 -0700, Tony Arcieri wrote:

> Allowing a potential attacker to compute things about your ciphertexts
> (even if they can't tell specifically what they're computing) leaks some
> information of course.

That depends on whether or not they receive output.  A secure protocol
should not allow parties that are not supposed to receive outputs to
learn anything (this follows from the real/ideal paradigm for security
definitions).

For search or filtering, there is no reason the mail server should
receive any outputs.  Ad targeting is different because of the need to
charge advertisers when their ads are displayed (or clicked on, or
whatever the pricing model is).  On the other hand, if you can involve
the advertisers themselves as parties in the protocol, you can avoid
revealing anything to the mail server by using an anonymous payment
system; in that case the server would receive a payment as output, but
because of the unlinkability property the server will not know which
advertiser's payment it received (the advertisers would have to send a
payment as their inputs to the protocol, and those who did not have
their ads displayed would receive their money back as output -- so each
advertiser will know how many times their ads were shown).

-- Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150919/ab90a68e/attachment.sig>