[Cryptography] Blockchain for encryption

Alfie John alfie at alfie.wtf
Thu May 2 07:35:15 EDT 2019


On 2 May 2019, at 12:46 am, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> 
> Looking for review and comment on the following:
> 
> The DARE structure uses a public key exchange to establish a master key. Individual records can then be encrypted under a key generated from that master key by means of HKDF Key Generation with a unique per entry salt.
> 
> Besides GDPR compliant server logs, I can think of many, many applications. I use the structure extensively in the Mesh to manage sets and lists of entries. One of the applications I have always had in mind is end-to-end secure Web services including chat rooms and comment forums/mailing lists.
> 
> So is there anything I must add?

A concern I have is that it looks like it currently doesn't deal with forward secrecy. This is a must in 2019, especially when used for chat. Non-repudiability may be another feature that others may say is missing, but not sure how you would do this in an offline system such as yours.

1.3.5 - when switching to a new container, I would suggest the last entry in the old container contain a pointer to the new one. Consider this analogously as signing your new GPG key with your old one. It will also help with your notary system so that nobody can travel back in time and point readers to a completely different container (with large amounts of data however, traversing this will be slow. Maybe consider a tree-like structure for containers rather than a daisy chain for performance, but this then breaks your append-only log aims though... just a thought).

1.3.6 - I'm not sure using DARE for Bitcoin works, as there isn't a concept of a master key used to sign and encrypt blocks. Consider Bitcoin as a public broadcast with multiple untrusted writers whereas DARE is trusted between participants.

1.3.7 - I'd consider adding my concern about the performance of traversing a daisy chain if implemented.

> Right now, I have not published my MetaNotary protocol because I haven't implemented it. I have published the basis for the analysis though in the trust paper.
> 
> A MetaNotary is simply any notary that includes the outputs of other notaries. Thus it is possible to prove quite easily that no other scheme can ever present a higher work factor than a MetaNotary since if such a notary existed, the MetaNotary can simply consume its output as an input and present at least equal the work factor.
> 
> In short, the system will hold together through reciprocity. Since metanotary.com <http://metanotary.com/> was taken, I call this the emergent reciprocal meta-system the internotary.

Be aware of colluding notaries in your threat model. If incentives are high enough, it will happen.

Alfie
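The per-record key derivation described in the quoted message (master key from a public key exchange, per-entry key via HKDF with a unique salt) and the forward-secrecy concern raised in the reply, as an added example that is not part of the thread and is not DARE's or the Mesh's own code. It implements RFC 5869 HKDF over HMAC-SHA256 with only the standard library, derives one key per record from a random 16-byte salt, and then shows the flip side: a party who later obtains the master key and the stored salts can recompute every historical record key. The `info` label, salt length and the `(salt, key, entry)` layout are assumptions chosen for the example, not DARE's actual format.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Expand: OKM = T(1) | T(2) | ... truncated to `length` bytes,
    where T(i) = HMAC-Hash(PRK, T(i-1) | info | i) and T(0) is empty."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm = b""
    previous = b""
    counter = 1
    while len(okm) < length:
        previous = hmac.new(prk, previous + info + bytes([counter]), hash_name).digest()
        okm += previous
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF = Expand(Extract(salt, ikm), info, length)."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Hypothetical context label for the example; DARE's real `info` value is not
# specified in the thread.
RECORD_KEY_INFO = b"example-per-record-key"


def derive_record_key(master_key: bytes, salt: bytes) -> bytes:
    """Per-record key = HKDF(master_key, unique per-entry salt, info, 32 bytes)."""
    return hkdf(master_key, salt, RECORD_KEY_INFO, 32)


def build_log(master_key: bytes, entries: list) -> list:
    """Return [(salt, record_key, entry)] with a fresh random 16-byte salt per entry.

    The salt is the only per-record secret-derivation input that is stored; a reader
    holding the master key re-derives the record key from it. Layout is an example
    assumption, not DARE's container format."""
    log = []
    for entry in entries:
        salt = os.urandom(16)
        log.append((salt, derive_record_key(master_key, salt), entry))
    return log


def recover_record_keys(master_key: bytes, salts: list) -> list:
    """What anyone who later obtains the master key plus the stored salts can compute:
    every historical record key. Derivation is deterministic, so nothing prevents
    this; that is the forward-secrecy gap the reply points at."""
    return [derive_record_key(master_key, s) for s in salts]


if __name__ == "__main__":
    master = os.urandom(32)  # stands in for the key agreed by the public key exchange
    log = build_log(master, [b"entry one", b"entry two", b"entry three"])
    salts = [s for s, _, _ in log]
    keys = [k for _, k, _ in log]
    assert len(set(keys)) == len(keys), "distinct salts must give distinct keys"
    assert recover_record_keys(master, salts) == keys
    print("per-record keys:", [k.hex()[:16] for k in keys])
```

The `hkdf` function reproduces RFC 5869 test case 1 exactly, so it can be checked against the published vector. The last function is the point of the example: because each record key is a pure function of the long-lived master key and a salt stored in the clear, compromise of the master key exposes all past records, which is why the reply asks for forward secrecy before using the structure for chat.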