by lukeqsee 2995 days ago
> something about Bloom Filters or PGP Signatures or something, I dunno

Would this not defeat the purpose? Once an individual was tied to a unique piece of data, they'd be tied to all data in the stream.

I think such a system would definitely require guaranteed expiration (impossible?). Or some sort of rotating keys or the metadata piece would still be uniquely identifying.

I like this idea, as a concept, but I have no idea how it would actually work in real life with bad actors who can and would download all messages as they appear.

I wonder if there's some way to enforce expiration?


rickycook responded to this part with a proposal, but I have my own take on some of it:

For the "tied to a unique piece of data," that's why I want Bob to download lots of messages, hiding the fact that the person at 14.85.101.86 is the user with the recipient ID of ntULzh2AeEgPH9bKxrn3gUL. Bob should also be rotating his IDs all the time. Maybe they're single-use. And if Bob wants Alice to be able to send him messages, then he (out of band) has to give her a huge list of IDs he'll be watching for, in sequence. If they arrive out of sequence, he knows to be supremely suspicious. Also, yes, I recognize that key management is THE PROBLEM. And I'm essentially inventing dead drops. But in my defense, I'm trying to come up with a way to make it easy for a lot of people to use, thus making it easier for everyone to hide in plain sight.

For the "guaranteed expiration," I am actively assuming bad actors would download and archive all messages. I only propose a limited number of days to lessen the storage costs.

For the rotating keys, as I understand it, there's Perfect Forward Secrecy, but it's very chatty (think of it as "online"). There's also a weaker form of Perfect Forward Secrecy (think of it as "offline"), but the risk is that if the communication is broken at any moment, then you can't recover from within that channel - meaning you'd need to go back to the person out of band, and restore communication. I'm probably summarizing it very poorly, but my mental model for it is roughly, at the end of every message I send you, I tell you what new password I will use when I send you the next message. It's actually way smarter than that, as I understand it, but that gives me enough of a mental model to work with it as a lay person.

That makes a lot of sense to me.

I wonder if there's a cryptographically secure way to build a known "stream" of one-use tokens (addresses, if you will) based on known "public key." For metadata security, you only hand that public key out to those you trust.

Another thought is the ability to attempt decoding of every message (as you already alluded to). Encode some well-known bytes at the beginning of every message and see if your key can decode and match them. I'm not certain that protects against metadata snooping, since I don't understand the cryptography enough to know if that well-known text would always be the same for a target private key.
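The "stream of one-use tokens" idea above, together with the earlier point that Bob should watch for his IDs in sequence and treat out-of-order arrivals as suspicious, as an added example that is not part of the thread and is not BIP-47: a constructed shared seed (exchanged out of band) is stretched into single-use recipient IDs with HMAC-SHA256, Alice consumes them in order, and Bob scans every message in the stream and classifies each ID as his or not, in sequence or not, fresh or replayed. The seed value, the ID length and the `Sender`/`Receiver` names are assumptions for illustration.

```python
import hashlib
import hmac

ID_BYTES = 16  # size of each single-use recipient ID (assumed)

def derive_id_chain(seed: bytes, count: int) -> list[str]:
    """Derive `count` single-use recipient IDs from a shared seed.
    ID i = HMAC-SHA256(seed, i); without the seed the IDs look like
    unrelated pseudorandom strings, so they are not linkable to one person."""
    return [
        hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).hexdigest()[: 2 * ID_BYTES]
        for i in range(count)
    ]

class Sender:
    """Alice: consumes the agreed IDs in order, one per message."""
    def __init__(self, seed: bytes, count: int) -> None:
        self.chain = derive_id_chain(seed, count)
        self.next = 0

    def address(self) -> str:
        rid = self.chain[self.next]
        self.next += 1
        return rid

class Receiver:
    """Bob: downloads every message in the stream and classifies its ID."""
    def __init__(self, seed: bytes, count: int) -> None:
        self.chain = derive_id_chain(seed, count)
        self.index = {rid: i for i, rid in enumerate(self.chain)}
        self.expected = 0
        self.used: set[str] = set()

    def classify(self, rid: str) -> str:
        idx = self.index.get(rid)
        if idx is None:
            return "not-for-me"      # someone else's traffic; Bob fetched it as cover
        if rid in self.used:
            return "replay"          # a single-use ID seen twice
        self.used.add(rid)
        verdict = "ok" if idx == self.expected else "out-of-sequence"
        self.expected = idx + 1      # keep watching after the newest accepted ID
        return verdict

def simulate() -> list[str]:
    seed = b"constructed shared seed, exchanged out of band"  # constructed sample
    alice, bob = Sender(seed, 8), Receiver(seed, 8)
    a0, a1, a2 = alice.address(), alice.address(), alice.address()
    stream = [a0, "0" * 32, a2, a1, a1]  # constructed stream: foreign ID, reorder, replay
    return [bob.classify(rid) for rid in stream]

if __name__ == "__main__":
    print(simulate())  # ['ok', 'not-for-me', 'out-of-sequence', 'out-of-sequence', 'replay']
```

The counter-based derivation means whoever holds the seed can compute the whole list at once, which is exactly why, as the thread notes, handing out the seed is the key-management problem rather than a solution to it.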

> wonder if there's a cryptographically secure way to build a known "stream" of one-use tokens (addresses, if you will) based on known "public key."

This is what Bitcoin's BIP-47[1] does, but you can hand that "public key" to anyone[2]. The communication layer in this case is the Bitcoin blockchain.

[1] https://github.com/bitcoin/bips/blob/master/bip-0047.mediawi...

[2] https://paynym.is/

> "guaranteed expiration"

You could make the database so noisy that there's a proof-of-storage cost on anything over a day old.

No guarantee, but something.

Adversaries would want to store only those messages of interest, but that would require breaking the oblivious transfer system.