[londons_explore]

e2e encryption is easy if everyone knows public keys for everyone else. This is how GPG works for example.

However, the challenge is distributing those keys in a trustworthy way - because if someone can tamper with the keys during distribution, they can MITM any connection.

I assume this "bitcoin style" encryption is a blockchain or blocktree of every users public key now and throughout history. Ship the tree root hash inside the client app, and then every user can verify that their own entry in the tree is correct, and any user can use the same verified tree to fetch a private key for any other user.

[kstrauser]

I’m not sure you appreciate how large that data structure would be if you had to ship it inside the app.

[CodesInChaos]

The idea is to only distribute the root of the tree to a client, query the server for the username you want to look up, which then returns the key and a short proof that this username maps to that key within the hash tree identified by the known root.

[kstrauser]

How is that substantially better than an API that returns a user’s key?

[londons_explore]

If the service provider (ie. the X.com servers) are evil, then the API can return false data and the client has no way to know.

However, with a merkle tree, the root hash is embedded into the app, and the servers return the data together with info chaining to the merkle root (typically a few kilobytes, even if the whole tree is hundreds of gigabytes).

With that info, the app can verify the chain to the root and be sure that the servers aren't returning false data.

[fc417fc802]

To clarify the above. It protects against endpoint compromise but depends on the assumption that the service operator (the one computing the root hash) is trustworthy. In other words it significantly reduces attack surface.

[londons_explore]

It can be done with Merkel trees. You just ship the root hash.

Merkel trees are snapshot/read only though - so you then use a bitcoin style Blockchain to ship refreshed versions of the root tree hash (you can even ship it in the actual bitcoin Blockchain if you like, piggybacking on its proof of work to ensure different people don't see different root hashes)

[JustFinishedBSG]

I'm sure shipping a >150GB file to every user is perfectly fine and sound engineering.

[NicolaiS]

Parent comment writes: "ship[ing] the tree root hash", for a merkle tree ("bitcoin style") this would just be a single (small) hash no matter the tree size, i.e. 32 bytes is enough.

[VWWHFSfQ]

It's not _that_ far off from shipping a 3GB chrome webapp disguised as a desktop app (cough electron)

[kstrauser]

What’s a couple orders of magnitude between friends?

[viraptor]

We pretty much know this can't be practically done in a distributed way. Even the public federated stores for gpg keys have been flooded so much they stopped being usable.