Attack on indistinguishability: server excludes some journalists when keys are fetched #56

Open
lumaier opened this issue Oct 1, 2024 · 2 comments

Contributor

lumaier commented Oct 1, 2024

When aiming for indistinguishability between messages sent by sources and journalists (from the server's point of view), one must also consider the information leaked by the number of messages sent by each participant. Specifically:

Sources receive keys from the server for $k$ journalists and send $k$ messages to the server (one for each journalist).

The behavior of journalists is underspecified. Assuming that journalists fetch keys as well (to mimic the sources' behavior), they send $k-1$ messages to all other journalists, excluding themselves, and 1 message to the source (using the keys received from the source's submission). Hence, if the server behaves honestly, the journalists also send $k$ messages.

Attack

The server can now exclude one journalist when returning the journalists' key material. If the fetcher is a source, the server will receive $k-1$ messages with probability 1. If the fetcher is a journalist, the server will receive $k$ messages with probability $\frac{1}{k}$ (when the fetcher is the excluded journalist) and $k-1$ messages with probability $\frac{k-1}{k}$.

(The winning probability can be increased to $\frac{1}{2}$ by excluding half of the journalists.)

Solution

Sources will always send $k$ messages. Journalists need to ensure that they also always send $k$ messages. I propose that, in cases where the journalist fetching the keys is excluded from the returned set of journalists, the journalist encrypts and sends a message to themselves. This way, journalists always send $k$ messages (which will eventually be fetched by someone — i.e., no dummy messages).

Collaborator

TheZ3ro commented Oct 1, 2024

I like this attack: subtle but still super interesting. The proposed solution seems pretty straightforward and easy to implement.
Keep up the good work @lumaier!

Member

lsd-cat commented Oct 5, 2024

Thanks, this is very interesting, again!

Should we require newsrooms to sign a manifest with the current number of journalists every time they onboard or offboard someone? It does not seem like too much additional burden: we can force it to happen when they have to use their signing material anyway to revoke (yeah, this is not really in the protocol) or add journalists. This way the client could check if the server is at least providing the correct amount of keys.

Indeed, when we consider journalist-to-journalist communication we should still send $k$ messages and as such specify it.
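
The message-count leak described in this issue, and the key-count check from the manifest idea, as an added example that is not part of the thread or the project's code. It generalizes the one-journalist case to any excluded set. Assumptions: the fetching journalist is uniformly distributed among the $k$ journalists, the function names are hypothetical, and the manifest signature has already been verified.

```python
from fractions import Fraction

def messages_sent(role, fetcher, returned):
    """Messages uploaded after one key fetch, per the behaviour in the issue.

    A source sends one message per returned journalist key. A journalist
    sends one message to every returned journalist except itself, plus one
    message to the source.
    """
    if role == "source":
        return len(returned)
    return len([j for j in returned if j != fetcher]) + 1

def identification_probability(k, excluded):
    """Probability that a uniformly chosen journalist fetcher uploads a
    message count that no source would upload, when the server withholds
    the keys of the journalists in `excluded`."""
    journalists = list(range(k))  # constructed ids 0..k-1
    returned = [j for j in journalists if j not in excluded]
    source_count = messages_sent("source", None, returned)
    hits = sum(1 for j in journalists
               if messages_sent("journalist", j, returned) != source_count)
    return Fraction(hits, k)

def key_count_matches_manifest(returned, manifest_count):
    """Client-side check: refuse a key set whose size differs from the
    journalist count in the newsroom manifest (signature assumed verified)."""
    return len(returned) == manifest_count

if __name__ == "__main__":
    k = 8  # constructed newsroom size
    for m in (0, 1, k // 2):
        excluded = set(range(m))
        returned = [j for j in range(k) if j not in excluded]
        print(f"excluded={m} "
              f"P(identified)={identification_probability(k, excluded)} "
              f"count check passes={key_count_matches_manifest(returned, k)}")
```
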
