2021-01-30 19:33:30 +00:00
# FuzzyTags
2021-01-29 21:49:52 +00:00
2021-01-30 02:47:49 +00:00
Anonymous messaging systems (and other privacy-preserving applications) often require a mechanism for one party
to learn that another party has messaged them.
2021-01-29 21:52:34 +00:00
2021-01-30 02:47:49 +00:00
Many schemes rely on a bandwidth-intensive "download everything and attempt-decryption" approach. Others rely on a trusted
3rd party to provide the service.
2021-01-30 02:24:27 +00:00
2021-01-30 02:47:49 +00:00
It would be awesome if we could get an untrusted server to do the work for us without compromising metadata-resistance!
2021-01-30 02:24:27 +00:00
2021-01-30 19:33:30 +00:00
**fuzzytags** is a probabilistic cryptographic structure to do just that! Specifically it provides the following
2021-01-30 02:47:49 +00:00
properties:
* Correctness: Valid tags constructed for a specific public key will always validate when tested using the detection key
* Fuzziness: Invalid tags will produce false positives with probability _p_ related to the security property (_γ
* Security: An adversarial server with access to the detection key is unable to distinguish false positives from true positives. (Detection Ambiguity)
## Security (hic sunt dracones)
This crate provides an experimental implementation of the `FMD2` scheme described in ["Fuzzy Message Detection" ](https://eprint.iacr.org/2021/089 ). Using
Ristretto as the prime order group.
This code has not undergone any significant review.
2021-01-30 09:49:18 +00:00
Further, the properties provided by this system are highly dependent on selecting a **false positive rate** _p_ and
**scheme constant** _γ for your system. There is no one-size-fits-all approach.
2021-01-30 02:47:49 +00:00
2021-01-30 09:49:18 +00:00
If _p_ is too low, then the probability of false positives will be very high.
2021-01-30 02:47:49 +00:00
2021-01-30 09:49:18 +00:00
If _p_ is too high, then an adversarial server will be able to link messages to recipients with low probability.
2021-01-30 02:47:49 +00:00
2021-01-30 09:49:18 +00:00
Likewise a large _γ means higher bandwidth costs, but a small _γ reveals more of the secret keys to the server and
increases false positives.
2021-01-30 02:47:49 +00:00
## Usage
Generate a key pair:
2021-01-30 07:09:02 +00:00
2021-01-30 02:47:49 +00:00
let gamma = 3;
2021-01-30 19:33:30 +00:00
let key = FuzzyTagKeyPair::generate(gamma);
2021-01-30 02:47:49 +00:00
`key.public_key` can be given to parties who you want to be able to communicate with you over a specific anonymous
messaging service / privacy-preserving application.
`key.detection_key` can be given to untrusted _adversarial_ servers.
`gamma` is security property (_γ
2021-01-30 19:36:48 +00:00
validate against a random public key with a maximum probability of 2^-gamma.
2021-01-30 02:47:49 +00:00
## Generating Tags
2021-01-30 07:09:02 +00:00
let tag = public_key.generate_tag();
2021-01-30 02:47:49 +00:00
This tag can be attached to a message in a metadata resistant system.
## Verifying Tags
2021-01-30 19:36:48 +00:00
First it is necessary to extract a detection key for a given false positive probability 0 < = 2^-n < = 2^-γ
This extracted key can then be given to an adversarial server can test a given tag against a detection key e.g.:
2021-01-30 02:47:49 +00:00
2021-01-30 09:49:18 +00:00
let detection_key = key.extract(5);
if detection_key.test_tag(tag) {
2021-01-30 19:36:48 +00:00
// the message attached to this tag *might* be for the party associated with the detection key
2021-01-30 02:47:49 +00:00
} else {
// the message attached to this tag is definitely *not* for the party associated with the detection key.
}
2021-01-29 21:52:34 +00:00
