Private Message Exchange
(using homomorphic encryption!)
Why is this so ugly?
I'm still skinning it, check back tomorrow.
What is the metadata here, and why should I care about it?
In the context of messaging, metadata is "who's talking to whom", and it can be just as sensitive as the message itself. For example, anti-abortion states use call logs to Planned Parenthood as evidence of intent, and oppressive regimes track down activists by tracing their contact patterns. Wiretapping for metadata is alive and well, even in the age of end-to-end encryption.
How is message metadata secured?
With the Blyss protocol, the server learns nothing at all about retrievals, not even the location the client is retrieving from. This sounds like an oxymoron for a conventional database - how can you fetch data without its address? - but is made possible by fully homomorphic encryption (FHE). The client encodes the location of the desired message as a one-hot vector of length N (to select one out of N total messages on the server), and encrypts that using an FHE scheme. The server performs a dot product between the encrypted vector and the database of all messages, producing an encrypted result that only the client can decrypt to get the message payload.
More detailed explainers on our use of FHE: a blog post we wrote, our source code, and a paper we published.
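The retrieval described above, written out as an added example that is not Blyss's code: a client encrypts a one-hot selection vector, the server computes an encrypted dot product with its database without learning the index, and the client decrypts the result. Blyss uses a lattice-based FHE scheme; this example substitutes a textbook Paillier cryptosystem (additively homomorphic, so it supports exactly the encrypted-vector times plaintext-database dot product needed here) because it fits in a few stdlib-only lines. The primes, record size and database contents are constructed for the demo and far too small for real use.

```python
import math
import secrets

# Demo-only primes (Mersenne primes 2^31-1 and 2^61-1): fine for illustrating
# the homomorphism, hopelessly small for any real deployment.
P = (1 << 31) - 1
Q = (1 << 61) - 1

RECORD_LEN = 8  # every database record is padded to 8 bytes, so it fits below n (~2^92)

# Constructed sample database of four fixed-size mailboxes (not the demo's data).
DATABASE = [
    b"hi alice".ljust(RECORD_LEN, b"\x00"),
    b"hi bob".ljust(RECORD_LEN, b"\x00"),
    b"hi carol".ljust(RECORD_LEN, b"\x00"),
    b"hi dave".ljust(RECORD_LEN, b"\x00"),
]


def keygen():
    """Paillier keys: public (n, n^2), private (lambda, mu). Uses g = n + 1."""
    n = P * Q
    lam = math.lcm(P - 1, Q - 1)
    mu = pow(lam, -1, n)
    return (n, n * n), (lam, mu)


def encrypt(pk, m):
    """Enc(m) = (1 + n)^m * r^n mod n^2, with fresh random r so every ciphertext looks random."""
    n, n2 = pk
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return ((1 + m * n) % n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    """Dec(c) = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, n2 = pk
    lam, mu = sk
    x = pow(c, lam, n2)
    return ((x - 1) // n) * mu % n


def client_query(pk, index, db_size):
    """The client's query: an encrypted one-hot vector selecting position `index`."""
    return [encrypt(pk, 1 if j == index else 0) for j in range(db_size)]


def server_answer(pk, query, database):
    """Encrypted dot product: prod_j Enc(e_j)^{m_j} = Enc(sum_j e_j * m_j) = Enc(m_index).

    The server only sees ciphertexts, so it cannot tell which position is selected.
    """
    _, n2 = pk
    acc = 1  # Enc(0) with r = 1, the identity for homomorphic addition
    for c, record in zip(query, database):
        m = int.from_bytes(record, "big")
        acc = acc * pow(c, m, n2) % n2
    return acc


def client_decode(pk, sk, answer, record_len=RECORD_LEN):
    """Decrypt the server's answer back into the selected record's bytes."""
    return decrypt(pk, sk, answer).to_bytes(record_len, "big")


def retrieve(index, database=DATABASE):
    """Full round trip for one private retrieval; returns the selected record."""
    pk, sk = keygen()
    query = client_query(pk, index, len(database))
    answer = server_answer(pk, query, database)
    return client_decode(pk, sk, answer)


if __name__ == "__main__":
    for i in range(len(DATABASE)):
        print(i, retrieve(i))
```

Two things are worth noticing when running it. The server's work is linear in the database size regardless of which record is wanted, which is inherent to PIR: touching only one record would reveal the index. And because encryption is randomized, two queries for the same index are unrelated ciphertexts, so the server cannot even tell whether two retrievals asked for the same message.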
Ok, but is this really homomorphic encryption? I thought that was really slow.
Yup, this is real-deal fully homomorphic encryption (FHE), running in your browser. We focused on the specific problem of private information retrieval, which allowed us to significantly optimize our FHE scheme. It's still slow compared to a plaintext database lookup, but we think it is now fast enough for some apps - we can serve gigabytes of data privately in under a second per query. Want to try using fast FHE in your own apps? Here's our open-source SDK!
How are message contents secured?
To send a message addressed to mailbox M, the browser client first derives a key K = PBKDF2(M), using a fixed salt. K is used by the client to AES-encrypt the message; K never leaves your device. Of course, the server must not learn M, so the client writes the encrypted message to server location L = SHA256(M). Thus, the message is readable by anyone who knows M.
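The mailbox scheme above as an added example (not the demo's own code): K and L are both derived from the mailbox name, the server stores only L and the ciphertext, and anyone who knows M can locate and read the message. The page does not state the salt, iteration count or AES mode, so the fixed salt and iteration count here are constructed placeholders and AES-GCM is my choice of mode; the `cryptography` package is assumed to be installed.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

FIXED_SALT = b"demo-fixed-salt"  # constructed placeholder; the demo's real salt is not on the page
PBKDF2_ITERATIONS = 200_000      # assumed; the page gives no iteration count


def derive_key(mailbox: str) -> bytes:
    """K = PBKDF2(M): a 128-bit AES key that depends on the mailbox name alone."""
    return hashlib.pbkdf2_hmac("sha256", mailbox.encode(), FIXED_SALT, PBKDF2_ITERATIONS, dklen=16)


def location(mailbox: str) -> str:
    """L = SHA256(M): the server slot the ciphertext is written to; M itself never reaches the server."""
    return hashlib.sha256(mailbox.encode()).hexdigest()


def send(store: dict, mailbox: str, plaintext: bytes) -> str:
    """Client side: encrypt under K and write the blob to location L. Returns L."""
    nonce = os.urandom(12)
    blob = nonce + AESGCM(derive_key(mailbox)).encrypt(nonce, plaintext, None)
    loc = location(mailbox)
    store[loc] = blob  # the server sees only (L, ciphertext)
    return loc


def receive(store: dict, mailbox: str):
    """Client side: anyone who knows M can compute L, fetch the blob and derive K to decrypt it."""
    blob = store.get(location(mailbox))
    if blob is None:
        return None
    nonce, ct = blob[:12], blob[12:]
    try:
        return AESGCM(derive_key(mailbox)).decrypt(nonce, ct, None)
    except InvalidTag:
        return None


def server_view(store: dict):
    """What the server can see: locations and ciphertext lengths, never M or K."""
    return {loc: len(blob) for loc, blob in store.items()}


if __name__ == "__main__":
    server = {}
    send(server, "bob", b"meet at noon")
    print(receive(server, "bob"))    # b'meet at noon'
    print(receive(server, "alice"))  # None: wrong M gives a different L
    print(server_view(server))
```

The derivation makes the limitation in the next answer concrete: K has no more entropy than the mailbox name itself, which is why the page does not call this end-to-end encryption.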
Is this end-to-end encryption?
No. In this toy demo, your message contents are encrypted, but under a weak key that is merely derived from the destination's name - not something we'd ever call E2E. But the metadata of message retrievals is actually protected, so the server cannot know who is messaging whom. Caveat: regardless of encryption strategy, patterns in client activity can always hint at client relationships, unless communicating parties take care to decorrelate their actions.
Could this be used as a metadata-private messenger?
With a couple more steps (starting with E2EE), maybe! If you're interested in this sort of thing, we should definitely talk.