It seems weird to call a protocol where the receivers aren't anonymous anonymous messaging, particularly because if either side is anonymous traffic analysis may give up the other pretty easily.
The reencryptions seem to identify forwarding parties that have the recipient as a contact.
It's also not clear to me if/how they avoid reencryptions blowing up the total traffic being carried (because the mesh can't de-duplicate the reencrypted messages afaict?).
The security model where Bob will be compromised but still manage to output an updated key while a message is still in flight isn't clear. If bob is compromised, the attacker probably has his device and he won't send out an updated key for a long time if ever.
It's not clear to me why MA adds so many bytes. An 8 byte tag should be more than enough to uniquely identify the session (and if a trivial number of trial decryptions were tolerated, perhaps 4 bytes would be fine). Also I find it odd to see 44 bytes described as small-- it's probably larger than the average plaintext payload.
There are a LOT of round trips on this protocol and I wonder what they mean by "mesh networks" such that the bandwidth and reliability that all those round trips are sustainable.
also completely ignores timing/traffic correlation attacks which are no longer theoretical anymore - and chattiness would likely make them more effective
The reencryptions seem to identify forwarding parties that have the recipient as a contact.
It's also not clear to me if/how they avoid reencryptions blowing up the total traffic being carried (because the mesh can't de-duplicate the reencrypted messages afaict?).
The security model where Bob will be compromised but still manage to output an updated key while a message is still in flight isn't clear. If bob is compromised, the attacker probably has his device and he won't send out an updated key for a long time if ever.
It's not clear to me why MA adds so many bytes. An 8 byte tag should be more than enough to uniquely identify the session (and if a trivial number of trial decryptions were tolerated, perhaps 4 bytes would be fine). Also I find it odd to see 44 bytes described as small-- it's probably larger than the average plaintext payload.