Pond threat model
The threat model is defined in terms of what each possible attacker can achieve. The list is intended to be exhaustive, i.e. if an entity can do something that is not listed here then that should count as a break of Pond. (For now, this document is very new and I may have missed some things.)
Firstly, assumptions about the user:
- The user acts reasonably and in good faith. (Starting off very vaguely! But if the user were to give their private key material to the attacker that would be unreasonable, for example.)
- The user obtains an authentic copy of Pond.
Secondly, assumptions about the user's computer:
- The computer correctly executes the program and is not compromised by malware.
- The computer has a TPM or other form of erasable storage.
Lastly, assumptions about the world:
- The security assumptions of curve25519, Ed25519, salsa20, poly1305, HMAC-SHA256, Rijndael (with a 256-bit block) and pairing based group-signatures are valid.
What the user's home server can achieve:
- A server can learn when a user is online by observing transactions.
- A server can learn how many messages a user receives, and when they receive them. (But not who sent them.)
- A server can learn the approximate size of any uploaded detachments, when they are uploaded and when they are downloaded.
- A server can drop or corrupt any messages.
- A server can spam a user with invalid messages.
- A server can duplicate old messages.
- A server can drop or corrupt any uploaded detachments.
- A server can estimate the number of contacts who send messages to a given account after that account has issued a revocation based on the number of clients who try to send messages using an expired group generation number.
- (Future) A server can falsely inform a contact that they have been revoked.
What a global, passive adversary (one who can observe all Internet traffic) can achieve:
- A GPA can learn who is using Pond and where their home servers are located.
- A GPA can learn when messages are sent to a non-home server and which server that is.
- A GPA can observe detachment uploads and downloads, and who is performing each of those actions.
- A GPA can observe when a shared-secret key exchange is performed and can limit possible set of other parties to those who were also performing a key exchange at the same time.
What a local network attacker can achieve:
- A local network can observe when a user is using Pond.
- A local network can block Pond.
- A local network can observe the approximate size of any detachment uploads and downloads.
- A local network can observe when a shared-secret key exchange is performed.
What a physical seizure of the user's computer can achieve:
- After a seizure, an attacker can perform an offline attack against the user's passphrase and obtain undeleted messages if successful.
What a physical compromise of the user's computer can achieve:
- A compromise of the user's computer can obtain all messages from the point of compromise, onwards.
What the shared-secret key exchange (PANDA) server can achieve:
- The PANDA server can run offline attacks against the shared secret and can MITM any in-progress exchanges that it can break.
- The PANDA server can drop or delay any key exchanges that it wishes.
What a contact can achieve:
- A contact can spam a user with messages.
- A contact can, to some extent, prove to a third-party that a message came from a user (paper)
- A contact can retain messages from a user, forever.
- A contact can learn that a user has revoked a contact (but not which contact, unless they are the revoked contact) at some time after the time of the previous message that they sent to the user.
- A contact can learn if two of their contacts are actually the same user.
- Two contacts can confirm if they are communicating with the same user.
What a random person on the Internet can achieve:
- A random person can attempt an online attack against running PANDA key exchanges and MITM one of the users if they succeed. The other will receive an error.
- A random person can attempt to DoS a Pond server.