"ephemeral" key doesn't achive anything (in the context of ssb)

[dominictarr]

You can't have forward security if you have persistent records.
There is a time and place for denyable communications and a place for on-the-record.

For example, we may socialize over beer while negioating a business deal (denyable, and beer improves denyability), but when we sign the contract the agreement is fully on the record (although, likely private to the participants)

If you used private-box in isolation, and disposed of old messages, it would indeed be forward secure.
but in ssb it's not, so, we wouldn't loose any security by removing the ephemeral key, and instead using box(key, sender.secret*recipient.public, ...) etc.

[dominictarr]

If we used long term keys like this, the api could treat this as only using symmetric keys.
This would improve decryption performance well, because 1 asymmetric operation is worth about 50 times what one symmetric operation is.

Since we decrypt the to field, we must attempt decryption of all encrypted messages we see.
That means the majority of decryptions will fail, because most messages are not for you.
So it's pretty important that we fail fast.

my laptop can do 2297 scalarmults a second, but can do 342,916 failed secretbox_open, that is 142 times faster. If we don't have to do a new scalarmult per message, then we have more headroom to do more decryption attempts.

That means we can use more types of decryption and more importantly, use more groups etc.

[arj03]

Interesting. If we get some kind of concept of fractal identities or shared if you want, then maybe that allows these kinds of ephemeral messages.

[dominictarr]

@arj03 sorry I don't follow, can you expand on that a bit?

[arj03]

I mean that if instead og "me" being one feed, then for groups or specific conversations i can use a different feed, meaning if they break that feed they can only see those messages. This might be rather hypothetical if its the same machine but for a mobile / computer shared identity it might make sense.

How this would work in detail i am not sure, but if it maks sende then i dont see why it couldnt be built.

[dominictarr]

Yes, well if you both delete your private keys then that is forward secret. This means even you won't be able to open those messages, though. So you could create temporary keys, send them to each other in a private message, then plan your surprise party, then delete your keys. that would be forward secret (but not denyable if the private message was compromised)