Read Snake, by Barenghi et al., 2014.

Snake not only uses end-to-end encryption so that servers can't read message content, it also attempts to prevent servers from analyzing stored data in order to find out who is friends with whom, or who is communicating with whom.

Snake focuses on anonymizing the stored data. But a malicious server also sees the IP addresses from which requests arrive, the timing of requests, etc. Would such information break Snake's anonymity promises?

The friendship establishment protocol in Section III.B and Figure 4 seems to require that users A and B know each other's public keys already. Could the server succeed with a man-in-the-middle attack by returning false results to A's and B's requests for each other's records from the Friendship Table (Figure 2)?

What is the Socialist Millionaires' Protocol (SMP) [18]? How does Snake use it? The paper's reference [19] has useful background.

What about the Web of Trust (WoT)?

Do SMP or WoT seem like good general-purpose identification/authentication schemes for decentralized applications?

Would it make sense for Snake to use a naming system such as Keybase or Blockstack? Which parts of the design could then be replaced (i.e. which parts of Section III.B)?

Why does each Snake user have three asymmetric key pairs? How is each used?

Can the storage provider trick clients by returning stale data, or by ignoring updates, or by forking different clients' views of the data? Are any of these a serious problem in this context?

Can there be multiple storage providers?

Does Snake have better/worse properties than DECENT?

Page 764 mentions that Snake uses techniques from reference [13] for key distribution and groups. How does that work?