<div dir="ltr"><div><div>Is the authorization step considered a direct interaction? I can't personally think of a way to do this privately unless the "authorization to create contact set intersection" step is ignored. Otherwise, best case scenario, an adversary wishing to discover the contacts list can just iterate across all known contacts, correct? If you have a single directory, that implies that the directory has the capability to unmask everyone's contacts. That being said, just because I can't think of one, doesn't mean one doesn't exist. That's also something you could potentially mitigate through an expensive one-way function like scrypt/argon2/etc. But now we're talking risk management and not provable security, if that's what you're going for.<br><br></div>If you do allow the one authorization step, I can think of fairly easy ways of doing it -- as a simple example, Ben's suggestion of random + hmac (the random would be reused for all contacts, and the authorization step would be passing Bob the random). Alice is still giving Bob the ability to brute force her entire contacts list, though, if he can query the directory.<br><br></div>That last problem (Bob brute forcing against the directory once he's granted access to create a set against Alice's contacts) is, I think, unsolvable: the socialist millionaire protocol doesn't protect against a dishonest party if that dishonest party knows all possible values of X and has the capacity to iterate against them, does it?</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br>Nick Badger<br></div><div><a href="https://www.ethyr.net" target="_blank">https://www.ethyr.net</a><br></div><div><a href="https://www.muterra.io" target="_blank">https://www.muterra.io</a><br></div><div dir="ltr"><div><a href="http://www.nickbadger.com" target="_blank">http://www.nickbadger.com</a><br><span><font size="1">PGP fingerprint 37B9 22FC 2E47 50AA E06B 9CEC FB65 8930 46F0 333A, listed at <a href="https://pgp.mit.edu/" target="_blank">MIT</a> and <a href="http://keyserver.pgp.com/" target="_blank">PGP</a></font></span><br></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Mon, Feb 29, 2016 at 12:45 PM, Tony Arcieri <span dir="ltr"><<a href="mailto:bascule@gmail.com" target="_blank">bascule@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Sure, the original impetus for this was some discussion on the SimplySecure Slack of having a protocol which did not require any direct interactions between Alice and Bob for doing a private set intersection for contacts, mediated through a third party (the directory)<span class=""><span></span><br><br>On Monday, February 29, 2016, Joseph Bonneau <<a href="mailto:jbonneau@gmail.com" target="_blank">jbonneau@gmail.com</a>> wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Mon, Feb 29, 2016 at 12:38 PM, Tony Arcieri <span dir="ltr"><<a>bascule@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>On Monday, February 29, 2016, Joseph Bonneau <<a>jbonneau@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">I'm not sure exactly what the goal is here. Is it for Alice and Bob to find out which contacts they have in common without each revealing the whole set?</div></blockquote><div><br></div></span><div>Yes. Moxie did a great job of spelling out the problem and various non-solutions here: </div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><br></div><div><span></span> <a href="https://whispersystems.org/blog/contact-discovery/" target="_blank">https://whispersystems.org/blog/contact-discovery/</a></div></blockquote><div><br></div></span><div>That post describe the problem of Alice and Bob trying to find out if they're both using the same service. I asked if the goal is for Alice and Bob to find out which contacts they have in common without each revealing the whole set, which is a quite different proposition. It sounds from your original message like you were asking about this, since you mentioned "<span style="font-size:12.8px">Bob is authorized in the directory to view Alice's contacts"</span><br></div></div><br></div></div><span class="HOEnZb"><font color="#888888">
</font></span></blockquote><span class="HOEnZb"><font color="#888888"><br><br>-- <br>Tony Arcieri<br><br>
</font></span><br>_______________________________________________<br>
Messaging mailing list<br>
<a href="mailto:Messaging@moderncrypto.org">Messaging@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/messaging" rel="noreferrer" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br>
<br></blockquote></div><br></div>