[messaging] Introduction secrets and "unlinkable rendezvous" protocols

Trevor Perrin trevp at trevp.net
Tue Feb 18 16:29:13 PST 2014

On Mon, Feb 17, 2014 at 11:56 PM, Brian Warner <warner at lothar.com> wrote:
> On 2/15/14 4:50 PM, Trevor Perrin wrote:
>> During an offline meeting, users would exchange their long-term
>> fingerprints. They would then enter the other party's fingerprint into
>> their app, which would perform some pre-rendezvous steps:
>>  - Retrieve the other party's introduction cert by querying one of the
>>    mirrors.
> Would that require some sort of PIR protocol? Seems like the mirrors
> could learn who's interested in whom at about the same time, and thus
> deduce the connection.

Hmm, good question.

The directory would learn: "a Tor user is interested in Alice" and "a
Tor user is interested in Bob".  These wouldn't be tightly correlated
in time, as Alice and Bob might fire up their app at different times
after the meeting.

If the directory can also monitor users as they communicate with Tor
entry nodes, it could attempt end-to-end timing correlation (But this
is also true of a rendezvous server with meeting IDs, not just my

Some possible defenses, not sure which are best:

- Have all users occasionally send dummy lookups to the directory.

- Eliminate the central directory and look up a party's key at a
directory of her choice.  So instead of just exchanging fingerprints,
Alice and Bob exchange <fingerprint><@directory-name>, and choose
directories they trust not to do these things.

- Access the directory over a high-latency mix network, to break up
the end-to-end timing correlation.

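The following is an added illustration, not code from the thread or from any project discussed in it. It models the inference a curious directory could make from its lookup log (pairs of fingerprints queried close together in time) and then shows the effect of the first two defenses listed above: dummy lookups, and per-user directories. The fingerprints, timestamps, population size, 120-second window, and random seed are all constructed for the example.

```python
"""Toy model of the linkability risk raised above: the directory sees only
(timestamp, fingerprint) for each lookup arriving over Tor, but lookups that
land close together in time suggest two users who just met.  The functions
after the model show how dummy lookups and per-user directories (defenses 1
and 2 in the message) blunt that inference.  All data here is constructed."""
import random
from itertools import combinations
from typing import Dict, List, Set, Tuple

Lookup = Tuple[int, str]          # (seconds since an arbitrary epoch, fingerprint queried)
Pair = frozenset                  # unordered pair of fingerprints

# Constructed ground truth: two offline meetings, each followed by two lookups.
REAL_LOOKUPS: List[Lookup] = [
    (100, "fp_alice"), (160, "fp_bob"),      # Alice and Bob met; each looks the other up
    (7200, "fp_carol"), (7230, "fp_dave"),   # Carol and Dave met
]
TRUE_PAIRS: Set[Pair] = {Pair({"fp_alice", "fp_bob"}), Pair({"fp_carol", "fp_dave"})}

# Constructed population: 20 fingerprints published at the directory.
ALL_FINGERPRINTS = ["fp_alice", "fp_bob", "fp_carol", "fp_dave"] + [f"fp_user{i}" for i in range(16)]
HORIZON = 10_000   # seconds covered by the log (assumed)
WINDOW = 120       # directory's heuristic: lookups within 2 minutes belong together (assumed)


def directory_guess_pairs(log: List[Lookup], window: int = WINDOW) -> Set[Pair]:
    """Inference available to an honest-but-curious directory: every pair of
    distinct fingerprints whose lookups arrive within `window` seconds."""
    guesses: Set[Pair] = set()
    for (t1, fp1), (t2, fp2) in combinations(sorted(log), 2):
        if fp1 != fp2 and abs(t1 - t2) <= window:
            guesses.add(Pair({fp1, fp2}))
    return guesses


def precision(guesses: Set[Pair], truth: Set[Pair]) -> float:
    """Fraction of the directory's guessed pairs that are real introductions."""
    return len(guesses & truth) / len(guesses) if guesses else 0.0


def add_dummy_lookups(log: List[Lookup], per_user: int = 5, seed: int = 1) -> List[Lookup]:
    """Defense 1: every client occasionally queries a random fingerprint at a
    random time.  At the directory a dummy is indistinguishable from a real lookup."""
    rng = random.Random(seed)    # seeded only so the example is repeatable
    padded = list(log)
    for _ in range(per_user * len(ALL_FINGERPRINTS)):
        padded.append((rng.randrange(HORIZON), rng.choice(ALL_FINGERPRINTS)))
    return padded


def split_by_directory(log: List[Lookup], home: Dict[str, str]) -> Dict[str, List[Lookup]]:
    """Defense 2: each fingerprint is published at a directory of its owner's
    choosing (<fingerprint><@directory-name>), so a lookup for Alice goes to
    Alice's directory and a lookup for Bob to Bob's.  Returns each directory's view."""
    views: Dict[str, List[Lookup]] = {}
    for t, fp in log:
        views.setdefault(home[fp], []).append((t, fp))
    return views


def federated_guesses(log: List[Lookup], home: Dict[str, str]) -> Set[Pair]:
    """Union of what the individual, non-colluding directories can each infer."""
    guesses: Set[Pair] = set()
    for view in split_by_directory(log, home).values():
        guesses |= directory_guess_pairs(view)
    return guesses


if __name__ == "__main__":
    plain = directory_guess_pairs(REAL_LOOKUPS)
    print("single directory, no padding:    precision", precision(plain, TRUE_PAIRS))
    padded = add_dummy_lookups(REAL_LOOKUPS)
    print("single directory, dummy lookups: precision",
          round(precision(directory_guess_pairs(padded), TRUE_PAIRS), 3))
    # Alice and Carol publish at dir-A, Bob and Dave at dir-B, everyone else at dir-C.
    home = {fp: "dir-C" for fp in ALL_FINGERPRINTS}
    home.update({"fp_alice": "dir-A", "fp_carol": "dir-A", "fp_bob": "dir-B", "fp_dave": "dir-B"})
    print("separate directories:            precision",
          precision(federated_guesses(REAL_LOOKUPS, home), TRUE_PAIRS))
```

Without padding the directory's two guesses are both correct; with a hundred dummy lookups spread over the same interval the real pairs are still present but buried among many false ones, which is the point of defense 1. The federated split only helps while the directories do not pool their logs and cannot watch Tor entry traffic, which matches the message's caveat that users must choose directories they trust not to do these things; the mix-network defense (3) attacks the same timing signal from the other side and is not modelled here.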