[messaging] Unlinkable rendezvous via human-sized keys (was: Re: Human sized keys)

Ben Laurie ben at links.org
Thu Mar 20 11:35:47 PDT 2014

On 20 March 2014 07:11, Trevor Perrin <trevp at trevp.net> wrote:
> (Context for this discussion:
> https://moderncrypto.org/mail-archive/messaging/2014/000086.html
> https://moderncrypto.org/mail-archive/messaging/2014/000113.html
> )
> On Wed, Mar 19, 2014 at 7:20 PM, Watson Ladd <watsonbladd at gmail.com> wrote:
>> Dear all,
>> I was recently thinking about the introduction problem: how do two
>> people meet and find each other on a messaging system and bootstrap to a
>> trusted situation?
>> There seem to be two kinds of question: one is a low-entropy shared
>> secret, the other involves exchange of key material. The first would
>> involve cut the deck or two-dollar call trick (each person gets a half
>> with a serial number, or half a deck), and we have 48 bits in the case
>> of the deck or some number I haven't calculated yet in the case of the
>> bills.
>> With the low-entropy shared secret the issue is rendezvous without
>> exposing the secret. I don't have a solution for that.
> Me neither.
> I've heard proposals to have a rendezvous server return all messages to
> every client, within some time window.  The client would respond to every
> 1st-round PAKE message by calculating the potential shared secret and
> sending a trial 2nd-round message.  Only one received 2nd-round message
> would match.
> But this doesn't eliminate the online-guessing risk.  And it provides a
> large DoS amplification against the clients and server, so seems
> impractical.

FWIW, here's a thing I did years ago:


I'm told there's work being done on a less ad hoc mechanism...
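
The broadcast rendezvous Trevor Perrin describes in the quoted text, sketched as an added example that is not part of the original thread: a simplified password-masked Diffie-Hellman exchange in the style of SPAKE2 over a toy group. The class and function names, the group parameters, the addressing of 2nd-round messages by 1st-round value and the sample secrets are all assumptions. It shows that only the pair sharing a secret confirms, while N clients produce N(N-1) trial 2nd-round messages.

```python
import hashlib, hmac, secrets

# Toy group (assumption): 127-bit Mersenne prime field, far too small for real use.
P, G = 2**127 - 1, 3
M = int.from_bytes(hashlib.sha256(b"mask element M").digest(), "big") % P

def pw_scalar(secret):
    """Map the low-entropy shared secret to an exponent."""
    return int.from_bytes(hashlib.sha256(secret.encode()).digest(), "big") % (P - 1)

class Client:
    def __init__(self, name, secret):
        self.name, self.w = name, pw_scalar(secret)
        self.x = secrets.randbelow(P - 2) + 1
        # 1st-round message: ephemeral DH share masked by the secret.
        self.msg1 = pow(G, self.x, P) * pow(M, self.w, P) % P

    def _key(self, peer_msg1):
        # Unmask with our own secret; yields g^(xy) only if the peer used the same one.
        unmasked = peer_msg1 * pow(pow(M, self.w, P), -1, P) % P
        k = pow(unmasked, self.x, P)
        lo, hi = sorted((self.msg1, peer_msg1))
        return hashlib.sha256(f"{lo}|{hi}|{k}|{self.w}".encode()).digest()

    def trial(self, peer_msg1):
        """2nd-round trial message: key confirmation over our own msg1."""
        return hmac.new(self._key(peer_msg1), str(self.msg1).encode(), "sha256").digest()

    def check(self, peer_msg1, tag):
        expect = hmac.new(self._key(peer_msg1), str(peer_msg1).encode(), "sha256").digest()
        return hmac.compare_digest(expect, tag)

def rendezvous(clients):
    """Server hands every 1st-round message to every client; count the work."""
    board = [(c.name, c.msg1) for c in clients]
    second_round = [(c.name, c.msg1, m1, c.trial(m1))
                    for c in clients for name, m1 in board if name != c.name]
    matches = sorted((c.name, sender) for c in clients
                     for sender, s_msg1, to_msg1, tag in second_round
                     if to_msg1 == c.msg1 and c.check(s_msg1, tag))
    return len(second_round), matches

# Constructed sample: six clients in one time window, only alice and bob share a secret.
SECRETS = {"alice": "7c-qh-9s", "bob": "7c-qh-9s", "carol": "2d-kd-5h",
           "dave": "jc-3s-8d", "erin": "ah-4c-qd", "frank": "9h-ts-2c"}

if __name__ == "__main__":
    print(rendezvous([Client(n, s) for n, s in SECRETS.items()]))
```

Each trial message costs its sender two modular exponentiations, and every 1st-round message a client posts still gives each peer one guess at its secret, so the sketch does not address the online-guessing concern raised in the quoted text.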

