[messaging] Unlinkable rendezvous via human-sized keys (was: Re: Human sized keys)

Joseph Bonneau jbonneau at gmail.com
Sun Mar 23 07:53:57 PDT 2014

> Your approach eliminates the need to mask the intro-cert lookup via PIR or
> dummy traffic.  But it lowers the security of your long-term key from ~128
> bits to ~80 bits, and reduces "forward-secrecy of linkages", since
> compromise of the long-term ECDH key (which you've printed on your business
> card, so you're not going to rotate it frequently) allows going through
> published rendezvous messages and linking correspondents for the key's
> lifetime.

Something I think was missed when Trevor initially proposed the intro-cert
lookup process: we shouldn't assume the only use case is that Alice/Bob
meet, and later on there are time-correlated lookups for Alice and Bob's
intro-certs. It seems reasonably common that a group of people get together
and have a small key-exchange party. I'm assuming nobody wants to support
some group exchange protocol and we'd prefer pairwise exchanges, but this
means if N people get together, and then they all look up a very similar set
of N-1 intro-certs promptly thereafter, this is going to be
hard-to-impossible to mask by timing noise and dummy traffic. I suspect
that if unlinkability is a goal then this approach requires PIR.
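The group-lookup scenario described above, as an added simulation from a privacy-analysis standpoint (my own constructed example, not code from this thread or from any of the systems discussed): a lookup server that sees only a per-connection requester identifier and the requested cert identifier can cluster the N party members from the overlap of their cert sets, even when every client adds random dummy lookups and the lookups are smeared over a jitter window. The PIR case is modelled by hiding the cert identifier from the server, after which the same analysis finds nothing. Party names, pool size, window lengths and dummy counts are all invented parameters.

```python
import random
from collections import defaultdict

# Constructed scenario (not from the thread): four people meet and exchange
# intro-cert identifiers pairwise, then each fetches the other three certs from
# a lookup service. Twenty unrelated clients use the same service. Every client
# also issues random dummy lookups, and all lookups are spread over a jitter
# window, to model the two countermeasures the post argues are insufficient.
PARTY = ["alice", "bob", "carol", "dave"]
BYSTANDERS = [f"user{i}" for i in range(20)]
CERT_POOL = 100_000          # size of the public intro-cert directory (assumed)
DUMMIES_PER_CLIENT = 5       # cover lookups per client (assumed)
JITTER = 600                 # seconds over which each client's lookups are smeared
T0 = 1_000_000               # arbitrary epoch for the constructed log


def party_cert(p):
    """Intro-cert identifier of party member p; kept outside the random pool."""
    return f"cert:{p}"


def build_log(seed=1, pir=False):
    """Return a time-sorted list of (time, requester, cert_id) as the lookup
    server would record it. With pir=True the server cannot see which cert was
    fetched, so cert_id is None and only the fact of a lookup remains."""
    rng = random.Random(seed)
    log = []

    def add(requester, cert):
        log.append((T0 + rng.randint(0, JITTER), requester, None if pir else cert))

    for p in PARTY:
        for q in PARTY:
            if q != p:
                add(p, party_cert(q))                        # real post-meeting lookups
        for _ in range(DUMMIES_PER_CLIENT):
            add(p, f"cert{rng.randrange(CERT_POOL)}")        # dummy traffic
    for u in BYSTANDERS:
        for _ in range(DUMMIES_PER_CLIENT + 3):
            add(u, f"cert{rng.randrange(CERT_POOL)}")        # unrelated browsing
    log.sort()
    return log


def link_groups(log, window=3600, min_shared=2, min_size=3):
    """Cluster requesters whose cert sets overlap inside one time window.
    Two requesters are joined when they fetched at least min_shared identical
    certs; a reported group is a connected component with at least min_size
    members. Two bystanders colliding on random certs only ever form a pair,
    so they are not reported, while N party members each share N-2 certs with
    every other member and form one component regardless of jitter or dummies."""
    groups = []
    i = 0
    while i < len(log):
        start = log[i][0]
        seen = defaultdict(set)                  # requester -> certs fetched in window
        while i < len(log) and log[i][0] < start + window:
            _, who, cert = log[i]
            if cert is not None:                 # under PIR nothing is learned here
                seen[who].add(cert)
            i += 1
        names = sorted(seen)
        adj = {n: set() for n in names}
        for a in names:
            for b in names:
                if a < b and len(seen[a] & seen[b]) >= min_shared:
                    adj[a].add(b)
                    adj[b].add(a)
        visited = set()
        for n in names:
            if n in visited:
                continue
            comp, stack = set(), [n]
            while stack:
                x = stack.pop()
                if x in comp:
                    continue
                comp.add(x)
                stack.extend(adj[x] - comp)
            visited |= comp
            if len(comp) >= min_size:
                groups.append(comp)
    return groups


if __name__ == "__main__":
    print("server sees cert ids:", link_groups(build_log()))
    print("server behind PIR:   ", link_groups(build_log(pir=True)))
```

The server never learns which person `cert:bob` belongs to, but it does not need to: the four requesters that fetch nearly the same small set of certs in the same hour stand out as a group, and random dummy lookups drawn from a directory of 100,000 certs essentially never create two-cert collisions between unrelated clients. Only removing the cert identifier from the server's view (the PIR line) removes the signal.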