[messaging] Unlinkable rendezvous via human-sized keys (was: Re: Human sized keys)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Mar 23 17:56:50 PDT 2014

On 03/23/2014 07:59 PM, Trevor Perrin wrote:
> We're circling around a few ideas for the "physical meeting ->
> introduction secret -> unlinkable online rendezvous" scenario.  Are
> there other approaches we're missing?
> Ways to arrive at an "introduction secret" based on a physical
> meeting, and their downsides:
>  1) Secret exchange
>   - asking people to think up sufficient entropy on the fly seems
> risky and low useability
>   - using non-computer tools to generate entropy seems low useability
> (shuffling cards, rolling dice, tearing "tickets" in half, etc.)
>   - central rendezvous server / DHT needed
>  2) "Human-sized" ECDH key exchange
>   - smallish keys (32 base32 chars = 80 bit security)
>   - low "forward secrecy for linkages" unless you change the key frequently
>   - central rendezvous server / DHT needed
>   - needs user preparation before meeting
>  3) Directory Name + Fingerprint exchange
>   - needs PIR to make "intro-cert" lookups unlinkable
>   - needs user preparation before meeting

I think the proposal i mentioned earlier (one-use strong DH keys that
users print a stack of beforehand) is worth including in this bestiary.
Even if we decide ultimately that it is logisitically too expensive,
it's a useful contrast to the others.

This would be a proposal similar to (2) but would have stronger keys,
automatic forward secrecy, and different user preparation before
meeting.  there are ways to avoid the perforating/stapling/tape parts of
the process, fwiw, which would just leave the user with the job of
printing and carrying an introduction ticket stash and maybe carrying a pen.

This approach would be strongly unlinkable, since each key is only used


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140323/8ea125a5/attachment.sig>

More information about the Messaging mailing list