[messaging] Comparing introduction secret schemes (was Re: Unlinkable rendezvous via human-sized keys)

Trevor Perrin trevp at trevp.net
Sun Mar 23 18:56:20 PDT 2014


On Sun, Mar 23, 2014 at 5:56 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
>
> I think the proposal i mentioned earlier (one-use strong DH keys that
> users print a stack of beforehand) is worth including in this bestiary.
> Even if we decide ultimately that it is logistically too expensive,
> it's a useful contrast to the others.

OK,

Though I'm calling this "not great usability" because you still have
to print and carry a deck of cards, handle card halves, and type in
~256 bits of ECDH key (51 base32 chars?).

Some other changes:

 - If you're doing lookups through PIR mirrors instead of through the
user's intro-cert directory, maybe you don't need to exchange the
directory name?  The PIR thing is still a huge question mark, but I'll
pretend that works.

 - Fingerprint or multi-use ECDH keys have the benefit that you get
the user's long-term fingerprint which can be corroborated with
3rd-parties to make sure it's correct.

 - Fingerprint or multi-use ECDH keys have the downside that you get
the user's long-term pseudonym, so it doesn't have the "unlinkable
pseudonym" property by default - users can figure out they're
corresponding with the same party.


Different methods and their disadvantages -

1) Secret exchange
 - asking people to think up sufficient entropy on the fly seems risky
and low usability
 - using non-computer tools to generate entropy seems low usability
(shuffling cards, rolling dice, tearing "tickets" in half, etc.)
 - central rendezvous server / DHT needed
 - fingerprints must be exchanged separately (if desired)

2) "Human-sized" ECDH key exchange
 - smallish keys (32 base32 chars = 80 bit security)
 - low "forward secrecy for linkages" unless you change the key frequently
 - central rendezvous server / DHT needed
 - needs user preparation before meeting
 - doesn't provide "unlinkable pseudonyms" - users can figure out
they're corresponding with the same party

3) "One-time cards" ECDH key exchange
 - not great usability (print / carry / exchange card halves, type in
~256 bits ECDH key per contact)
 - central rendezvous server / DHT needed (unless printed on card?)
 - needs user preparation before meeting
 - fingerprints must be exchanged separately (if desired)

4) Fingerprint exchange
 - needs PIR (??) to make "intro-cert" lookups unlinkable
 - needs user preparation before meeting
 - doesn't provide "unlinkable pseudonyms" - users can figure out
they're corresponding with the same party


Trevor
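The following is an added illustration of two points in the comparison above; it is not code from the thread or from any of the participants. It models the "multi-use key" schemes (2 and 4) against "one-time cards" (3) with X25519 as the ECDH, checks the base32 lengths the message quotes, and shows why reusing one key gives contacts a linkable pseudonym while fresh per-contact cards do not. The rendezvous-tag construction (HMAC over the shared secret), the scheme labels and the Bob/Carol names are assumptions made for the example.

```python
"""Toy model of the introduction-scheme bestiary (added example, not from the thread).

Assumptions: X25519 (RFC 7748) stands in for "ECDH key"; the rendezvous tag is an
assumed HMAC-SHA256 construction; peer names and scheme labels are constructed.
"""
import base64
import hashlib
import hmac
import math
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """X25519 scalar multiplication, RFC 7748 section 5 Montgomery ladder.

    Plain-Python reference code: the conditional swap is not constant-time,
    so this is for illustration, not for protecting real keys.
    """
    k = bytearray(scalar)
    k[0] &= 248          # clamp as RFC 7748 prescribes
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow((da + cb) % P, 2, P)
        z3 = x1 * pow((da - cb) % P, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    """Fresh ECDH key: private scalar plus the public point a user would hand over."""
    sk = os.urandom(32)
    return sk, x25519(sk, BASEPOINT)


def base32_chars(bits: int) -> int:
    """How many base32 characters a key of `bits` bits needs (5 bits per char)."""
    return math.ceil(bits / 5)


def human_encoding(pubkey: bytes) -> str:
    """Unpadded base32: the 'type it in' form of a public key discussed above."""
    return base64.b32encode(pubkey).decode().rstrip("=")


def rendezvous_tag(shared: bytes) -> bytes:
    """Assumed construction: both sides derive the same opaque tag from the ECDH
    secret and post/look it up at the rendezvous server or DHT."""
    return hmac.new(shared, b"rendezvous-tag", hashlib.sha256).digest()[:16]


def meet(alice_key, peer_sk: bytes) -> dict:
    """What a peer holds after one in-person exchange with Alice."""
    alice_sk, alice_pk = alice_key
    peer_pk = x25519(peer_sk, BASEPOINT)
    shared = x25519(peer_sk, alice_pk)
    assert shared == x25519(alice_sk, peer_pk)   # both sides agree on the secret
    return {"alice_pubkey": human_encoding(alice_pk), "tag": rendezvous_tag(shared)}


def peers_can_link(scheme: str) -> bool:
    """Schemes 2 and 4 reuse one long-term key; scheme 3 hands each contact a fresh card.

    Bob and Carol (constructed peers) compare the key strings they typed in:
    identical strings mean they can tell they met the same Alice.
    """
    static = keypair()
    def card():
        return static if scheme == "multi-use" else keypair()
    bob = meet(card(), os.urandom(32))
    carol = meet(card(), os.urandom(32))
    # The per-pair rendezvous tag differs either way; only the reused key links.
    assert bob["tag"] != carol["tag"]
    return bob["alice_pubkey"] == carol["alice_pubkey"]


if __name__ == "__main__":
    print("256-bit key ->", base32_chars(256), "base32 chars; 160-bit ->", base32_chars(160))
    print("multi-use key linkable:", peers_can_link("multi-use"))
    print("one-time cards linkable:", peers_can_link("one-time"))
```

With 256-bit keys the unpadded base32 form is 52 characters (255 significant bits would fit in 51), and a 160-bit key is exactly the 32 characters quoted for the "human-sized" scheme. Running the linkability check shows the trade-off in the list: the reused key is what makes fingerprint corroboration possible and what lets contacts link each other, while one-time cards avoid the link at the cost of a fresh key per contact.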

