[messaging] SafeSlinger's Ephemeral Fingerprint

[Trevor Perrin]

On Thu, Jun 26, 2014 at 2:35 PM, Michael Farb <mwfarb at cmu.edu> wrote:
>
> One approach we took with SafeSlinger was to reduce the set of 2-10 public
> keys of all users who are trying to simultaneously exchange keys to 24-bits
> through a real-time combined in-band and out-of-band protocol. The advantage
> is 2-10 people attesting to the same 24-bit ephemeral fingerprint goes
> pretty quickly.

Hi Michael,

Thanks for sending that!

We had earlier discussion on nearby people exchanging public keys and
other contact info by using their phones to execute a "pairing"
protocol, which users authenticate with a "Short Auth String".

SafeSlinger looks like a well-designed generalization of that for
small groups.  Everyone in the group verifies the same SAS, instead of
having each pair of users compare.

At the moment it looks like communications are through a server, with
a "compare amongst yourselves and enter lowest ID" step so the users
can form into groups while preserving client anonymity.

But that's a useability inconvenience, and the server contact still
seems like a risk for relationship info (you could contact it over
Tor, but Tor's not perfect).  I wonder what the prospects are for
making this work over Bluetooth or other short-range comms.  The
paper's analysis of message rounds and bandwidth is a little vague, it
would be nice to see more detail.

I'm also curious what led you to choose a tree-based group key
agreement rather than either
 (A) a ring-based GKA (like Burmester-Desmedt or Kim-Lee-Lee [1], e.g.
do DH with parties to left and right of you, publish the XOR), or
 (B) pairwise encryption to each user's public DH value (at <= 10
users, it seems like that could be a single message of a few hundred
bytes).

Trevor

[1] https://www.iacr.org/archive/asiacrypt2004/33290243/33290243.pdf