[messaging] Masking contact addresses with ECDH

Nick Badger nbadger1 at gmail.com
Mon Feb 29 13:06:42 PST 2016


Is the authorization step considered a direct interaction? I can't
personally think of a way to do this privately unless the "authorization to
create contact set intersection" step is ignored. Otherwise, best case
scenario, an adversary wishing to discover the contacts list can just
iterate across all known contacts, correct? If you have a single directory,
that implies that the directory has the capability to unmask everyone's
contacts. That being said, just because I can't think of one, doesn't mean
one doesn't exist. That's also something you could potentially mitigate
through an expensive one-way function like scrypt/argon2/etc. But now we're
talking risk management and not provable security, if that's what you're
going for.

If you do allow the one authorization step, I can think of fairly easy ways
of doing it -- as a simple example, Ben's suggestion of random + hmac (the
random would be reused for all contacts, and the authorization step would
be passing Bob the random). Alice is still giving Bob the ability to brute
force her entire contacts list, though, if he can query the directory.

That last problem (Bob brute forcing against the directory once he's
granted access to create a set against Alice's contacts) is, I think,
unsolvable: the socialist millionaire protocol doesn't protect against a
dishonest party if that dishonest party knows all possible values of X and
has the capacity to iterate against them, does it?


Nick Badger
https://www.ethyr.net
https://www.muterra.io
http://www.nickbadger.com
PGP fingerprint 37B9 22FC 2E47 50AA E06B 9CEC FB65 8930 46F0 333A, listed
at MIT <https://pgp.mit.edu/> and PGP <http://keyserver.pgp.com/>

On Mon, Feb 29, 2016 at 12:45 PM, Tony Arcieri <bascule at gmail.com> wrote:

> Sure, the original impetus for this was some discussion on the
> SimplySecure Slack of having a protocol which did not require any direct
> interactions between Alice and Bob for doing a private set intersection for
> contacts, mediated through a third party (the directory)
>
> On Monday, February 29, 2016, Joseph Bonneau <jbonneau at gmail.com> wrote:
>
>>
>>
>> On Mon, Feb 29, 2016 at 12:38 PM, Tony Arcieri <bascule at gmail.com> wrote:
>>
>>> On Monday, February 29, 2016, Joseph Bonneau <jbonneau at gmail.com> wrote:
>>>
>>>> I'm not sure exactly what the goal is here. Is it for Alice and Bob to
>>>> find out which contacts they have in common without each revealing the
>>>> whole set?
>>>>
>>>
>>> Yes. Moxie did a great job of spelling out the problem and various
>>> non-solutions here:
>>>
>>
>>>  https://whispersystems.org/blog/contact-discovery/
>>>
>>
>> That post describes the problem of Alice and Bob trying to find out if
>> they're both using the same service. I asked if the goal is for Alice and
>> Bob to find out which contacts they have in common without each revealing
>> the whole set, which is a quite different proposition. It sounds from your
>> original message like you were asking about this, since you mentioned "Bob
>> is authorized in the directory to view Alice's contacts"
>>
>>
>
> --
> Tony Arcieri
>
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>
>
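
The random + HMAC masking discussed in the message above, as an added example that is not part of the original thread: Alice masks every contact under one reused random value, and whoever is handed that value can intersect against his own contacts or against every address the directory knows. The function names, sample addresses and scrypt parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def mask(rand: bytes, contact: str) -> bytes:
    """Token = HMAC-SHA256(rand, contact); rand is reused for all contacts."""
    return hmac.new(rand, contact.lower().encode(), hashlib.sha256).digest()


def mask_slow(rand: bytes, contact: str) -> bytes:
    """Same masking with scrypt as the expensive one-way function.
    Cost parameters are assumed; they raise the price per guess only."""
    return hashlib.scrypt(contact.lower().encode(), salt=rand,
                          n=2**12, r=8, p=1, dklen=32)


def publish(rand, contacts, f=mask):
    """What Alice uploads to the directory: an unordered set of tokens."""
    return {f(rand, c) for c in contacts}


def intersect(rand, directory_tokens, candidates, f=mask):
    """Authorized party (holds rand) tests candidate addresses against tokens."""
    return {c for c in candidates if f(rand, c) in directory_tokens}


# Constructed sample data, not taken from the thread.
ALICE = ["carol@example.org", "dave@example.org", "erin@example.org"]
BOB = ["dave@example.org", "frank@example.org"]
KNOWN_USERS = ALICE + BOB + ["grace@example.org"]  # all directory addresses


def demo():
    rand = secrets.token_bytes(32)       # passed to Bob in the authorization step
    tokens = publish(rand, ALICE)
    common = intersect(rand, tokens, BOB)            # the intended result
    # Same call, larger candidate list: the whole contact set is recovered.
    exposed = intersect(rand, tokens, KNOWN_USERS)
    # Without the right random value the tokens match nothing.
    blind = intersect(secrets.token_bytes(32), tokens, KNOWN_USERS)
    return common, exposed, blind


if __name__ == "__main__":
    for label, result in zip(("common", "exposed", "blind"), demo()):
        print(label, sorted(result))
```

Swapping `mask` for `mask_slow` leaves all three results unchanged and only increases the work per candidate address.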