anonymous DH & MITM

Zooko O'Whielacronx zooko at zooko.com
Thu Oct 2 15:08:38 EDT 2003


Bear wrote:
>
> If it's an anonymous protocol, then "credit" for being a good chess
> player is a misnomer at best; the channel cannot provide credit to
> any particular person.

I understand the objection, which is why I made the notion concrete by saying 
that Mitch wins if he gets the first player to accept the second player's 
move.  (I actually think that you can have some notion of "credit" -- for 
example a persistent pseudonym linked to a longer-term public key, but that 
isn't necessary to appreciate the current challenge.)


> > Now, obviously Mitch could always act as a passive proxy, forwarding
> > exactly the bits he receives, but in that case he can be defeated by
> > e.g. DH.  To make it concrete, suppose that the first player
> > includes both his move and his public key (or his public DH
> > parameters) in his message, and the second player encrypts his
> > message with the public key that arrived in the first message.
> 
> Public key? I thought we were talking about an open protocol between
> anonymous entities.  If Alice and Bob can identify each other's public
> keys, we're not talking about anonymous entities.

Right.  I proposed that the first player send a public key even though the 
second player has no way to authenticate it.  The effect of this is that Mitch 
can no longer act as a purely passive proxy (i.e., he can't act like an Eve), 
because if he does the second move will be encrypted so that he can't read 
it.  Oh -- whoops!  This doesn't suffice to deter Mitch from acting as a 
passive proxy, since we didn't specify that he had to actually see the second 
move in order to win.  Maybe we should add the requirement that for Mitch to 
win he has to know what the second player's move was.

Sorry about the incorrect detail.


> > Now, you might intuitively believe that this is one of those
> > situations where Mitch can't lose.  But there are several protocols
> > published in the literature that can help the players against Mitch,
> > starting with Rivest & Shamir's Interlock Protocol from 1984.
> 
> Hmmm.  I'll go read, and thanks for the pointer.  But I'm confident
> that if Mitch can be kept out, then either it's not fully anonymous
> participants, or it's not a fully open protocol.

I understand where you are coming from.  Your intuition about this is usually 
right (i.e., for pretty much all protocols that you have ever actually 
encountered), and it is an intuition that you share with most thinkers, even 
those who are brilliant and well-read cryptographers.  However the Interlock 
Protocol provides a counter-example to that intuition!  (Not for Chess 
Grandmaster, but for a full-duplex protocol such as Bughouse Grandmaster).

There are other counter-examples in the literature, which I would be happy to 
enumerate.  :-)


Please let me know if you find an on-line copy of Rivest & Shamir's Interlock 
Protocol (1984).  I had to walk down to a library to read it.

Regards,

Zooko

http://zooko.com/log.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
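Zooko's proposal above (a public key in the first message, the second move encrypted under it) and the interlock idea he points to, as an added example that is not part of the original thread or of the Rivest & Shamir paper: a toy DH exchange in which Mitch swaps in his own key and reads move 2, beside a full-duplex commit-then-reveal round that forces Mitch to fix what player 1 will accept before he can learn move 2. The hash commitment stands in for Rivest & Shamir's half-ciphertext split, and the group, the pad cipher and the move strings are constructed for the demo.

```python
import hashlib, secrets

# Toy DH group, constructed for this demo; far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def xor_enc(key, msg):
    """One-time pad derived from the key (moves are at most 32 bytes); decrypt = same call."""
    pad = hashlib.sha256(key + b"move").digest()
    return bytes(a ^ b for a, b in zip(msg, pad))

def commit(ct):
    """Interlock 'first half' as used here: a hash that binds the sender to the later reveal."""
    return hashlib.sha256(ct).digest()

def plain_game(move2):
    """Player 1 ships a public key with his move; player 2 encrypts move 2 under it.
    Mitch replaces that key with his own and relays, so he reads move 2 and player 1
    still accepts it: an active Mitch wins, only a passive one is stopped."""
    a, A = keypair(); b, B = keypair(); m, M = keypair()
    ct = xor_enc(shared_key(b, M), move2)            # player 2 keyed to Mitch, not player 1
    learned = xor_enc(shared_key(m, B), ct)          # Mitch decrypts ...
    relayed = xor_enc(shared_key(m, A), learned)     # ... and re-encrypts for player 1
    accepted = xor_enc(shared_key(a, M), relayed)    # player 1 keyed to Mitch, not player 2
    return learned, accepted

def interlock_game(move1, move2, mitch_guess):
    """Full-duplex variant: both players send commit(ciphertext) first and the
    ciphertext second. Mitch again holds substituted keys on both sides, but he
    must hand player 1 a commitment before any reveal reaches him, so the move
    player 1 accepts is fixed (here: Mitch's guess) before Mitch can learn move 2."""
    a, A = keypair(); b, B = keypair(); m, M = keypair()
    k1, k2 = shared_key(a, M), shared_key(b, M)      # each player's key, really with Mitch
    mk1, mk2 = shared_key(m, A), shared_key(m, B)    # Mitch's side of each key
    c1, c2 = xor_enc(k1, move1), xor_enc(k2, move2)
    # Round 1: commit(c1) and commit(c2) cross. Mitch can read neither, so the only
    # commitment he can later open toward player 1 is one he builds from a guess.
    forged = xor_enc(mk1, mitch_guess)
    p1_holds = commit(forged)
    learned = xor_enc(mk2, c2)      # Round 2: reveals cross; Mitch learns move 2 too late
    # Player 1 accepts only a reveal matching the commitment received in round 1.
    accepted = xor_enc(k1, forged) if commit(forged) == p1_holds else None
    return learned, accepted
```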
