anonymous DH & MITM

bear bear at sonic.net
Thu Oct 2 17:16:51 EDT 2003



On Thu, 2 Oct 2003, Zooko O'Whielacronx wrote:

> I understand the objection, which is why I made the notion concrete
> by saying that Mitch wins if he gets the first player to accept the
> second player's move.  (I actually think that you can have some
> notion of "credit" -- for example a persistent pseudonym linked to a
> longer-term public key, but that isn't necessary to appreciate the
> current challenge.)

Wait.  That's not anonymity, that's pseudonymity.  And yes, you can
have pseudonymous open protocols that are immune to MITM.  My
contention was that you can't have anonymous open protocols that are
immune to MITM.

> Right.  I proposed that the first player send a public key even
> though the second player has no way to authenticate it.  The effect
> of this is that Mitch can no longer act as a purely passive proxy
> (i.e., he can't act like an Eve), because if he does the second move
> will be encrypted so that he can't read it.  Oh -- whoops!  This
> doesn't suffice to deter Mitch from acting as a passive proxy, since
> we didn't specify that he had to actually see the second move in
> order to win.  Maybe we should add the requirement that for Mitch to
> win he has to know what the second player's move was.

Okay, so the keypair is fresh-made and we are talking about an
anonymous protocol.  In that case Alice can't tell Mitch's key from
Bob's key and Bob can't tell Mitch's key from Alice's.

>> > starting with Rivest & Shamir's Interlock Protocol from 1984.
>>
>> Hmmm.  I'll go read, and thanks for the pointer.

Perhaps I spoke too soon?  It's not in Eurocrypt or Crypto 84 or 85,
which are on my shelf.  Where was it published?

				Bear
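
The anonymous/pseudonymous distinction above, as an added example that is not part of the original message: with fresh unauthenticated keys the receiver has nothing to check a key against, while a fingerprint remembered for a persistent pseudonym exposes a substituted key. The toy group, the function names and the pin (assumed to have been learned in an earlier session that was not interposed) are all assumptions of this sketch.

```python
import hashlib
import secrets

# Toy group for illustration only (constructed; far too small for real use).
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    """Fresh Diffie-Hellman keypair in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared(priv, peer_pub):
    """Session key derived from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()

def fingerprint(pub):
    """Short identifier for a public key, used as the pseudonym's pin."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def accept(received_pub, pinned_fp=None):
    """Anonymous mode (no pin): every well-formed key looks the same, so
    there is nothing to reject. Pseudonymous mode: compare to the pin."""
    if pinned_fp is None:
        return True
    return fingerprint(received_pub) == pinned_fp

def run(interposed, pinned):
    """One exchange between Alice and Bob, optionally with Mitch in the
    middle swapping in his own key in both directions."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()   # Bob's key (long-term when pinned)
    m_priv, m_pub = keypair()   # Mitch's key
    pin = fingerprint(b_pub) if pinned else None
    seen_by_alice = m_pub if interposed else b_pub
    seen_by_bob = m_pub if interposed else a_pub
    if not accept(seen_by_alice, pin):
        return {"accepted": False, "end_to_end": False}
    k_alice = shared(a_priv, seen_by_alice)
    k_bob = shared(b_priv, seen_by_bob)
    # end_to_end is True only when Alice and Bob hold the same key.
    return {"accepted": True, "end_to_end": k_alice == k_bob}

if __name__ == "__main__":
    for interposed in (False, True):
        for pinned in (False, True):
            print(interposed, pinned, run(interposed, pinned))
```

In the anonymous, interposed case Alice accepts the key and completes the exchange, but the key she derives is shared with Mitch rather than Bob; nothing she received lets her tell the difference.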

---------------------------------------------------------------------
The Cryptography Mailing List