how to defeat MITM using plain DH, Re: anonymous DH & MITM

Zooko O'Whielacronx zooko at zooko.com
Sat Oct 4 07:53:32 EDT 2003


 Ed Gerck wrote:
>
> It's possible to have at least one open and anonymous protocol
> immune to MITM -- which I called multi-channel DH.

This is a good idea!

I used to advocate it on the cypherpunks list (e.g. [1]).

Later I learned that it is called a "Merkle Channel".  From _MOV_ [2], page 48:

  """
  One approach to distributing public keys is the so-called Merkle Channel 
  (see Simmons, p.387).  Merkle proposed that public keys be distributed over 
  so many independent public channels (newspaper, radio, television, etc.) 
  that it would be improbably for an adversary to compromise all of them.
  """

Regards,

Zooko

[1] http://cypherpunks.venona.com/date/1995/10/msg00668.html
[2] http://www.cacr.math.uwaterloo.ca/hac/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list