[Cryptography] ZK meeting scheduling protocol?

Ray Dillinger bear at sonic.net
Sun Jan 15 15:59:27 EST 2017 


On 01/14/2017 06:51 AM, Henry Baker wrote:
> As most of you already know, Microsoft Outlook provides some protocols for helping to schedule meetings via email.
> 
> Has anyone developed a zero knowledge protocol for such scheduling?

You mentioned zero-knowledge proofs but I do not see one in your
protocol requirements.  I'm assuming there isn't a ZKP going on
here. If I'm wrong, then who are Peggy and Victor?  What is
Peggy trying to prove and what is Victor trying to verify?

Otherwise this looks like the classic "Byzantine Generals"
problem, with additional security/privacy requirements.  The
additional security/privacy requirements look a lot like multi-
party Diffie-Hellman key exchange, or possibly look like they
might be accomplished using a Dining Cryptographers' Network.

At first blush I'd say something like "multi-party Diffie-
Hellman exchange or Byzantine-Generals protocol, either with
message blinding, or carried out over dining cryptographers'
network," but that's before analyzing the problem carefully,
and the communications overhead for either of those over a
DCN would be pretty cumbersome.

So start by reading up on those classic protocols.  But first
get a firm idea of the requirements in your mind so you can tell
when and how those protocols do and don't match them.

Now.  When attempting protocol design, you start with three
basic questions.


Let's consider.  First, what are your objectives?

1.  Before the protocol, Alice, Bob, Carol .... Xavier,
    Yvette, Zebulon want to schedule something but each
    has constraints on the time slots available during
    which they can schedule it.

2.  After the protocol, either they have determined some
    common time slot that doesn't violate any of their
    constraints (protocol success) or have determined
    that no such time slot exists (protocol failure).

Second, what are your security requirements?

1.  If anyone, including the participants, learns anything
    specific about the schedule constraints of any
    participant, beyond the fact that all have the agreed
    timeslot available or that no such time slot exists,
    then the protocol violates the privacy requirement.

2.  If a nonparticipant can determine what time slot has
    been agreed on, or determine that no such time slot
    exists, then the protocol violates the confidentiality
    requirement.

3.  If a nonparticipant can influence or choose which of
    several possible time slots are chosen, (for example
    by redirecting or resequencing protocol messages
    between participants) then the protocol violates the
    authenticity requirement.

4.  If any two participants can be led to have different
    beliefs about whether a common time slot is available or
    about which that time slot is, then the protocol violates
    the consistency requirement.

Third, what's your threat model?  ie, what are the capabilities
of the attackers trying to cause the above failures?  All the
attackers are assumed to have public keys but no private keys
of all participants.

1.  Eve (eavesdropper) is assumed to be present and will
    monitor the channels hoping to learn things about the
    participants' schedules, including but not limited to
    the event they're trying to schedule in this protocol.

2.  Eve's Big Sister Nessa (traffic and metadata analyst)
    will be monitoring traffic patterns and will learn
    something about schedules violating confidentiality if
    the sequence or direction of messages depends on any
    participant's (or any subset of participants') match
    or mismatch with a proposed schedule.

3.  Mallory (who can also intercept, change, block, redirect,
    or fake messages), is also a fairly constant threat.
    There's really no way to prevent Mallory from performing
    a Denial-of-Service, but that's essentially the same as
    saying you have to be able to communicate at all.

    Mallory must never get the opportunity to present an
    arbitrary string of bits that will get signed by a
    participant's private key, (not even in a protocol that
    will be aborted due to later detection of protocol
    violation) and no message from any participant, including
    messages exchanged in a previous or aborted iteration
    of the protocol, should be meaningful if Mallory
    misdirects it to a different participant or replays it
    to its original recipient.  Either of these conditions
    can lead to virtually any security violation.

4.  Sybil (malefactor pretending to be several participants)
    appears to be excluded because all participants have
    each others' private keys, and if they're scheduling
    meetings and know which private key corresponds to which
    participant they'd notice if the relation isn't 1-to-1.
    This is important because Sibyl can easily mount an
    undetectable denial-of-service in any agreement protocol.

5.  Trent (who normally does something beneficial but can
    screw people over by acting in bad faith) appears to be
    excluded from consideration here because if a Trent were
    tolerable this protocol would be trivial and you wouldn't
    even be thinking about it.

Those are the big five; if there are any other relevant
threat models for this protocol who are they?



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170115/5448713a/attachment.sig>

More information about the cryptography mailing list