[Cryptography] Secret Handshake problem.
Jerry Leichter
leichter at lrw.com
Sun Mar 12 16:11:15 EDT 2017
> A is an identity that is a member of a club.
>
> C and D are identities that are not members of this club.
>
> C wants to reveal to D that C and A are the same, that C is secretly a member of the club, if and only if D is secretly a member of the club under a different identity.
Let's split this into two subproblems.
If C is sure that D is a member, then C wants to send a proof of exactly the fact "C is actually the member known as A" to D. Zero-knowledge proof theory provides a solution to this problem.
But C would not wish to send this proof to a D who is *not* a member. So suppose all members of the group share a (symmetric) key K. C encrypts the proof with K and sends it to D. If D is a member, he decrypts it and learns about C. If not, D can't read the proof and learns nothing.
Except of course that D may wonder about the message. There are all kinds of "social engineering" excuses that could be made for the "misdirected" message. Or in some cases D might be expecting a message that he can't read anyway. For example, C and D might be running Tor forwarders. D decrypts a message and finds within it something it *expects* to look like next-step forwarding instructions, and then random bits. Except that if D knows K, those "random bits" are actually the proof. (Of course, in this situation, the proof is overkill - the fact that C knew the key to encrypt "I'm A" - with suitable redundancy - is enough.)
Alternatively, if C and D are using a protocol that allows for subliminal channels, C might be able to hide the message there.
-- Jerry
More information about the cryptography
mailing list