[Cryptography] Secret Handshake problem.

Jerry Leichter leichter at lrw.com
Sun Mar 12 16:11:15 EDT 2017


> A is an identity that is a member of a club.
> 
> C and D are identities that are not members of this club.
> 
> C wants to reveal to D that C and A are the same, that C is secretly a member of the club, if and only if D is secretly a member of the club under a different identity.
Let's split this into two subproblems.

If C is sure that D is a member, then C wants to send a proof of exactly the fact "C is actually the member known as A" to D.  Zero-knowledge proof theory provides a solution to this problem.

But C would not wish to send this proof to a D who is *not* a member.  So suppose all members of the group share a (symmetric) key K.  C encrypts the proof with K and sends it to D.  If D is a member, he decrypts it and learns about C.  If not, D can't read the proof and learns nothing.

Except of course that D may wonder about the message.  There are all kinds of "social engineering" excuses that could be made for the "misdirected" message.  Or in some cases D might be expecting a message that he can't read anyway.  For example, C and D might be running Tor forwarders.  D decrypts a message and finds within it something it *expects* to look like next-step forwarding instructions, and then random bits.  Except that if D knows K, those "random bits" are actually the proof.  (Of course, in this situation, the proof is overkill - the fact that C knew the key to encrypt "I'm A" - with suitable redundancy - is enough.)

Alternatively, if C and D are using a protocol that allows for subliminal channels, C might be able to hide the message there.

                                                        -- Jerry



More information about the cryptography mailing list