[Cryptography] Anonymous rendezvous (was Business opportunities in crypto)
Christian Huitema
huitema at huitema.net
Thu Apr 15 03:06:52 EDT 2021
On 4/15/2021 2:54 AM, Richard Outerbridge wrote:
>> On 2021-04-14 (104), at 16:58:10, Kent Borg <kentborg at borg.org> wrote:
>>
>> On 4/14/21 12:37 AM, Christian Huitema wrote:
>>> Anonymous rendezvous is a vexing problem.
>> When you put it that way, it sounds pretty impossible.
> Sounds pretty much reducible to PSSK.
Excuse my ignorance, but can you spell out PSSK?
Anonymous rendezvous is not entirely impossible. During the discussion
in the DNSSD working group, we saw one plausible proposal. Assume that
each of the parties has a public/private key pair, that authorized peers
know the public key of the party with which they want to rendezvous, and
that this public key is otherwise kept hidden from third parties. In
short, the public key is treated as a shared secret between parties
authorized to discover the owner of the key pair. The rendezvous can be
achieved by encrypting a message with the public key of the party that
want to be discovered, then broadcasting that message. Only the targeted
party can decrypt it, and nobody else can find who the message is for.
The message shall include suitable nonce to protect from replay attacks,
and the encryption must not reveal the public key. So, in a sense, the
problem is solved. On the other hand, there is a huge scaling issue
because every potential target shall try to decrypt every anonymous
discovery attempt. There were proposals to add various kind of hints to
reduce the processing requirement, but you quickly find out that every
additional hint reduces the puriy of the scheme and compromises
anonymity. So in that sense, the problem is not solved.
-- Christian Huitema
More information about the cryptography
mailing list