[Cryptography] Anonymous rendezvous (was Business opportunities in crypto)

Jerry Leichter leichter at lrw.com
Sat Apr 17 14:23:14 EDT 2021


>> Look, we all know how this kind of thing works in practice; we've done it forever, without any cryptography.  The reason I bring this up is the long-standing false claim that public-key cryptography allows two parties who've never interacted previously to talk securely to each other, without any other parties being involved.  But it doesn't work like that - it *can't* work like that - in any meaningful sense.
> 
> I have no idea if I agree with you or not, but I feel compelled to comment.
> 
> I'm going to assert that it both *can* and *does* work that way, but I'm going to take the very same argument you make....

I think we agree on the underlying reality, but disagree on its implications.

There's a viewpoint one runs into with discussions of cryptography:  We want to use it to support systems that (a) are "strongly distributed" - "strongly" because we want to assume *no* connections between participants except those explicitly desired; (b) have no trusted third parties.  It's from (a) that we get the whole notion of anonymous rendezvous:  Any two parties can engage in trusted communication of a set of messages with each other without any communication outside of those messages.  What I contend - and I believe you agree - is that this requirement cannot be met.  And it cannot be met, not because of weaknesses in the cryptography, but because it simply makes no sense.  If you dig down, you end up with an assertion that "I communicated with someone and no one other than the someone I communicated with could have seen or modified the messages, but I have no idea who that someone actually is."  Which is something, but it's not in any meaningful sense a rendezvous, which implies a meeting *with some particular person*.

We in the crypto community are often careless in describing things outside of our own circles - and often even with each other.  When public key cryptography is described to people, it's often along the following lines:  "In the past, we used private key cryptography.  This required Alice and Bob to get together and share a secret key between them.  But now Bob can simply publish his public key and Alice can securely send him messages; they don't even need to meet.  Just what we need on the Internet."  Which is true in some sense but misses the underlying non-cryptographic issue:  Just how does "Bob publishes his public key" somehow get transformed into "Alice knows that she is encrypting with the public key of the exact Bob to whom she wishes to send a message?"  Once you start digging into that non-cryptographic question, you see that there are really only two alternatives:  Either Alice has already met "that Bob" and has some non-public information about him that lets her identify him; or the two of them trust some third party to provide them with such information.

So ... which of the two requirements of the assumed model of the kind of systems that some cryptos dream of do you want to give up?

Personally, I'm willing to - and do - give up *either* depending on circumstances.  Most of my communications are with people I've actually met.  Granted, we may not have ever shared something as explicit as keying information, but we are each reasonably confident that we know enough non-public (or at least non-forgeable) information about each other to bootstrap any level of necessary security between us.

I also have communications with "people" who, if I'm honest, aren't really "people": They are on-line personas, about whom I know only what they post or email to me.  For very many purposes that's fine, too.

Finally, there will be people or institutions with whom I need to communicate but with whom I have no prior contact.  In that case, it's exactly a trusted third party I'll turn to:  A mutual contact, a listing in some directory that I place some trust in, a Google search result, a DNS resolution plus a cert signed by some CA.  The quality of these varies, but without *some* intermediary that I place *some* trust in, these would be contacts I'm forever walled off from.

Cryptography gives us a huge amount of power, but not everything can be solved with cryptographic protocols.  We make a serious mistake when we imply, or simply let others infer, otherwise.

                                                        -- Jerry