[Cryptography] Anonymous rendezvous (was Business opportunities in crypto)

Christian Huitema huitema at huitema.net
Sat May 8 21:43:23 EDT 2021 

On 5/7/2021 11:39 AM, John Levine wrote:
> It appears that jrzx via cryptography <jrzx at protonmail.ch> said:
>>> 1) Allow a party with an established reputation to claim it on the Web.
>>> 2) To allow a party with no reputation to establish that they are accountable to some civil authority.
>> By now, however, all the important reputations are established *on* the web, so
>> moving existing reputations to the web no longer matters.
> This must be a different web than the rest of us use.
>
> When I use my bank's web site, I consider it rather important that
> the entity I deal with through the web site is the same one I deal
> with when I walk down to their physical branch.

This long thread told me one thing: anonymous rendezvous is a poor name 
for a problem, because it encompasses many different problems.

The initial problem that I had in mind is probably better called 
something like "discrete handshake". The typical scenario involve 
parties that know each and have exchanged credentials beforehand, like 
employees of the same company or devices belonging to the same owner. 
The problem is to establish a network connection without divulging their 
identities and presence to outside observers. For example, in the two 
employees scenario, their laptops discover each other by broadcasting 
messages over WiFi or Bluetooth, but these messages do not reveal to 
observers identifying information like static MAC Addresses, IP 
addresses or public key values.

There is a related problem in which the two parties have not previously 
met, but possess a shared cue, such as two halves of a torn dollar bill. 
I don't know whether that system reduces to the previous one. It 
probably does, but I have no proof of that. I could call it "discrete 
encounter".

Then there is the case of two parties that have never met and have no 
shared knowledge, but want to start a communication. The goal of these 
parties is to exchange credentials that could later prove that they are 
still communicating to the same partner. When the two parties are two 
devices, this typically reduces to "pairing". Solutions often involve an 
out of band channel for verification, such as the PIN numbers displayed 
and verified when pairing Bluetooth devices. There is quite a bit of 
literature on that subject.

I am personally more interested in the discrete handshake problem. For 
example, allowing WiFi clients to connect to WiFi servers without the 
server broadcasting a constant SSID, and without the client polling for 
a previously known SSID.

-- Christian Huitema

More information about the cryptography mailing list