On 20 March 2014 07:11, Trevor Perrin <[email protected]> wrote: > > (Context for this discussion: > > https://moderncrypto.org/mail-archive/messaging/2014/000086.html > https://moderncrypto.org/mail-archive/messaging/2014/000113.html > ) > > > On Wed, Mar 19, 2014 at 7:20 PM, Watson Ladd <[email protected]> wrote: >> >> Dear all, >> >> I was recently thinking about the introduction problem: how do two >> people meet find each other on a messaging system and bootstrap to a >> trusted situation? >> >> There seem to be two kinds of question: one is a low-entropy shared >> secret, the other involves exchange of key material. The first would >> involve cut the deck or two-dollar call trick (each person gets a half >> with a serial number, or half a deck), and we have 48 bits in the case >> of the deck or some number I haven't calculated yet in the case of the >> bills. >> >> With the low-entropy shared secret the issue is rendezvous without >> exposing the secret. I don't have a solution for that. > > > Me neither. > > I've heard proposals to have a rendezvous server return all messages to > every client, within some time window. The client would respond to every > 1st-round PAKE message by calculating the potential shared secret and > sending a trial 2nd-round message. Only one received 2nd-round message > would match. > > But this doesn't eliminate the online-guessing risk. And it provides a > large DoS amplification against the clients and server, so seems > impractical.
FWIW, here's a thing I did years ago: http://www.apache-ssl.org/apres.pdf I'm told there's work being done on a less ad hoc mechanism... _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
