Matchmaking

The seminal work that introduced Secret Handshakes has been presented by Balfanz et al. in 2003 [BDS⁺03]. Before this paper, a few other works have described protocols with similar objectives. In this Section we will describe these protocols, highlighting some new features whose understanding will be essential for the comprehensive study of the Secret Handshake design space.

In 1985, Baldwin and Gramlich introduced the concept of Matchmaking [BG85].

In Matchmaking protocols, the concept of property that we have referred to as part of Definition 4 become user-generated wishes; for instance, the authors present an example involving a company hiring a high-level manager from within the workforce of other – possibly competing – companies. On the one hand, a manager is reluctant to expose his willingness to leave his current employer; on the other hand, a company is not keen on publicizing that they need a replacement in the current management workforce.

Given the sensitiveness of the topics, both users express communication “wishes” on the nature of the other party; wishes can be – as it is the case in the example – fairly sensitive; therefore, users want to interact only with another user who has the same wish. The paper presents a set of protocols involving users and an external matchmaker, whose role is to guarantee fairness in the system. The matchmaker is assumed to be an honest-but-curious third party.

Matchmaking, as described in the paper, is a non-separable protocol that guarantees fairness (according to Definition 7) thanks to the use of a trusted third party. Since the protocol is non-separable, Credentials and Matching References are fused into a single token, namely the self-generated wish. The protocol can be summarized as follows:

users have certified public-private key pairs associated with their identities; users write in a public database a number of wish key-pairs associated with a pseudonym; users can then lookup a particular wish, fetching the respective keys. A user would then try to match another user under a particular wish by trying to compute a shared key out of the fetched ones; the key computation involves the public key of both users. If two users are trying to match one another under the same wish, they will end up computing the same key; the key will be published in the matchmaker’s database, associated with the pseudonyms users have chosen: this way, the interested users know of a matching while for the matchmaker and for other users remain oblivious.

The protocol preserves Unlinkability and Anonymity of users against the match-maker and against users engaging in unsuccessful matchmaking protocols. However the protocol fails to guarantee Unlinkability of properties against the matchmaker as observer. In this scheme, both proof and verification control are under the control of users who received a certificate for their keypair. In addition, although wishes can be generated autonomously by users, the fact that the key computation involves certified public keys associated with identities, prevents fraudulent matching attempts: assume

that u_i tries to match the wish w off u_j: then, only u_j (i.e. a user chosen and sup-posedly trusted byu_i), thanks to its private key, will be able to engage in a successful matching.

In [ZN01], Zhang and Needham present another protocol, similar to Baldwin and Gramlich’s. This protocol relies on an untrusted matchmaker, acting as a public database where users publish encrypted versions of their wishes. In this case how-ever, there is no proof and verification control: any user is able to search for a match and fake one; in addition, the encryption of wishes is deterministic, and therefore dic-tionary attacks are not prevented. Last, for the same reason, the protocol does not guarantee Unlinkability of properties.

In [Mea86], Meadows presents a new Matchmaking protocol. The starting point of this work is the fact that Baldwin and Gramlich’s solution requires an online third party, which is arguably too strong a requirement in many scenarios. The protocol builds on top of the Diffie-Hellman key exchange [DH03]. The protocol operates as follows: a series of organization federate by exchanging public keys. Each organization can then issue Credentials associated with properties. When two users engage in a protocol run, they exchange Credentials and can tell whether the other party has the same Credential or not. On top of this binary answer, they exchange a key they can use to secure later communications.

Despite referencing Baldwin and Gramlich’s work as closest related work, Mead-ows’ protocol achieves significantly different results. The protocol is non-separable as Baldwin and Gramlich’s, but it achieves fairness according to Definition 8. Other dif-ferences include the fact that, although Anonymity and Unlinkability of properties are preserved, Unlinkability of users is not, since users exchange all the time the same Credential. The biggest change however resides in proof and verification control; since the protocol is non-separable, there is a single token acting as both Credential and Matching Reference. This token is generated by an organization acting as certification authority, which therefore keeps the control over who can prove and who can verify which property.

In [Hoe08], Hoepman presents a very simple protocol – similar to Meadows’ [Mea86]

– and also based on the Diffie-Hellman key exchange.