[messaging] Deniable authenticated group messaging

Michael Rogers michael at briarproject.org
Fri Apr 17 02:54:00 PDT 2015 

Hi all,

I have a crypto problem that you might find interesting. The setting is
a private group discussion. The membership of the group is fixed and
known to all members. Each member knows a long-term public signature key
for each other member. These public signature keys may also be known to
people outside the group.

Members should be able to send messages to the group, such that any
member of the group can verify that a message was written by the owner
of a particular signature key, but can't prove it to anyone outside the
group.

Now, as far as I understand (which isn't far), there are various
deniable group key agreement protocols that achieve the above, but they
all require some more or less exotic crypto. On the other hand there's a
simple combination of signatures and Diffie-Hellman (or ECDH if you
prefer) that seems to achieve the above - but presumably if it did so,
the exotic schemes wouldn't be necessary. So can you explain what's
wrong with it?

The simple solution looks like this: each member of the group generates
a long-term DH key pair and signs their long-term public DH key with
their long-term signature key. The public DH keys may be known outside
the group, just like the public signature keys.

Each member of the group can derive a shared secret from their own
private DH key and another member's public DH key, and be sure that the
owner of the signature key that signed the public DH key is the only
other party that knows the secret. They can then derive a MAC key from
the shared secret. When a member posts a message to the group they
attach one MAC for each other member of the group using the MAC key they
share with that member.

If you want to save bandwidth at the cost of computation, you can do a
single MAC-authenticated exchange of ephemeral public signature keys at
the start of the discussion and then sign the messages with the
ephemeral signature keys.

So why doesn't this work, or what doesn't it achieve that a more exotic
protocol achieves?

Cheers,
Michael

P.S. There's an even simpler solution where you use the same long-term
public EC key for both signing and ECDH, but as far as I understand
there are security concerns about doing that.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150417/42304ccf/attachment.sig>

More information about the Messaging mailing list