[messaging] Deniable authenticated group messaging

[Ben Laurie]

On 17 April 2015 at 11:54, Michael Rogers <michael at briarproject.org> wrote:

> Hi all,
>
> I have a crypto problem that you might find interesting. The setting is
> a private group discussion. The membership of the group is fixed and
> known to all members. Each member knows a long-term public signature key
> for each other member. These public signature keys may also be known to
> people outside the group.
>
> Members should be able to send messages to the group, such that any
> member of the group can verify that a message was written by the owner
> of a particular signature key, but can't prove it to anyone outside the
> group.
>
> Now, as far as I understand (which isn't far), there are various
> deniable group key agreement protocols that achieve the above, but they
> all require some more or less exotic crypto. On the other hand there's a
> simple combination of signatures and Diffie-Hellman (or ECDH if you
> prefer) that seems to achieve the above - but presumably if it did so,
> the exotic schemes wouldn't be necessary. So can you explain what's
> wrong with it?
>
> The simple solution looks like this: each member of the group generates
> a long-term DH key pair and signs their long-term public DH key with
> their long-term signature key. The public DH keys may be known outside
> the group, just like the public signature keys.
>
> Each member of the group can derive a shared secret from their own
> private DH key and another member's public DH key, and be sure that the
> owner of the signature key that signed the public DH key is the only
> other party that knows the secret.


BTW, this is surely the flaw if you believe in the fantasy requirement: the
private DH key can be shared, and thus the derived key.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150417/962189e8/attachment.html>