[messaging] Deniable authenticated group messaging

Michael Rogers michael at briarproject.org
Fri Apr 24 02:59:51 PDT 2015


On 19/04/15 05:14, Peter Gutmann wrote:
>> It's not a fantasy requirement, it's a standard property of MACs. If Alice
>> and Bob share a MAC key and Alice uses it to create a MAC, Bob knows that
>> since he didn't create the MAC, Alice must have done. But Bob can't prove to
>> Carol that it was Alice rather than Bob who created it.
> 
> You do have to be a bit careful about how you use the word "prove" here.  If
> it's "prove in an abstract theoretical sense" (which includes "prove to a
> bunch of geeks") then the above works.  If it's "prove in a court of law" then
> it doesn't, because that works on balance of probabilities and not how clever
> the defendant thinks they are (or, to look at it another way, they use belief
> in the law rather than belief in mathematically abstractions).  I was told of
> a case some years ago in which the court pretty much ignored the digital
> signature as incomprehensible (and inconsequential) gobbledigook and instead
> considered what the likelihood was that the message accurately conveyed the
> intent of the sender... which is actually what courts have been doing for
> about as long as contract law has existed.

Understood, and thanks for returning the conversation to reality!

As I said in reply to Ximin just now, my feeling is that although the
difference between signed and unsigned messages may (very reasonably) be
irrelevant to a court of law, I think there might be less formal
settings where it's more likely for people to lie, and therefore more
important to distinguish between what's said and what can be proven.

This is only a hunch though, and perhaps not a strong enough one to
justify the extra complexity that seems to be involved in avoiding
signatures.

Cheers,
Michael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150424/d3add42e/attachment.sig>


More information about the Messaging mailing list