[messaging] pond alike lists (was: Re: pond alike group messaging)

[Trevor Perrin]

On Wed, Jun 17, 2015 at 12:15 PM, Jeff Burdges <burdges at gnunet.org> wrote:
>
>
> We should not give us so easily since SCIMP style hash iteration
> ratchets provide some forward secrecy.  I'm too tired to think through
> this clearly right now, but one idea :
>
> - Send the group a chain key ck using an underlying pairwise channel
> protected by Axolotl.  Redo this operation occasionally.
>
> - Iterate the chain key ck using a hash operation.  Obtain the message
> encryption keys from ck using a different hash operation.

That works, I've been calling that "sender keys":

 * The sender first sends a symmetric "sender key" using pairwise
messages, then uses it (or keys chained from it) to encrypt subsequent
messages.

 * Thus after the first message to N recipients, the sender only has
to send one copy of subsequent messages.  The server can fan that copy
out to N recipients.

Moxie mentioned this in a post:

https://whispersystems.org/blog/private-groups/

Parties could periodically send a new sender key via pairwise
messages, as you mention.  So in an Axolotl / OTR-like ratchet the
Diffie-Hellman ratchet would still be happening, but at a reduced
frequency.


> If you're on the list then you can impersonate anyone else on the list,
> but your victim's client will see the impersonation attempt and issue a
> retraction.
>
> We could issue temporary signing keys with ck to prevent impersonation,
> but that violates deniability.

That doesn't violate deniability because the only people who know your
temporary signing public key are group members you're also encrypting
all signed messages to.  So there's no deniability attack where they
show each other your messages.

If they show your messages to a judge outside the group, they can't
convince the judge that the public key belonged to you, provided the
pairwise messages had deniability.  This is an idea from mpOTR.


Trevor