<p dir="ltr">A git-like scheme with an elected master could make the transcript totally ordered. Basically, all the peers would receive the messages and still keep them in an unstaged area, partially ordered so still useful for the UI. Then the master would chime in and provide the definite message order, kind of like a merge in git. The peers then reorder their transcript accordingly.</p>
<p dir="ltr">If you do not trust the master, it is not a problem: he is only in charge of the transcript, and clients would verify that what he broadcasts is alright (example: messages include the "current commit" hash). Once a peer detects the master is malicious, a new election could be called.</p>
<div class="gmail_quote">Le 16 avr. 2014 22:58, "Moxie Marlinspike" <<a href="mailto:moxie@thoughtcrime.org">moxie@thoughtcrime.org</a>> a écrit :<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
TextSecure supports group messaging. I've been meaning to write up a<br>
blog post about it, but if I understand correctly, you're mostly asking<br>
about transcript consistency in a "pairwise group" model.<br>
<br>
We believe this can be as simple as including the truncated hash of the<br>
(sender, plaintext, counter) tuple for the last messages seen with every<br>
message sent.<br>
<br>
This allows each client to build a view of a message transcript that's<br>
reminiscent of a git commit log, where each message is a commit. One<br>
could imagine visualizing this like an old-school email client<br>
visualizes conversation threads, which would make transcript<br>
inconsistencies and "reply intent" clear. That way if Bob sends a<br>
message to everyone that says "Who wants to kill the president?" except<br>
Alice, who Bob instead sends "Who wants to get some ice cream?," when<br>
Alice responds "I do, how about this afternoon!" -- it'd be clear to<br>
everyone in the conversation that Alice is responding to something they<br>
didn't see.<br>
<br>
Unfortunately, that type of UI isn't really possible on mobile devices,<br>
and even desktop communication apps are moving away from those types of<br>
threaded views. For now, TextSecure conversations are "linearized," and<br>
the way to *display* transcript consistency for untrusted groups like<br>
these remains an open UI/UX question for us.<br>
<br>
But at least at the protocol level, it's pretty simple even in an<br>
asynchronous environment.<br>
<br>
- moxie<br>
<br>
<br>
On 04/16/2014 08:36 AM, Michael Rogers wrote:<br>
> -----BEGIN PGP SIGNED MESSAGE-----<br>
> Hash: SHA256<br>
><br>
> Hi all,<br>
><br>
> I've been thinking about ways to cut down the forward-secret group<br>
> chat problem to a manageable size. I'm looking for a core problem<br>
> that's big enough to be worth solving, but small enough to be solved;<br>
> then we can think up some solutions, prototype them, and see whether<br>
> we can extend them to solve bigger problems.<br>
><br>
> Here's a suggestion for a core problem we could start with:<br>
><br>
> * Small groups, so O(n^2) bandwidth or processing cost is OK<br>
> * Group membership is fixed for the duration of the chat<br>
> * All members know the membership of the group somehow<br>
> * All members have pairwise OTR connections to all other members<br>
> * We accept that any member can prevent the chat from making progress<br>
><br>
> Goals:<br>
><br>
> * Messages are forward secret<br>
> * Messages can be authenticated by group members<br>
> * Messages are repudiable<br>
> * All members agree about which messages are part of the chat<br>
> * All members agree about the order of the messages in the chat<br>
> * Messages can only be added to the end of the chat<br>
><br>
> In some ways this is an easier problem than mpOTR, but I think a tool<br>
> that met these goals would be worth having. As far as I know, that<br>
> tool doesn't exist yet.<br>
><br>
> Here's a sketch of one possible approach to solving this problem. It's<br>
> basically an append-only log with two-phase commit. Messages aren't<br>
> shown in the UI until they've been committed. (If used over a<br>
> high-latency transport there would need to be some intermediate UI<br>
> state for messages that had been sent but not yet committed.)<br>
><br>
> Each member of the group has a copy of the log and a staging area for<br>
> uncommitted messages. Messages in the log are numbered sequentially,<br>
> and each message has a retransmission counter. When a member wants to<br>
> send a message, she assigns the first unused sequence number to the<br>
> message, stages the message, and sends a copy of the numbered message<br>
> to every other member. Each member who receives the message stages it<br>
> and sends an ack to every other member, including the author. The ack<br>
> includes a hash over the author's identity, the sequence number, the<br>
> retransmission counter and the content, so everyone knows whether<br>
> everyone else is acking the same message. Each member who receives an<br>
> ack from every other member except the author commits the staged<br>
> message to the log.<br>
><br>
> If a member receives a message with the same sequence number as a<br>
> staged message, she sends a nack to every other member and discards<br>
> both messages. Anyone who receives a nack for a staged message<br>
> discards the message, except the author, who unstages the message. If<br>
> two or more authors try to send messages with the same sequence<br>
> number, every colliding message will be nacked by at least one member,<br>
> unstaged by its author and discarded by everyone else, and the<br>
> sequence number will remain unused. Each author waits for a random<br>
> interval and then resends her message with an incremented<br>
> retransmission counter and the first unused sequence number, which may<br>
> be the same as before, or higher if another message has been committed<br>
> in the meantime.<br>
><br>
> The retransmission counter prevents confusion between acks or nacks<br>
> for different transmissions of the same message. The retransmission<br>
> interval increases exponentially to avoid repeated collisions.<br>
><br>
> What do you reckon - is this a problem worth tackling, and does this<br>
> solution seem sound?<br>
><br>
> Cheers,<br>
> Michael<br>
> -----BEGIN PGP SIGNATURE-----<br>
> Version: GnuPG v1.4.12 (GNU/Linux)<br>
><br>
> iQEcBAEBCAAGBQJTTqNnAAoJEBEET9GfxSfMaRsH/1rcIdMBh2X/z07EWMcGzA2T<br>
> HenJNsz0KjrYixmUnvCRTwaHnf6QZh5OhJq8Mc8ULZLJH6rRdXP9K4YB/XDeDHqx<br>
> NuLgbtGj3lQcGgn31VPyOJiFSWBu+5qHss4/NHfH5MRR9CDydBeZY/lllDYVJDH7<br>
> mLBnjhVfJOEINcjXJfv7TY5ayG0iYLVmb0fBeTDqXi4ylHTyzAIYro5boODiutcn<br>
> RpFshVB5wXj2SpB3PVXpgAfuMAWGzhkc5XRbBBsvz7wryWyImPaKPgLxZqvwIA5H<br>
> 5zpY+Hv9pJh0HvQSsMyimLKvXoE/y+gqIhaUBm3ZGHSwSYZggky2PFUxnDaSh74=<br>
> =/TKv<br>
> -----END PGP SIGNATURE-----<br>
> _______________________________________________<br>
> Messaging mailing list<br>
> <a href="mailto:Messaging@moderncrypto.org">Messaging@moderncrypto.org</a><br>
> <a href="https://moderncrypto.org/mailman/listinfo/messaging" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br>
><br>
><br>
<br>
--<br>
<a href="http://www.thoughtcrime.org" target="_blank">http://www.thoughtcrime.org</a><br>
_______________________________________________<br>
Messaging mailing list<br>
<a href="mailto:Messaging@moderncrypto.org">Messaging@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/messaging" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br>
</blockquote></div>