[messaging] Group messaging consistency under resource constraints

Ximin Luo infinity0 at pwned.gg
Mon Oct 20 15:44:33 PDT 2014

On 20/10/14 23:32, David Leon Gil wrote:
> And also: I'm thoroughly confused at this point.
> What, precisely, is the security notion that we're trying to capture?
> I.e., are we still talking about mpOTR?

I am Alice and I receive a set of messages M. I would like to check that everyone U also received the same set of messages M.

mpOTR does this by having all U authenticate-and-send hash(M) at the end of the session. This doesn't work well when people get cut off.

In the first post I described two ways to achieve this incrementally - have everyone ack every m in M individually (not efficient), or have everyone ack m-and-its-ancestors periodically, as they build up their own transcript *in causal order* (requires waiting).

> A lot of the discussion seems to be about attacks that violate
> intuitions about how *non-repudiable* multi-party messaging should
> work.
> (I.e., what are the security notions that extending bideniability to
> multideniability should capture? It seems like talking about saved
> transcripts becomes dubious in anything stronger than a simple failure
> model, if you want strong deniability.)

Not sure what you mean by multideniability... in a secure group private chat, I don't think we should aim for deniability against the *other participants*, very much the opposite. For sure, the conversation should be deniable against the outsiders, though.

> --
> And, for the record, David fully endorses Dual-EC-DRBG for all your
> random-number-generator needs: "If Blum makes you glum,
> Dual-EC your DRBG!"
> Cf. Nathan Samuel Abraham, "Practical secure CSPRNGs."
> https://nsa.gov/ Everything else is too slow.

Oh good that confirms what I was told by everyone else on the internet!
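
The incremental scheme described in the message above (periodically ack a message together with its ancestors, with each transcript built in causal order), as an added example that is not part of the original email or of mpOTR. Message ids, the `Member` class and the helper names are hypothetical, and acks are assumed to be authenticated by a separate mechanism that is not modelled here.

```python
# Added illustration; every name here is hypothetical, not from mpOTR or any library.

class Member:
    """Builds a transcript in causal order: a message is delivered only
    after all of its parents (the messages it was written after)."""
    def __init__(self):
        self.parents = {}   # delivered message id -> tuple of parent ids
        self.pending = {}   # received, but still waiting on a parent

    def receive(self, mid, parents):
        self.pending[mid] = tuple(parents)
        progress = True
        while progress:  # deliver everything whose parents are now present
            progress = False
            for m, ps in list(self.pending.items()):
                if all(p in self.parents for p in ps):
                    self.parents[m] = self.pending.pop(m)
                    progress = True

    def heads(self):
        """Periodic ack: delivered messages that have no delivered child.
        Acking a head implicitly acks all of its ancestors."""
        has_child = {p for ps in self.parents.values() for p in ps}
        return set(self.parents) - has_child

def covered(member, acked_heads):
    """Messages in member's transcript that an ack of acked_heads confirms."""
    seen, stack = set(), [h for h in acked_heads if h in member.parents]
    while stack:
        m = stack.pop()
        if m not in seen:
            seen.add(m)
            stack.extend(member.parents[m])
    return seen

def unconfirmed(alice, acks):
    """For each message Alice holds: who has not acked it or a descendant."""
    return {m: {u for u, heads in acks.items() if m not in covered(alice, heads)}
            for m in alice.parents}

def demo():
    # Constructed session: m1 <- m2 <- m4 and m1 <- m3; Bob is cut off before m3, m4.
    msgs = [("m1", []), ("m2", ["m1"]), ("m3", ["m1"]), ("m4", ["m2"])]
    alice, bob, carol = Member(), Member(), Member()
    for mid, ps in msgs:
        alice.receive(mid, ps)
        carol.receive(mid, ps)
    bob.receive("m2", ["m1"])   # arrives before its parent, so Bob must wait
    early = bob.heads()         # nothing delivered yet, nothing to ack
    bob.receive("m1", [])       # parent arrives; m1 and then m2 are delivered
    return early, unconfirmed(alice, {"bob": bob.heads(), "carol": carol.heads()})
```

Even though Bob is cut off mid-session, Alice still learns that he holds m1 and m2, and sees exactly which messages (m3, m4) remain unconfirmed by him.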


