[messaging] Value of deniability

Sam Lanning sam at samlanning.com
Wed Dec 10 16:29:39 PST 2014

On 10/12/14 22:41, Eleanor Saitta wrote:
> Un-signed and deniable are distinct properties.  I'm definitely not
> arguing against unsigned transcripts; making an active effort to make
> repudiation difficult is a very different question than designing for
> the field utility of deniability.

Unfortunately it's not that simple. In most cases with security
protocols, these two are mathematically as useful as each other,
not-deniable (but with authenticity) is as good as signed.

At a high level, there are 3 main ways in which you can send a digital
message to n people.

a) send the message, unsigned in any way, to each of the n people. This
provides deniability, is unsigned, but has no authenticity.

b) send the message, with a signature using a long-living key (e.g.
PGP), to each person. this is signed, is not-deniable, but has authenticity.

c) send an individual message to each recipient, in such a way so that
each message could only have been written by the sender and the
recipient of that message. This is more work (except for the case where
communication is only between 2 parties, in which case we can have this
for free). Messages are unsigned (not tied to a single identity, each
message is tied to 2 identities), deniable, and authentic.

More concretely messages can be:

- tied to 0 identities
  (deniability, no authenticity)
- tied to 1 identity (signed)
  (no deniabilty, authenticity)
- tied to 2 identities (in effect, signed by 1 of 2 identities)
  (deniability, authenticity)

Which leads me to this conclusion:

If we want to have authenticity in a secure messaging protocol, we either:

 - sign every message (not deniable). Basically every message is
provably by the owner of a long-lived identity. Should hold up in a
court of law as strongly as a chain of PGP-Signed emails, which we have
already discussed previously in this thread.
 - use deniability (more costly when more than 2 people are communicating)



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141211/b8fef14d/attachment.sig>

More information about the Messaging mailing list