[messaging] Value of deniability

Trevor Perrin trevp at trevp.net
Fri Dec 12 02:23:09 PST 2014


On Wed, Dec 10, 2014 at 6:56 PM, Eleanor Saitta <ella at dymaxion.org> wrote:
>
> Actively signing a message and failing to support deniability are not
> the same, as I have explained elsewhere.

"""
Un-signed and deniable are distinct properties.  I'm definitely not
arguing against unsigned transcripts; making an active effort to make
repudiation difficult is a very different question than designing for
the field utility of deniability.
"""
https://moderncrypto.org/mail-archive/messaging/2014/001191.html

I think some people (like myself) do think of deniability as mostly
about not signing messages.  Or more strongly: not producing any
signed evidence of conversations by default.

I'll agree there's other notions of deniability floating around, but
I'd like to defend this modest interpretation.

First, I don't think this needs to be explained to users, because it's
not a change from what they're used to.  On the contrary, having
signed, hard-to-disavow traces of conversations lying around seems
like a significant and surprising change.  I'd be much more worried
about explaining *that* to users.

Second, I'd argue this form of deniability is fairly easy to achieve:

In a 2-party case you can achieve it with signature-less key
agreements like MQV, TripleDH, NaCl, etc.  You could even use a signed
key agreement, if you only sign your own ephemeral DH public key (and
of course, take care to hash identity info into the session key).

These are good choices even aside from deniability, so deniability
isn't imposing much of a constraint here.  The only trade-off I see is
that if the sender signs messages directly, there's a nice property
that the recipient's ability to authenticate does not depend on any
recipient private keys, and so will survive even if the recipient's
keys are compromised.  That's not compatible with deniability, but
this seems minor and acceptable.

In a multiparty case, authentication is generally done via pairwise
2-party key agreements (see mpOTR, (n+1)sec, TextSecure).  If messages
are also encrypted pairwise, then no new signatures are added, so
deniability is preserved.

To reduce traffic, some multiparty protocols might have the sender
encrypt messages with a single symmetric key and sign them with some
ephemeral signing key, where the ephemeral signing keys are exchanged
over the pairwise protocol.  But even though this introduces
signatures, it still doesn't affect this sort of deniability.  As
mpOTR argues: "Because the key exchange protocol is deniable, there is
no transferable proof that any party has committed to use any given
[ephemeral signing] key".


Trevor


More information about the Messaging mailing list