[messaging] Deniable authenticated group messaging
Natanael
natanael.l at gmail.com
Fri Apr 17 09:34:50 PDT 2015
On 17 Apr 2015 11:55, "Michael Rogers" <michael at briarproject.org> wrote:
>
> Hi all,
>
> I have a crypto problem that you might find interesting. The setting is
> a private group discussion. The membership of the group is fixed and
> known to all members. Each member knows a long-term public signature key
> for each other member. These public signature keys may also be known to
> people outside the group.
>
> Members should be able to send messages to the group, such that any
> member of the group can verify that a message was written by the owner
> of a particular signature key, but can't prove it to anyone outside the
> group.

This made me think of TextSecure's Axolotl, and they do their group
messaging encryption pairwise among the members as well.

Except they start off with triple DH to establish the chat session keys and
they use ratcheting for the encryption and authentication keys.

The design is meant to enable asynchronous deniable authenticated chats,
i.e. it isn't necessary to be online simultaneously to preserve the
security. Just decrypt the messages when you get them, ratchet the keys to
get the keys to be used for the next message and then delete the old keys.

They also use triple DH to be able to deny the fact that a real chat
happened, as you can't distinguish a ciphertext log of a real chat from a
faked one, unlike with standard OTR.

Even if your keys are later leaked, only you (and the other party of the
chat, of course) know which chats are real on the basis of being the only
ones *who know the origin* of the keys. You know they came from the
authenticated key exchange. Nobody else can be certain, because all the
nonces and session keys are long gone.
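
The deniability argument in the reply above, as an added example that is not part of the original post and is not TextSecure code: a triple-DH session key can be computed from the two public identity keys alone by whoever picks both ephemeral keys, so a transcript and its MACs prove nothing to an outsider. Assumptions: the modular group below is a toy stand-in for the elliptic-curve group a real implementation would use, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy finite-field group (assumption): NOT a secure parameter choice,
# it only makes the triple-DH algebra runnable with the standard library.
P = 2**255 - 19
G = 2

def keygen():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(32, "big")

def kdf(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def initiator_key(id_priv, eph_priv, peer_id_pub, peer_eph_pub):
    # DH(A, b_eph) || DH(a_eph, B) || DH(a_eph, b_eph)
    return kdf(dh(id_priv, peer_eph_pub),
               dh(eph_priv, peer_id_pub),
               dh(eph_priv, peer_eph_pub))

def responder_key(id_priv, eph_priv, peer_id_pub, peer_eph_pub):
    # Same three shared values, computed from the other side.
    return kdf(dh(eph_priv, peer_id_pub),
               dh(id_priv, peer_eph_pub),
               dh(eph_priv, peer_eph_pub))

def simulate_session(a_id_pub, b_id_pub):
    """Build a session from PUBLIC identity keys only, by choosing both
    ephemerals. No long-term private key is touched."""
    a_eph, b_eph = keygen(), keygen()
    key = kdf(dh(b_eph[0], a_id_pub),   # stands in for DH(A, b_eph)
              dh(a_eph[0], b_id_pub),   # stands in for DH(a_eph, B)
              dh(a_eph[0], b_eph[1]))
    return key, a_eph, b_eph

def tag(key, msg):
    """Message authentication under the session key."""
    return hmac.new(key, msg, hashlib.sha256).digest()
```

Inside a real session the MAC still authenticates the peer, because each party knows it did not pick the other side's ephemeral key; an outsider looking at a log has no such knowledge.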