[messaging] Deniable authenticated group messaging

Trevor Perrin trevp at trevp.net
Fri Apr 17 12:08:08 PDT 2015

On Fri, Apr 17, 2015 at 2:54 AM, Michael Rogers
<michael at briarproject.org> wrote:
> Hi all,
> I have a crypto problem that you might find interesting. The setting is
> a private group discussion. The membership of the group is fixed and
> known to all members. Each member knows a long-term public signature key
> for each other member. These public signature keys may also be known to
> people outside the group.
> The simple solution looks like this: each member of the group generates
> a long-term DH key pair and signs their long-term public DH key with
> their long-term signature key.

Unclear to me why you're using long-term signing keys and long-term DH
keys, why not just give the parties direct knowledge of each other's
DH keys?

The lack of ephemeral keys here means you don't have properties like
"forward secrecy" or "key compromise impersonation resistance", but I
guess that's not what you're asking about.

When we last discussed "deniability" what it actually means was open to debate.

IMO there's a useful notion something like "don't leave signed
messages around by default" and then stronger academic notions around
the idea of "interacting with Alice doesn't give Bob anything he
couldn't simulate", which are somewhat dubious (again, IMO) since once
you start considering that Bob is actively trying to defeat Alice's
deniability he could simply share his private key with the 3rd-party
judge and have the judge execute the protocol as him.

But anyways, comparing your key agreement to these notions:

 * Are the signed ECDH keys published so anyone can retrieve them?  If
not, then possession of Alice's signature by Bob would provide
evidence that they communicated, perhaps even violating the "useful"
form of deniability.

 * Suppose Bob signs a bogus ECDH public key that's made of digits of
pi or something, so it's obvious that Bob doesn't know the private key
for his own public key.  Bob won't be able to decrypt Alice's message,
but he could give it to some judge.  If the judge can compromise
Alice's private key, the judge can confirm this message came from
Alice and was intended for Bob (thanks to Matt Green, who once pointed
this out to me).  Maybe not a big deal, but if Alice's message used an
ephemeral DH key - a good idea anyway - this could probably be


More information about the Messaging mailing list