[messaging] Deniable authenticated group messaging

Michael Rogers michael at briarproject.org
Fri Apr 17 14:17:09 PDT 2015

On 17/04/15 18:44, Ben Laurie wrote:
>     The simple solution looks like this: each member of the group generates
>     a long-term DH key pair and signs their long-term public DH key with
>     their long-term signature key. The public DH keys may be known outside
>     the group, just like the public signature keys.
>     Each member of the group can derive a shared secret from their own
>     private DH key and another member's public DH key, and be sure that the
>     owner of the signature key that signed the public DH key is the only
>     other party that knows the secret.
> BTW, this is surely the flaw if you believe in the fantasy requirement:
> the private DH key can be shared, and thus the derived key.

Yes of course, in any system that uses asymmetric crypto people can
share their private keys, and any assumptions about keys being bound to
identities are broken if they do so.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150417/e5bb215c/attachment.sig>

More information about the Messaging mailing list