[messaging] Deniable authenticated group messaging

Ben Laurie ben at links.org
Fri Apr 17 14:35:40 PDT 2015

On 17 April 2015 at 23:10, Michael Rogers <michael at briarproject.org> wrote:

> On 17/04/15 18:37, Ben Laurie wrote:
> >
> > On 17 April 2015 at 11:54, Michael Rogers <michael at briarproject.org
> > <mailto:michael at briarproject.org>> wrote:
> >
> >     Members should be able to send messages to the group, such that any
> >     member of the group can verify that a message was written by the
> owner
> >     of a particular signature key, but can't prove it to anyone outside
> the
> >     group.
> >
> >
> > Isn't this a fantasy requirement? That is, if I am a member of the group
> > and I want to prove it to someone outside the group, don't I just have
> > them look over my shoulder?
> It's not a fantasy requirement, it's a standard property of MACs. If
> Alice and Bob share a MAC key and Alice uses it to create a MAC, Bob
> knows that since he didn't create the MAC, Alice must have done. But Bob
> can't prove to Carol that it was Alice rather than Bob who created it.

If Carol knows everything Bob knows, then Carol also knows Alice created
it. That's my point.

I don't believe it is possible for Bob to prove there is no Carol.

All I'm really saying is the property you can have is something a little
weaker, as Ximin has expounded on at some length.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150417/62f5c0a9/attachment.html>

More information about the Messaging mailing list