[messaging] Deniable authenticated group messaging
Ben Laurie
ben at links.org
Fri Apr 17 14:35:40 PDT 2015
On 17 April 2015 at 23:10, Michael Rogers <michael at briarproject.org> wrote:
> On 17/04/15 18:37, Ben Laurie wrote:
> >
> > On 17 April 2015 at 11:54, Michael Rogers <michael at briarproject.org
> > <mailto:michael at briarproject.org>> wrote:
> >
> > Members should be able to send messages to the group, such that any
> > member of the group can verify that a message was written by the
> owner
> > of a particular signature key, but can't prove it to anyone outside
> the
> > group.
> >
> >
> > Isn't this a fantasy requirement? That is, if I am a member of the group
> > and I want to prove it to someone outside the group, don't I just have
> > them look over my shoulder?
>
> It's not a fantasy requirement, it's a standard property of MACs. If
> Alice and Bob share a MAC key and Alice uses it to create a MAC, Bob
> knows that since he didn't create the MAC, Alice must have done. But Bob
> can't prove to Carol that it was Alice rather than Bob who created it.
>
If Carol knows everything Bob knows, then Carol also knows Alice created
it. That's my point.
I don't believe it is possible for Bob to prove there is no Carol.
All I'm really saying is the property you can have is something a little
weaker, as Ximin has expounded on at some length.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150417/62f5c0a9/attachment.html>
More information about the Messaging
mailing list