[messaging] Deniable authenticated group messaging

Michael Rogers michael at briarproject.org
Fri Apr 17 14:38:58 PDT 2015 

On 17/04/15 20:08, Trevor Perrin wrote:
> Unclear to me why you're using long-term signing keys and long-term DH
> keys, why not just give the parties direct knowledge of each other's
> DH keys?

The signing keys are already used in another context, and I'm trying to
work out whether it's possible to bootstrap from signing keys to
unsigned group messaging without using exotic crypto.

> The lack of ephemeral keys here means you don't have properties like
> "forward secrecy" or "key compromise impersonation resistance", but I
> guess that's not what you're asking about.

Right. Forward secrecy is handled at another layer, and I'm happy to
accept that if someone's private key is compromised it can be used to
impersonate them.

> When we last discussed "deniability" what it actually means was open to debate.

I have zero interest in reopening that discussion. :-) Debates about the
true meaning of words are best left to theologians. I'm happy to use the
word zorgability instead of deniability if it will avoid a discussion
about the true meaning of deniability.

> IMO there's a useful notion something like "don't leave signed
> messages around by default" and then stronger academic notions around
> the idea of "interacting with Alice doesn't give Bob anything he
> couldn't simulate", which are somewhat dubious (again, IMO) since once
> you start considering that Bob is actively trying to defeat Alice's
> deniability he could simply share his private key with the 3rd-party
> judge and have the judge execute the protocol as him.

"Don't leave signed messages around" is fine for now.

> But anyways, comparing your key agreement to these notions:
> 
>  * Are the signed ECDH keys published so anyone can retrieve them?  If
> not, then possession of Alice's signature by Bob would provide
> evidence that they communicated, perhaps even violating the "useful"
> form of deniability.

They can be published, yes. But even if they're not published, each
person has one signed DH key that they use for all their deniable
conversations, so everyone Alice has communicated with has her signed DH
key and could potentially have given it to Bob without Alice and Bob
ever having communicated.

>  * Suppose Bob signs a bogus ECDH public key that's made of digits of
> pi or something, so it's obvious that Bob doesn't know the private key
> for his own public key.  Bob won't be able to decrypt Alice's message,
> but he could give it to some judge.  If the judge can compromise
> Alice's private key, the judge can confirm this message came from
> Alice and was intended for Bob (thanks to Matt Green, who once pointed
> this out to me).

Interesting. Wouldn't this also work for OTR, or any other system that
relies on MACs derived from DH being deniable?

(Minor point: I'm not proposing any encryption at this layer, just
authentication - but the rest of what you said still applies.)

> Maybe not a big deal, but if Alice's message used an
> ephemeral DH key - a good idea anyway - this could probably be
> avoided.

Because it would allow Alice to dispose of her private key after the
conversation? OK, let's do that then.

Cheers,
Michael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150417/05d533bf/attachment.sig>

More information about the Messaging mailing list