[messaging] Deniable authenticated group messaging

Michael Rogers michael at briarproject.org
Fri Apr 17 15:00:42 PDT 2015

On 17/04/15 22:35, Ben Laurie wrote:
>     It's not a fantasy requirement, it's a standard property of MACs. If
>     Alice and Bob share a MAC key and Alice uses it to create a MAC, Bob
>     knows that since he didn't create the MAC, Alice must have done. But Bob
>     can't prove to Carol that it was Alice rather than Bob who created it.
> If Carol knows everything Bob knows, then Carol also knows Alice created
> it. That's my point.

I see, thanks for explaining. Even if Bob shares his private key with
Carol, Carol doesn't know whether he shared it with anyone else. So
Carol doesn't know whether the MAC was created by Alice or an accomplice
of Bob.

Bob knows he hasn't shared his private key with anyone else, but he
can't prove it.

> I don't believe it is possible for Bob to prove there is no Carol.

Indeed, and it's not possible for Bob to prove there's only one Carol.

> All I'm really saying is the property you can have is something a little
> weaker, as Ximin has expounded on at some length.

I'm not sure how much of Ximin's message applies, as he's talking about
ciphertext transcripts whereas I'm talking about plaintext.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150417/448540ce/attachment.sig>

More information about the Messaging mailing list