[messaging] Deniable authenticated group messaging

Ben Laurie ben at links.org
Sat Apr 18 06:12:10 PDT 2015

On 18 April 2015 at 00:00, Michael Rogers <michael at briarproject.org> wrote:
> On 17/04/15 22:35, Ben Laurie wrote:
>>     It's not a fantasy requirement, it's a standard property of MACs. If
>>     Alice and Bob share a MAC key and Alice uses it to create a MAC, Bob
>>     knows that since he didn't create the MAC, Alice must have done. But Bob
>>     can't prove to Carol that it was Alice rather than Bob who created it.
>> If Carol knows everything Bob knows, then Carol also knows Alice created
>> it. That's my point.
> I see, thanks for explaining. Even if Bob shares his private key with
> Carol, Carol doesn't know whether he shared it with anyone else. So
> Carol doesn't know whether the MAC was created by Alice or an accomplice
> of Bob.
> Bob knows he hasn't shared his private key with anyone else, but he
> can't prove it.

Fair point.

>> I don't believe it is possible for Bob to prove there is no Carol.
> Indeed, and it's not possible for Bob to prove there's only one Carol.
>> All I'm really saying is the property you can have is something a little
>> weaker, as Ximin has expounded on at some length.
> I'm not sure how much of Ximin's message applies, as he's talking about
> ciphertext transcripts whereas I'm talking about plaintext.

Yeah, it was properties of transcripts I was thinking about.

More information about the Messaging mailing list