[messaging] Deniable authenticated group messaging

Ximin Luo infinity0 at pwned.gg
Sat Apr 18 09:30:19 PDT 2015

On 18/04/15 17:19, Berkant Ustaoglu wrote:
> Quoting Michael Rogers <michael at briarproject.org>:
>> On 17/04/15 20:08, Trevor Perrin wrote:
>>> IMO there's a useful notion something like "don't leave signed
>>> messages around by default" and then stronger academic notions around
>>> the idea of "interacting with Alice doesn't give Bob anything he
>>> couldn't simulate", which are somewhat dubious (again, IMO) since once
>>> you start considering that Bob is actively trying to defeat Alice's
>>> deniability he could simply share his private key with the 3rd-party
>>> judge and have the judge execute the protocol as him.
>> "Don't leave signed messages around" is fine for now.
> What is your opinion if there are signed messages around but also the
> private key with which the message was signed? Would that meet your notion
> of deniability?

If something is forgeable, then it is deniable. However, as the prover, it is only safe (for authentication purposes) to reveal the private key, after one is sure that other people (the verifiers) have acknowledged / promised that they

- have verified your signature, and
- will no longer make use of the same public key to verify subsequent messages
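
Added example, not part of the original message: a sketch of the ordering described above, in which the signing key is released only after every verifier has verified the signature and retired the public key. The Lamport one-time signature scheme, the `Prover`/`Verifier` classes, the names and the messages are assumptions made for this illustration, and acknowledgements are modelled as plain return values rather than authenticated messages.

```python
import hashlib, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():  # Lamport one-time key pair (scheme assumed for this sketch)
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

class Verifier:  # hypothetical group member
    def __init__(self, name, pk):
        self.name, self.pk, self.retired = name, pk, False
    def accept(self, msg, sig):
        # Verify once, then retire the public key; the True result is the ack.
        if self.retired or not verify(self.pk, msg, sig):
            return False
        self.retired = True
        return True

class Prover:  # hypothetical signer
    def __init__(self, verifier_names):
        self.sk, self.pk = keygen()
        self.waiting = set(verifier_names)
    def record_ack(self, name, ok):
        if ok: self.waiting.discard(name)
    def reveal(self):
        # Withhold the key while any verifier may still rely on it.
        return None if self.waiting else self.sk

def run_demo():
    alice = Prover(["bob", "carol"])
    group = [Verifier(n, alice.pk) for n in ("bob", "carol")]
    msg, fake = b"constructed sample message", b"constructed forged message"
    sig = sign(alice.sk, msg)
    alice.record_ack("bob", group[0].accept(msg, sig))
    blocked = alice.reveal() is None  # carol has not acknowledged yet
    alice.record_ack("carol", group[1].accept(msg, sig))
    forged = sign(alice.reveal(), fake)  # anyone holding the revealed key can sign
    return blocked, verify(alice.pk, fake, forged), group[0].accept(fake, forged)
```

`run_demo()` returns whether the early reveal was withheld, whether a signature made with the revealed key passes raw verification (so old signatures prove nothing to a third party), and whether a verifier that retired the key still accepts it.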



