[messaging] Deniable authenticated group messaging

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Apr 18 21:14:11 PDT 2015

Michael Rogers <michael at briarproject.org>
>On 17/04/15 18:37, Ben Laurie wrote:
>> On 17 April 2015 at 11:54, Michael Rogers <michael at briarproject.org
>> <mailto:michael at briarproject.org>> wrote:
>>     Members should be able to send messages to the group, such that any
>>     member of the group can verify that a message was written by the owner
>>     of a particular signature key, but can't prove it to anyone outside the
>>     group.
>> Isn't this a fantasy requirement? That is, if I am a member of the group
>> and I want to prove it to someone outside the group, don't I just have
>> them look over my shoulder?
>It's not a fantasy requirement, it's a standard property of MACs. If Alice
>and Bob share a MAC key and Alice uses it to create a MAC, Bob knows that
>since he didn't create the MAC, Alice must have done. But Bob can't prove to
>Carol that it was Alice rather than Bob who created it.

You do have to be a bit careful about how you use the word "prove" here.  If
it's "prove in an abstract theoretical sense" (which includes "prove to a
bunch of geeks") then the above works.  If it's "prove in a court of law" then
it doesn't, because that works on balance of probabilities and not how clever
the defendant thinks they are (or, to look at it another way, they use belief
in the law rather than belief in mathematically abstractions).  I was told of
a case some years ago in which the court pretty much ignored the digital
signature as incomprehensible (and inconsequential) gobbledigook and instead
considered what the likelihood was that the message accurately conveyed the
intent of the sender... which is actually what courts have been doing for
about as long as contract law has existed.


More information about the Messaging mailing list