[messaging] Deniable authenticated group messaging

Michael Rogers michael at briarproject.org
Fri Apr 24 02:53:57 PDT 2015

On 18/04/15 16:19, Berkant Ustaoglu wrote:
> Quoting Michael Rogers <michael at briarproject.org>:
>> On 17/04/15 20:08, Trevor Perrin wrote:
>>> IMO there's a useful notion something like "don't leave signed
>>> messages around by default" and then stronger academic notions around
>>> the idea of "interacting with Alice doesn't give Bob anything he
>>> couldn't simulate", which are somewhat dubious (again, IMO) since once
>>> you start considering that Bob is actively trying to defeat Alice's
>>> deniability he could simply share his private key with the 3rd-party
>>> judge and have the judge execute the protocol as him.
>> "Don't leave signed messages around" is fine for now.
> What is your opinion if I there are signed messages around but also the
> private key with which the message was singed? Would that meet your notion
> of deniability?

That might work, but I can see a couple of difficulties:

1. A party may leave the conversation unexpectedly before publishing
their private key, in which case their messages aren't deniable.

2. The signature key that gets published must be ephemeral, so it must
somehow be bound to the long-term signature key - is this any easier
than binding an ephemeral DH key to a long-term signature key?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150424/0941be3a/attachment.sig>

More information about the Messaging mailing list