[messaging] pond alike lists (was: Re: pond alike group messaging)

Trevor Perrin trevp at trevp.net
Wed Jun 17 22:55:24 PDT 2015

On Wed, Jun 17, 2015 at 12:15 PM, Jeff Burdges <burdges at gnunet.org> wrote:
> We should not give up so easily since SCIMP style hash iteration
> ratchets provide some forward secrecy.  I'm too tired to think through
> this clearly right now, but one idea :
> - Send the group a chain key ck using an underlying pairwise channel
> protected by Axolotl.  Redo this operation occasionally.
> - Iterate the chain key ck using a hash operation.  Obtain the message
> encryption keys from ck using a different hash operation.

That works, I've been calling that "sender keys":

 * The sender first sends a symmetric "sender key" using pairwise
messages, then uses it (or keys chained from it) to encrypt subsequent

 * Thus after the first message to N recipients, the sender only has
to send one copy of subsequent messages.  The server can fan that copy
out to N recipients.

Moxie mentioned this in a post:


Parties could periodically send a new sender key via pairwise
messages, as you mention.  So in an Axolotl / OTR-like ratchet the
Diffie-Hellman ratchet would still be happening, but at a reduced

> If you're on the list then you can impersonate anyone else on the list,
> but your victim's client will see the impersonation attempt and issue a
> retraction.
> We could issue temporary signing keys with ck to prevent impersonation,
> but that violates deniability.

That doesn't violate deniability because the only people who know your
temporary signing public key are group members you're also encrypting
all signed messages to.  So there's no deniability attack where they
show each other your messages.

If they show your messages to a judge outside the group, they can't
convince the judge that the public key belonged to you, provided the
pairwise messages had deniability.  This is an idea from mpOTR.
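The sender-key hash ratchet sketched above (chain key ck handed out pairwise, stepped with one hash operation, message keys derived with a different one), as an added illustration that is not from this thread, from Pond or from Axolotl. The label strings, class names and the toy HMAC stream cipher are my own constructions.

```python
import hmac
import hashlib

def kdf(key: bytes, label: bytes) -> bytes:
    """Domain-separated hash: different labels for chain and message keys."""
    return hmac.new(key, label, hashlib.sha256).digest()

class SenderKeyChain:
    """Held by the sender and by each member who received ck pairwise.
    Stepping overwrites ck, so a later compromise cannot recover old keys."""

    def __init__(self, ck: bytes, index: int = 0):
        self.ck, self.index = ck, index

    def step(self):
        mk = kdf(self.ck, b"message-key")
        self.ck = kdf(self.ck, b"next-chain-key")   # old ck is gone
        self.index += 1
        return self.index - 1, mk

    def key_for(self, target: int) -> bytes:
        """Ratchet forward to a later message (missed or reordered traffic);
        ratcheting backwards is impossible by construction."""
        if target < self.index:
            raise ValueError("already ratcheted past message %d" % target)
        while True:
            idx, mk = self.step()
            if idx == target:
                return mk

def _xor_stream(mk: bytes, data: bytes) -> bytes:
    """Toy keystream from HMAC in counter mode (illustration, not a real AEAD)."""
    blocks = (len(data) + 31) // 32
    ks = b"".join(kdf(mk, b"stream" + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(chain: SenderKeyChain, plaintext: bytes) -> bytes:
    """Sender makes one ciphertext; the server can fan it out to all N members."""
    idx, mk = chain.step()
    body = idx.to_bytes(4, "big") + _xor_stream(mk, plaintext)
    return body + hmac.new(kdf(mk, b"mac"), body, hashlib.sha256).digest()

def open_(chain: SenderKeyChain, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    mk = chain.key_for(int.from_bytes(body[:4], "big"))
    expected = hmac.new(kdf(mk, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC")
    return _xor_stream(mk, body[4:])
```

A member who missed a message still decrypts later ones by ratcheting forward, but once a member's chain has moved past an index that message key cannot be rederived from the current state.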
