[messaging] KCI in X3DH

Jeff Burdges burdges at gnunet.org
Fri Jan 19 17:01:08 PST 2018


On Fri, 2018-01-19 at 13:57 +0100, Natanael wrote:
> I assume that having Alice sign her ephemeral key breaks deniability
> for her? That the construction expects only the receiver to have
> signed medium term keys? 

Yes, but see rant below.

> I can't say I know enough to say for sure, but doesn't DH(static a,
> static b) also partially hurt deniability? One big difference between
> OTR and Signal / 3DH is denying that you ever have had contact. In the
> case of a compromise of a static key, then the pre-existence of this
> value #4 proves at least that either a or b at minimum considered
> starting a conversation with the other... Right? 

Yes, it proves either Alice or Bob knew about the conversation, or
someone who compromised one key.  There are no working transports that
avoid this evidence though anyways.

Ian Goldberg and Nik Unger have recent interesting work on deniability: 
https://www.cypherpunks.ca/~iang/pubs/dake-ccs15.pdf
https://www.cypherpunks.ca/~iang/pubs/dakez-popets18.pdf


<rant>
In my opinion, we should avoid deniability because it's actively harmful
to the people we most want to protect.  Activists, whistle blowers, etc.
are convicted with little more than plain text files as evidence, so
these people may actually be safest if cops cannot manipulate
transcripts.  It'll only be when a prosecutor is looking for an excuse
not to prosecute a powerful person that deniability will play any role.

As I've said before, small anonymity sets only benefit people who
already have power.  This principle applies to Monero vs ZCash or Taler,
PIR or DC-nets vs Mixnets, and to deniable key exchanges.  

Now one might imagine a future in which signature schemes are used so
heavily that juries start demanding cryptographic proof, like the "CSI
effect" where they now demand more physical evidence.  In that world, we
might find deniability useful, but we'd need decades without deniability
first, so yes please do design everything with signatures for now. 

Finally, you cannot do static-static with any existing post-quantum key
exchange anyways because they all do the Fujisaki-Okamoto transform from
IND-CPA to IND-CCA.  In other words, they must send the private
ephemeral key to prevent attacks on static keys.  Yet, post-quantum
signature schemes exist. 
</rant>

Jeff
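
The script below is an added illustration and is not part of Jeff's message
or of the thread: a toy X3DH run that shows the key-compromise impersonation
the subject line refers to, what signing the initiator's ephemeral key (the
fix raised in the quoted question) buys, and why it costs deniability.  It
assumes the standard four-term X3DH (DH1 = DH(IK_A, SPK_B), DH2 =
DH(EK_A, IK_B), DH3 = DH(EK_A, SPK_B), DH4 = DH(EK_A, OPK_B)) rather than
whatever "value #4" the earlier thread proposed; the static-static property
from the reply is checked separately.  The group is the RFC 3526 2048-bit
MODP prime instead of X25519, a Schnorr signature over that group stands in
for XEdDSA so the script needs only the standard library, and the function
and key names are the editor's own.

```python
"""Toy X3DH over the RFC 3526 2048-bit MODP group: an added illustration of
key-compromise impersonation (KCI) against the responder and of the
signed-ephemeral fix.  Real X3DH uses X25519/X448 and XEdDSA; the group and
signature here are stand-ins so the script runs on the standard library."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 prime.  p is a safe prime; g = 2 generates the subgroup
# of prime order q = (p - 1) / 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2
assert pow(G, Q, P) == 1, "g must have order q"  # guards against a mistyped prime
NBYTES = (P.bit_length() + 7) // 8

def keygen():
    """Private scalar x in [1, q) and public element g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def dh(priv, pub):
    """Plain DH after rejecting the trivial subgroup elements 1 and p - 1."""
    if not 1 < pub < P - 1:
        raise ValueError("public key outside the group")
    return pow(pub, priv, P)

def enc(n):
    return n.to_bytes(NBYTES, "big")

def kdf(*shared):
    """X3DH hashes the concatenated DH outputs; HMAC-SHA256 stands in for its KDF."""
    return hmac.new(b"X3DH-toy", b"".join(map(enc, shared)), hashlib.sha256).digest()

def x3dh_initiator(ik_a, ek_a, ik_b_pub, spk_b_pub, opk_b_pub):
    """Alice: DH1 = DH(IK_A, SPK_B), DH2 = DH(EK_A, IK_B),
    DH3 = DH(EK_A, SPK_B), DH4 = DH(EK_A, OPK_B)."""
    return kdf(dh(ik_a, spk_b_pub), dh(ek_a, ik_b_pub),
               dh(ek_a, spk_b_pub), dh(ek_a, opk_b_pub))

def x3dh_responder(ik_b, spk_b, opk_b, ik_a_pub, ek_a_pub):
    """Bob derives the same four values from his private keys."""
    return kdf(dh(spk_b, ik_a_pub), dh(ik_b, ek_a_pub),
               dh(spk_b, ek_a_pub), dh(opk_b, ek_a_pub))

def kci_impersonate(ek_m, spk_b_leaked, ik_a_pub, ik_b_pub, spk_b_pub, opk_b_pub):
    """Mallory poses as Alice to Bob.  DH1 is the only term that needs IK_A's
    private key, and Bob's leaked SPK_B private key gives the same value;
    DH2..DH4 need only Mallory's own ephemeral and Bob's public keys."""
    return kdf(dh(spk_b_leaked, ik_a_pub), dh(ek_m, ik_b_pub),
               dh(ek_m, spk_b_pub), dh(ek_m, opk_b_pub))

def schnorr_sign(priv, pub, msg):
    """Stand-in for XEdDSA: Schnorr over the same group, challenge bound to pub."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(enc(r) + enc(pub) + msg).digest(), "big") % Q
    return r, (k + e * priv) % Q

def schnorr_verify(pub, msg, sig):
    r, s = sig
    e = int.from_bytes(hashlib.sha256(enc(r) + enc(pub) + msg).digest(), "big") % Q
    return 1 < r < P and 0 <= s < Q and pow(G, s, P) == r * pow(pub, e, P) % P

def demo():
    """Honest exchange, KCI attack, signed-ephemeral fix; labelled booleans."""
    ik_a, ik_b, spk_b, opk_b, ek_a = [keygen() for _ in range(5)]
    out = {}
    out["honest_agree"] = (
        x3dh_initiator(ik_a[0], ek_a[0], ik_b[1], spk_b[1], opk_b[1])
        == x3dh_responder(ik_b[0], spk_b[0], opk_b[0], ik_a[1], ek_a[1]))
    # KCI: Mallory holds SPK_B's private key plus public keys and picks EK_M.
    ek_m = keygen()
    k_mallory = kci_impersonate(ek_m[0], spk_b[0], ik_a[1], ik_b[1], spk_b[1], opk_b[1])
    k_bob = x3dh_responder(ik_b[0], spk_b[0], opk_b[0], ik_a[1], ek_m[1])
    out["kci_succeeds"] = k_mallory == k_bob  # Bob accepts a session "with Alice"
    # Fix from the quoted question: Alice signs EK_A under IK_A, Bob verifies first.
    sig_a = schnorr_sign(ik_a[0], ik_a[1], enc(ek_a[1]))
    out["alice_sig_ok"] = schnorr_verify(ik_a[1], enc(ek_a[1]), sig_a)
    # Mallory lacks IK_A's private key; signing with what she holds is rejected.
    sig_m = schnorr_sign(spk_b[0], ik_a[1], enc(ek_m[1]))
    out["mallory_sig_rejected"] = not schnorr_verify(ik_a[1], enc(ek_m[1]), sig_m)
    # Cost: sig_a verifies for any third party, unlike the DH terms, which Bob
    # could have computed alone.  A static-static term has the same symmetry:
    # either private key (or whoever stole it) yields the identical value.
    out["static_static_symmetric"] = dh(ik_a[0], ik_b[1]) == dh(ik_b[0], ik_a[1])
    return out

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

What the run shows: with nothing but Bob's signed-prekey private key, Mallory
chooses a fresh ephemeral and computes every term Bob will, so Bob derives the
same session key and takes the session as Alice's.  A signature on EK_A under
IK_A closes that, because only IK_A's holder can produce it, but the same
signature convinces any third party, which is the deniability cost raised in
the quoted question.  The last check is the point made in the reply about a
static-static term: the value falls out of either private key, so its
existence shows only that one of the two parties, or someone holding one of
their keys, ran the computation.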
