Existing algorithms for off the record messaging between entities identified by public keys require an initial round trip to set up a shared secret. Once a shared secret exists, obviously routine encryption and MAC authentication will create an off the record message - the recipient will know that only someone who knows the shared secret could have created the message, but cannot prove to someone else which of the people holding the shared secret created the message - the message is authenticated but deniable, authenticated but unsigned.
It is fairly easy to design a protocol that achieves this result without a round trip requirement (authentication without round trips or signatures), but has such a protocol already been published and examined? The requirement of the protocol is that if the possessor of the secret 'a' corresponding to public key A sends the message to the possessor of the secret key 'b' corresponding to public key B, the message can only be decrypted by someone who holds one of the two secrets, and only someone who holds one of the two secrets could have created the message - but either one could have created the message, hence, off the record.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
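The construction the post sketches, as an added example that is not part of the original message: a static-static X25519 agreement between the long-term keys (a, A) and (b, B) stands in for the shared secret, so no round trip is needed, and AES-GCM supplies the routine encryption and MAC. The function names Seal, Open and gcmFor are my own; the post names no implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"io"
)

// gcmFor derives the pair key from the static-static Diffie-Hellman value
// a*B == b*A and wraps it in AES-256-GCM. Only a holder of a or b can compute
// the key, and both can, so a message under it is authenticated to the pair but
// attributable to neither. (Real code would run HKDF over the shared value with
// both public keys as context; a bare SHA-256 keeps this example short.)
func gcmFor(self *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := self.ECDH(peer) // errors only on a malformed or low-order peer key
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is exactly 32 bytes
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext for peer with no prior round trip.
// Output layout: random 12-byte nonce || AES-GCM ciphertext || 16-byte tag.
func Seal(self *ecdh.PrivateKey, peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	g, err := gcmFor(self, peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open checks the tag and decrypts. It fails for anyone holding neither a nor b,
// and a successful Open cannot show which of the two secrets produced the message.
func Open(self *ecdh.PrivateKey, peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	g, err := gcmFor(self, peer)
	if err != nil {
		return nil, err
	}
	if len(msg) < g.NonceSize() {
		return nil, io.ErrUnexpectedEOF // truncated: reject rather than slice out of range
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}
```

Because gcmFor yields the same key on both sides, the holder of b can produce a ciphertext that the holder of a accepts exactly as if it had come from b's peer, which is the deniability property the post is after.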
