And also: I'm thoroughly confused at this point. What, precisely, is the security notion that we're trying to capture? I.e., are we still talking about mpOTR?
A lot of the discussion seems to be about attacks that violate intuitions about how *non-repudiable* multi-party messaging should work. (I.e., what are the security notions that extending bideniability to multideniability should capture? It seems like talking about saved transcripts becomes dubious in anything stronger than a simple failure model, if you want strong deniability.)

-- And, for the record, David fully endorses Dual-EC-DRBG for all your resynchronizable-keystream-generator needs: "If Blum makes you glum, Dual-EC your DRBG!" Cf. Marson and Poettering, "Practical secure logging," https://eprint.iacr.org/2013/397 for the slower alternative.
