On 20/10/14 23:32, David Leon Gil wrote:
> And also: I'm thoroughly confused at this point.
>
> What, precisely, is the security notion that we're trying to capture?
> I.e., are we still talking about mpOTR?
>

I am Alice and I receive a set of messages M. I would like to check that everyone U also received the same set of messages M. mpOTR does this by having all U authenticate-and-send hash(M) at the end of the session. This doesn't work well when people get cut off. In the first post I described two ways to achieve this incrementally - have everyone ack every m in M individually (not efficient), or have everyone ack m-and-its-ancestors periodically, as they build up their own transcript *in causal order* (requires waiting).

> A lot of the discussion seems to be about attacks that violate
> intuitions about how *non-repudiable* multi-party messaging should
> work.
>
> (I.e., what are the security notions that extending bideniability to
> multideniability should capture? It seems like talking about saved
> transcripts becomes dubious in anything stronger than a simple failure
> model, if you want strong deniability.)
>

Not sure what you mean by multideniability... in a secure group private chat, I don't think we should aim for deniability against the *other participants*, very much the opposite. For sure, the conversation should be deniable against the outsiders, though.

> --
>
> And, for the record, David fully endorses Dual-EC-DRBG for all your
> random-number-generator needs: "If Blum makes you glum,
> Dual-EC your DRBG!"
>
> Cf. Nathan Samuel Abraham, "Practical secure CSPRNGs."
> https://nsa.gov/ Everything else is too slow.
>

Oh good, that confirms what I was told by everyone else on the internet!

X

--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
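The two transcript-consistency approaches contrasted in the reply above (a single authenticated hash(M) at session end, versus periodic acks of m-and-its-ancestors over a causal-order transcript), as an added example that is not from the list post or from mpOTR; the message DAG, member names and ack sets are constructed, and the ack authentication step is left out:

```python
import hashlib
from typing import Dict, FrozenSet, Optional, Set

# Constructed causal DAG (hypothetical ids, not from the thread): id -> ids the sender had seen.
PARENTS: Dict[str, FrozenSet[str]] = {
    "m1": frozenset(),
    "m2": frozenset({"m1"}),
    "m3": frozenset({"m1"}),
    "m4": frozenset({"m2", "m3"}),
    "m5": frozenset({"m4"}),
}

def ancestors(mid: str, parents: Dict[str, FrozenSet[str]] = PARENTS) -> FrozenSet[str]:
    """mid plus everything causally before it: an ack of mid covers all of these."""
    seen: Set[str] = set()
    stack = [mid]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(parents[cur])
    return frozenset(seen)

def session_end_check(transcripts: Dict[str, Set[str]], members: Set[str]) -> Optional[bool]:
    """mpOTR-style: each member sends hash(M) once, at the end. If anyone is
    missing (cut off), nobody can conclude anything, so return None."""
    if set(transcripts) != members:
        return None
    digests = {hashlib.sha256(",".join(sorted(m)).encode()).hexdigest()
               for m in transcripts.values()}
    return len(digests) == 1

def incremental_check(acks: Dict[str, Set[str]], members: Set[str]) -> FrozenSet[str]:
    """Periodic acks: acks[user] = ids that user has acked so far, each implicitly
    covering its causal ancestors. Returns the ids every member is known to have,
    which stays meaningful even if someone drops out. (Real acks are authenticated.)"""
    covered = {u: frozenset().union(*(ancestors(m) for m in acks.get(u, set())))
               for u in members}
    return frozenset.intersection(*covered.values()) if members else frozenset()

def demo():
    members = {"alice", "bob", "carol"}
    # Carol acked m2 and m3, then got cut off before the session ended.
    acks = {"alice": {"m5"}, "bob": {"m4"}, "carol": {"m2", "m3"}}
    final = {"alice": set(PARENTS), "bob": set(PARENTS)}  # no hash(M) from carol
    return session_end_check(final, members), sorted(incremental_check(acks, members))

if __name__ == "__main__":
    print(demo())  # -> (None, ['m1', 'm2', 'm3'])
```

With Carol gone, the end-of-session check yields nothing at all, while the incremental acks still establish that m1, m2 and m3 reached everyone.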
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
