Hi all, I have a crypto problem that you might find interesting. The setting is a private group discussion. The membership of the group is fixed and known to all members. Each member knows a long-term public signature key for each other member. These public signature keys may also be known to people outside the group.
Members should be able to send messages to the group, such that any member of the group can verify that a message was written by the owner of a particular signature key, but can't prove it to anyone outside the group.

Now, as far as I understand (which isn't far), there are various deniable group key agreement protocols that achieve the above, but they all require some more or less exotic crypto. On the other hand there's a simple combination of signatures and Diffie-Hellman (or ECDH if you prefer) that seems to achieve the above - but presumably if it did so, the exotic schemes wouldn't be necessary. So can you explain what's wrong with it?

The simple solution looks like this: each member of the group generates a long-term DH key pair and signs their long-term public DH key with their long-term signature key. The public DH keys may be known outside the group, just like the public signature keys. Each member of the group can derive a shared secret from their own private DH key and another member's public DH key, and be sure that the owner of the signature key that signed the public DH key is the only other party that knows the secret. They can then derive a MAC key from the shared secret. When a member posts a message to the group they attach one MAC for each other member of the group using the MAC key they share with that member.

If you want to save bandwidth at the cost of computation, you can do a single MAC-authenticated exchange of ephemeral public signature keys at the start of the discussion and then sign the messages with the ephemeral signature keys.

So why doesn't this work, or what doesn't it achieve that a more exotic protocol achieves?

Cheers,
Michael

P.S. There's an even simpler solution where you use the same long-term public EC key for both signing and ECDH, but as far as I understand there are security concerns about doing that.
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
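The scheme described in the post, worked through as an added example (my code, not Michael's): each member signs a long-term DH public key, every pair derives a MAC key from their DH shared secret, and a post carries one MAC per other member. It assumes the RFC 3526 1536-bit MODP group for DH and a Schnorr signature over the same group as a stand-in for the long-term signature keys; the member names and the "group-mac" label are constructed.

```python
import hashlib, hmac, secrets
# RFC 3526 1536-bit MODP group: g = 2 generates the prime-order subgroup of size Q.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
        "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2

def h(*parts):                    # hash to an exponent in [0, Q)
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q

def sign(x, msg):                 # Schnorr signature (assumed stand-in for the long-term signature key)
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k - x * h(str(r).encode(), msg)) % Q

def verify(y, msg, sig):          # accept iff g^s * y^e == r (mod P)
    r, s = sig
    return pow(G, s, P) * pow(y, h(str(r).encode(), msg), P) % P == r

class Member:
    def __init__(self, name):
        self.name = name
        self.sk = secrets.randbelow(Q - 1) + 1       # long-term signing key
        self.vk = pow(G, self.sk, P)
        self.dh = secrets.randbelow(Q - 1) + 1       # long-term DH key
        self.dh_pub = pow(G, self.dh, P)
        self.cert = sign(self.sk, str(self.dh_pub).encode())  # signed DH public key
        self.mac_keys = {}                           # peer name -> pairwise MAC key

    def add_peer(self, peer):     # check the signature on the peer's DH key, derive the shared MAC key
        if not verify(peer.vk, str(peer.dh_pub).encode(), peer.cert):
            raise ValueError("bad signature on %s's DH key" % peer.name)
        shared = pow(peer.dh_pub, self.dh, P).to_bytes(192, "big")
        self.mac_keys[peer.name] = hashlib.sha256(b"group-mac" + shared).digest()

    def post(self, msg):          # attach one MAC per other member, each under the pairwise key
        return msg, {n: hmac.new(k, msg, "sha256").digest() for n, k in self.mac_keys.items()}

    def check(self, sender, msg, macs):   # a recipient verifies only the MAC addressed to it
        mine = hmac.new(self.mac_keys[sender], msg, "sha256").digest()
        return hmac.compare_digest(macs.get(self.name, b""), mine)

def make_group(names):            # every member verifies every other member's signed DH key
    members = {n: Member(n) for n in names}
    for m in members.values():
        for peer in members.values():
            if peer is not m:
                m.add_peer(peer)
    return members
```

Because the MAC key for the Alice/Bob pair is held by both of them, Bob can compute exactly the MAC Alice would attach for him, which is what makes the MAC worthless as proof to an outsider while still being meaningful to Bob himself.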
