On Fri, 2018-01-19 at 13:57 +0100, Natanael wrote:
> I assume that having Alice sign her ephemeral key breaks deniability
> for her? That the construction expects only the receiver to have
> signed medium term keys?

Yes, but see rant below.

> I can't say I know enough to say for sure, but doesn't DH(static a,
> static b) also partially hurt deniability? One big difference between
> OTR and Signal / 3DH is denying that you ever have had contact. In the
> case of a compromise of a static key, then the pre-existence of this
> value #4 proves at least that either a or b at minimum considered
> starting a conversation with the other... Right?

Yes, it proves either Alice or Bob knew about the conversation, or someone who compromised one key. There are no working transports that avoid this evidence though anyways.

Ian Goldberg and Nik Unger have recent interesting work on deniability:
https://www.cypherpunks.ca/~iang/pubs/dake-ccs15.pdf
https://www.cypherpunks.ca/~iang/pubs/dakez-popets18.pdf

<rant>
In my opinion, we should avoid deniability because it's actively harmful to the people we most want to protect. Activists, whistleblowers, etc. are convicted with little more than plain text files as evidence, so these people may actually be safest if cops cannot manipulate transcripts. It'll only be when a prosecutor is looking for an excuse not to prosecute a powerful person that deniability will play any role.

As I've said before, small anonymity sets only benefit people who already have power. This principle applies to Monero vs ZCash or Taler, PIR or DC-nets vs Mixnets, and to deniable key exchanges.

Now one might imagine a future in which signature schemes are used so heavily that juries start demanding cryptographic proof, like the "CSI effect" where they now demand more physical evidence. In that world, we might find deniability useful, but we'd need decades without deniability first, so yes please do design everything with signatures for now.

Finally, you cannot do static-static with any existing post-quantum key exchange anyways because they all do the Fujisaki-Okamoto transform from IND-CPA to IND-CCA. In other words, they must send the private ephemeral key to prevent attacks on static keys. Yet, post-quantum signature schemes exist.
</rant>

Jeff
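The Fujisaki-Okamoto point above, as an added example that is not from the thread: a toy FO-style KEM built on ElGamal, showing that the receiver necessarily re-derives the sender's ephemeral exponent in order to re-encrypt and check the ciphertext, so the sender's contribution cannot be a static secret. The field size, generator, hash domain tags and function names are constructed assumptions, not any real scheme's parameters.

```python
import hashlib
import secrets

# Constructed toy parameters: a Mersenne prime field and an unchecked generator.
# Far too small to be secure; only the structure of the transform matters here.
P = (1 << 127) - 1
G = 3

def keygen():
    """Receiver's static key pair (the only long-term secret in an FO-style KEM)."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def pke_enc(pk, m, r):
    """IND-CPA ElGamal with the encryption randomness r passed in explicitly."""
    return (pow(G, r, P), (m * pow(pk, r, P)) % P)

def pke_dec(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P   # c1^(-sk) by Fermat's little theorem

def _h(tag, *ints):
    h = hashlib.sha256(tag)
    for x in ints:
        h.update(x.to_bytes(32, "big"))
    return h.digest()

def derive_r(m):
    """FO step: the 'ephemeral' exponent is a deterministic function of the seed m."""
    return int.from_bytes(_h(b"rand", m), "big") % (P - 1) + 1

def encaps(pk):
    """Sender picks a seed m; the exponent r and the shared key are derived from it."""
    m = secrets.randbelow(P - 2) + 1
    ct = pke_enc(pk, m, derive_r(m))
    return _h(b"key", m, *ct), ct

def decaps(sk, ct):
    """Receiver recovers m, re-derives r, and re-encrypts to check the ciphertext.
    A ciphertext that does not re-encrypt to itself is rejected (returns None)."""
    m = pke_dec(sk, ct)
    if pke_enc(pow(G, sk, P), m, derive_r(m)) != ct:
        return None
    return _h(b"key", m, *ct)

def recover_sender_exponent(sk, ct):
    """What the receiver learns as a side effect: the sender's full ephemeral secret."""
    return derive_r(pke_dec(sk, ct))
```

Because the receiver can recompute r for any valid ciphertext, there is no sender-side secret left to keep static, which is the obstacle to a static-static construction the rant describes.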
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging