On 17 April 2015 at 11:54, Michael Rogers <[email protected]> wrote:
> Hi all,
>
> I have a crypto problem that you might find interesting. The setting is
> a private group discussion. The membership of the group is fixed and
> known to all members. Each member knows a long-term public signature key
> for each other member. These public signature keys may also be known to
> people outside the group.
>
> Members should be able to send messages to the group, such that any
> member of the group can verify that a message was written by the owner
> of a particular signature key, but can't prove it to anyone outside the
> group.
>
> Now, as far as I understand (which isn't far), there are various
> deniable group key agreement protocols that achieve the above, but they
> all require some more or less exotic crypto. On the other hand there's a
> simple combination of signatures and Diffie-Hellman (or ECDH if you
> prefer) that seems to achieve the above - but presumably if it did so,
> the exotic schemes wouldn't be necessary. So can you explain what's
> wrong with it?
>
> The simple solution looks like this: each member of the group generates
> a long-term DH key pair and signs their long-term public DH key with
> their long-term signature key. The public DH keys may be known outside
> the group, just like the public signature keys.
>
> Each member of the group can derive a shared secret from their own
> private DH key and another member's public DH key, and be sure that the
> owner of the signature key that signed the public DH key is the only
> other party that knows the secret.

BTW, this is surely the flaw if you believe in the fantasy requirement: the private DH key can be shared, and thus the derived key.

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
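The "simple solution" quoted above, carried through as a runnable Go example. This is added here for illustration and is not code from the thread or from either poster; it assumes X25519 for the long-term DH keys, Ed25519 for the long-term signature keys, SHA-256 over the DH output to derive a pairwise key, and HMAC-SHA256 as the within-group authenticator (none of which the post specifies). The label strings and the sample messages are constructed. `Demo` shows both sides of the argument: Bob verifies Alice's tag, and Bob can produce an identical tag for a message Alice never wrote, so the tag proves authorship only to someone who already trusts that the other key holder did not forge it; anyone handed the private DH key, or the derived key, is in the same position.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Member holds one group member's long-term keys: an Ed25519 signature key
// pair, an X25519 Diffie-Hellman key pair, and the signature over the DH
// public key that the post describes.
type Member struct {
	Name    string
	SigPub  ed25519.PublicKey
	sigPriv ed25519.PrivateKey
	DHPub   *ecdh.PublicKey
	dhPriv  *ecdh.PrivateKey
	DHSig   []byte // Ed25519 signature over dhKeyLabel || DHPub
}

// Constructed domain-separation labels (an assumption, not from the post),
// so a signed DH key cannot be confused with any other signed object.
const (
	dhKeyLabel = "group-dh-pubkey-v1:"
	macKeyLabel = "pairwise-mac-key-v1:"
)

// NewMember generates both long-term key pairs and signs the DH public key.
func NewMember(name string) (*Member, error) {
	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	m := &Member{Name: name, SigPub: sigPub, sigPriv: sigPriv, DHPub: dhPriv.PublicKey(), dhPriv: dhPriv}
	m.DHSig = ed25519.Sign(sigPriv, append([]byte(dhKeyLabel), m.DHPub.Bytes()...))
	return m, nil
}

// VerifyDHKey checks that dhPub was signed by the holder of sigPub.
func VerifyDHKey(sigPub ed25519.PublicKey, dhPub *ecdh.PublicKey, sig []byte) bool {
	return ed25519.Verify(sigPub, append([]byte(dhKeyLabel), dhPub.Bytes()...), sig)
}

// PairwiseKey verifies the other member's signed DH key, runs X25519, and
// hashes the result with both public keys in a fixed order so that both
// members derive the same symmetric key.
func (m *Member) PairwiseKey(other *Member) ([]byte, error) {
	if !VerifyDHKey(other.SigPub, other.DHPub, other.DHSig) {
		return nil, errors.New("DH public key signature does not verify")
	}
	secret, err := m.dhPriv.ECDH(other.DHPub)
	if err != nil {
		return nil, err
	}
	a, b := m.DHPub.Bytes(), other.DHPub.Bytes()
	if bytes.Compare(a, b) > 0 {
		a, b = b, a
	}
	h := sha256.New()
	h.Write([]byte(macKeyLabel))
	h.Write(secret)
	h.Write(a)
	h.Write(b)
	return h.Sum(nil), nil
}

// Tag authenticates msg under a pairwise key with HMAC-SHA256.
func Tag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// VerifyTag checks a tag in constant time.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// Demo runs the exchange between two members. bobVerifies reports that Bob
// accepts Alice's tag; bobCanForge reports that Bob can mint a tag Alice's
// key also accepts, i.e. the tag does not bind Alice towards a third party.
func Demo() (bobVerifies bool, bobCanForge bool, err error) {
	alice, err := NewMember("alice")
	if err != nil {
		return
	}
	bob, err := NewMember("bob")
	if err != nil {
		return
	}
	kA, err := alice.PairwiseKey(bob)
	if err != nil {
		return
	}
	kB, err := bob.PairwiseKey(alice)
	if err != nil {
		return
	}
	msg := []byte("constructed sample message from alice") // constructed input
	bobVerifies = VerifyTag(kB, msg, Tag(kA, msg))
	forged := []byte("constructed message alice never sent") // constructed input
	bobCanForge = VerifyTag(kA, forged, Tag(kB, forged))
	return
}

func main() {
	ok, forge, err := Demo()
	fmt.Println("bob verifies alice's tag:", ok, "| bob can forge alice's tag:", forge, "| err:", err)
}
```

Because the MAC key is symmetric, `bobCanForge` is true by construction; that is the deniability property the post wants inside the group. The reply's objection applies the same way: whoever is given Alice's private DH key, or just the derived pairwise key, produces tags indistinguishable from Alice's, so the signature over the DH key only ever bound the key, never the messages.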
