Forwarding Matthew's mail, since it didn't get posted in the list for some reason (maybe he is not subscribed):
---------------------------- Original Message ----------------------------
Subject: Re: [OTR-dev] Improved Deniable Signature Key Exchange for mpOTR
From: "Matthew Van Gundy" <[email protected]>
Date: Sat, March 16, 2013 12:40 pm
To: "George Kadianakis" <[email protected]>
Cc: [email protected] [email protected]
--------------------------------------------------------------------------

Hi George,

I don't have my full notes at my fingertips. However, the choice of Bohli et al.'s Deniable Group Key Agreement was motivated by its properties: deniable / forgeable, group/conference key agreement, symmetry (no user is trusted more than others), mutual authentication.

One of the major sticking points was deniability / forgeability. We wanted a deniability / forgeability property that was stronger than most existing notions in the following sense:

* The forger need not be in the set of participants. A third party (A) can forge transcripts between a set of other participants P = { B, C, D, ... } (not including A) without knowing the private keys of the participants in the transcript.
* The judge gets the private keys of all participants P. Even then, the judge cannot distinguish between a forged transcript and a legitimate transcript between the participants P sending the same messages.

Without going into all the details of why I didn't feel that these met the requirements, some of the references I was considering at the time include:

* SIGMA, SKEME, MQV, HMQV
* Mario Di Raimondo, Rosario Gennaro, Hugo Krawczyk: Deniable authentication and key exchange. ACM Conference on Computer and Communications Security 2006: 400-409.
* Dwork, Naor, Sahai. Deniable Authentication.
* Deniable Encryption
  http://eprint.iacr.org/1996/002
* Chameleon Signatures
  www.isoc.org/isoc/conferences/ndss/2000/proceedings/042.pdf
  http://eprint.iacr.org/2006/318
* Deniable Ring Authentication
  www.wisdom.weizmann.ac.il/~naor/PAPERS/denring.pdf
  http://link.springer.com/chapter/10.1007%2F978-3-540-24852-1_11
* Designated Verifier Proofs
  http://www.informatics.indiana.edu/markus/papers/dvp.pdf
* Multi-designated Verifier Signatures
  http://www.sciencedirect.com/science/article/pii/S0020019006003504
  http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1524311&tag=1
* Limited Verifier Signatures
  http://link.springer.com/chapter/10.1007%2F978-3-540-24852-1_10
* Broadcast Interactive Zero-Knowledge Proofs
  http://link.springer.com/chapter/10.1007%2F3-540-46416-6_7?LI=true#page-1
* Concurrent Zero-Knowledge Proofs
  http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.21.6818

Cheers,
Matt

On Fri, Mar 15, 2013 at 03:51:12PM -0700, George Kadianakis wrote:
> Hi Matt,
>
> I recently read your "Improved Deniable Signature Key Exchange for mpOTR"
> article, which led me to "Deniable Group Key Agreement" by Bohli et al.,
> which then led me to "Constant-Round Authenticated Group Key
> Exchange for Dynamic Groups" by Hyun-Jeong Kim et al. and "Secure Group
> Key Establishment Revisited" by Bohli et al.
>
> Looking at the references of all these papers, I find myself with a big
> TOREAD list of Authenticated Group Key Exchange papers. Consequently, I
> started wondering how you selected "Deniable Group Key Agreement" as the
> basis of your paper. Is it because it's one of the few papers that present
> deniable variants of group key exchanges? What other papers/research did
> you have in mind when you were selecting protocols for your DSKE?
>
> Thanks!
>
> (CCing otr-dev and Ian)
>
> _______________________________________________
> OTR-dev mailing list
> [email protected]
> http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
