On Wed, Oct 23, 2013 at 9:10 AM, David Goulet <[email protected]> wrote: > > I'm no crypto expert but my understanding is that deniability with OTR > done by broadcasting the ephemeral keys after usage, [...] > Considering that, if correct, I feel like deniability seems a non > trivial part here
I know I'm not making friends here, but to rehash what I've said before... Deniability is easily achieved if you just use Diffie-Hellman based key agreements without signatures (like MQV, NTor, TripleDH, etc.). Which should be probably done anyways, as these are the "best" key agreements (simplest, most efficient, most flexible). Deniability is achieved because any party could forge records of communication with other parties that a 3rd-party judge could not, post-facto, cryptographically distinguish from actual records. Because such forgery is possible, "malleablility" of transcripts isn't necessary, and the OTR / mpOTR rigamarole around "modifiable transcripts" and publishing signing/MAC keys becomes unnecessary. If you can *forge* transcripts from scratch, there's no need to modify existing ones. Trevor _______________________________________________ OTR-dev mailing list [email protected] http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
