On Wed, Oct 23, 2013 at 10:13 AM, Greg Troxel <[email protected]> wrote: > > It seems that the hard property is to simultaneously achieve: > > deniability > > authentication to the counterparty in real time > > confidentiality, which means more than encryption, but also being > sure that you are encrypting in a key that only the authorized > counterparty has > > It seems that OTR does all of this, and I don't understand how you > propose to get the second two properties with unsigned DH.
Easily, see several decades of literature on implicitly-authenticated key agreement (MTI/A0, MQV, NTor, Unified Model, TripleDH, CurveCP, Naxos, etc and etc...) My favorite is the NTor / TripleDH-style of hashing ephemeral-static and static-static DHs together, see: NTor: http://cacr.uwaterloo.ca/techreports/2011/cacr2011-11.pdf TripleDH: https://whispersystems.org/blog/simplifying-otr-deniability/ http://www.isg.rhul.ac.uk/~kp/theses/CKthesis.pdf Trevor _______________________________________________ OTR-dev mailing list [email protected] http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
