On Wed, Dec 18, 2013 at 7:52 AM, George Kadianakis <[email protected]> wrote:
> I've been thinking of modifying tripleDH for the multiparty scenario
> since I read:
> https://whispersystems.org/blog/simplifying-otr-deniability/
>
> Doing tripleDH pairwise is definitely possible, but a broadcast
> variant is more fun.
>
> My naive idea: Let's assume n participants P_1...P_n. Each participant
> P_i has long-term Diffie-Hellman (public key, private key) as (PK_i,
> SK_i).
>
> a) Each participant P_i generates ephemeral DH keypair (pk_i, sk_i).
>
> b) Each participant publishes their public keys (both ephemeral and
> long-term). That is, they publish (PK_i, pk_i). [0]
>
> c) Each participant collects public keys till all n are received (or
> timeout happens XXX).
>
> d) Each participant generates a group key by doing a tripleDH with
> each other participant, concatenating the resulting secrets and
> plugging them in a KDF. That is, for participant P_1, we have:
>   k = KDF[DH(PK_1, pk_2), DH(pk_1, PK_2), DH(pk_1, pk_2),
>           DH(PK_1, pk_3), DH(pk_1, PK_3), DH(pk_1, pk_3),
>           DH(PK_1, pk_4), DH(pk_1, PK_4), DH(pk_1, pk_4),
>           ...,
>           DH(PK_1, pk_N), DH(pk_1, PK_N), DH(pk_1, pk_N)]
Hmm, that "k" isn't going to be derivable by any other participant, though?

You could probably use "tripleDH" as the "deniable AKE" within an
mpOTR-type protocol, but I'm not sure about anything cleverer than
that...

> (Alternatively, maybe the tripleDH scheme could be combined with the
> Burmester-Desmedt broadcast cyclic group key agreement scheme [1] to
> make a broadcast protocol.)

I think hashing all the DH results together in tripleDH probably
destroys the algebraic structure for things like that to work.

Trevor
_______________________________________________
OTR-dev mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
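Added example, not part of the original thread or of any OTR code: a sketch of step (d) of the quoted proposal, showing that each participant's "k" is built from DH values the others cannot compute, while pairwise tripleDH keys do agree. The toy group (2**127 - 1, g = 3), SHA-256 standing in for the KDF, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters, assumed for illustration only (not a secure group choice).
P = 2**127 - 1   # Mersenne prime
G = 3

def keypair():
    sk = secrets.randbelow(P - 3) + 2
    return pow(G, sk, P), sk

def dh(pub, priv):
    return pow(pub, priv, P).to_bytes(16, "big")

def kdf(chunks):
    # Assumption: SHA-256 stands in for the unspecified KDF.
    return hashlib.sha256(b"".join(chunks)).hexdigest()

class Party:
    def __init__(self):
        self.PK, self.SK = keypair()    # long-term (PK_i, SK_i)
        self.pk, self.sk = keypair()    # ephemeral (pk_i, sk_i), step (a)
        self.pub = (self.PK, self.pk)   # what gets published in step (b)

def triple_dh(me, peer_pub):
    # The three values P_i can compute with P_j, in the order step (d) lists them.
    PK_j, pk_j = peer_pub
    return [dh(pk_j, me.SK), dh(PK_j, me.sk), dh(pk_j, me.sk)]

def naive_group_key(i, parties):
    # Step (d): concatenate tripleDH with every other participant, then KDF.
    chunks = []
    for j, peer in enumerate(parties):
        if j != i:
            chunks += triple_dh(parties[i], peer.pub)
    return kdf(chunks)

def pairwise_key(me, peer_pub):
    # The first two values swap roles between the two sides, so sort them.
    a, b, c = triple_dh(me, peer_pub)
    return kdf(sorted([a, b]) + [c])

def demo(n=4):
    ps = [Party() for _ in range(n)]
    group = [naive_group_key(i, ps) for i in range(n)]
    pairs_agree = all(pairwise_key(ps[i], ps[j].pub) == pairwise_key(ps[j], ps[i].pub)
                      for i in range(n) for j in range(i + 1, n))
    return group, pairs_agree
```

`demo()` returns n distinct values of "k" alongside `True` for pairwise agreement: P_1's input contains DH(PK_1, pk_3), which P_2 cannot compute without SK_1 or sk_3.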
