[OTR-users] mpOTR question: denAKE() and deniability in front of J

Ian Goldberg ian at cypherpunks.ca
Wed Aug 25 17:26:22 EDT 2010


On Wed, Aug 25, 2010 at 08:58:03PM +0200, Christoph A. wrote:
> Hi,
> 
> I'm studying the mpOTR design and would have some questions regarding
> algorithm 4 and some other questions regarding chapter 3.2.3 of the paper:
> http://www.cypherpunks.ca/~iang/pubs/mpotr.pdf
> 
> - Is denAKE(A,B) equal or similar to the OTR protocol? (if that is not
> the case where can I find more information about denAKE)

It's reference [7] (see p. 8, col. 2, par. 3).

> - Is k the encryption key and km the key for the MAC?

Yes.

> - If that is the case, why is km in line 4 (Send(B, SymEnc(Sign())..))
> used if there is no MAC (just SymEnc)?

Fair enough; km just gets ignored by that function, I suppose.

> Regarding the deniability in the case where a
> judge forces participants of a chat session (c1) to disclose their long
> term private keys:
> 
> From chapter 3.2.3:
> "
> Our privacy requirement is stronger than the settings presented in [11,
> 12] because J must not be able to distinguish between Alice’s
> transcripts and forgeries even if J gets Alice’s long-term secrets.
> "
> 
> later on:
> "
> We accept that users cannot convincingly deny their static secrets in
> order to achieve a less complicated protocol. The users can still deny
> taking part in any fixed chatroom and the content of messages that
> they sent.
> "
> 
> My question:
> Is this last sentence true, even if a judge gets the long-term keys of
> all participants of a given chat session, or was the requirement in
> chapter 3.2.3 sacrificed for a "less complicated" design?

Yes, the last sentence is still true.  Even if all private keys are
revealed to a judge, the judge should not be able to distinguish a real
transcript from a fake one.  Participants *cannot* deny that those were
their actual private keys, though.  So the keys are not deniable, but
the messages and the participation are.

> I found some slides of a talk at CCS:
> http://goliath.cs.ucdavis.edu/~matt/pubs/mpotr-ccs09/mpotr-ccs09-slides.pdf
> Does someone know if this talk is available somewhere?

That *is* the talk.  Or do you mean a video of it?  I don't know if the
talks were recorded.  Matt, do you remember?

   - Ian


