[OTR-dev] The mpOTR diary: multiparty tripleDH
Trevor Perrin
trevp at trevp.net
Wed Dec 18 16:27:41 EST 2013
On Wed, Dec 18, 2013 at 7:52 AM, George Kadianakis <desnacked at riseup.net> wrote:
> I've been thinking of modifying tripleDH for the multiparty scenario
> since I read:
> https://whispersystems.org/blog/simplifying-otr-deniability/
>
> Doing tripleDH pairwise is definitely possible, but a broadcast
> variant is more fun.
>
> My naive idea: Let's assume n participants P_1...P_n. Each participant
> P_i has long-term Diffie-Hellman (public key, private key) as (PK_i,
> SK_i).
>
> a) Each participant P_i generates ephemeral DH keypair (pk_i, sk_i).
>
> b) Each participant publishes their public keys (both ephemeral and
> long-term). That is, they publish (PK_i, pk_i). [0]
>
> c) Each participant collects public keys till all n are received (or
> timeout happens XXX).
>
> d) Each participant generates a group key by doing a tripleDH with
> each other participant, concatenating the resulting secrets and
> plugging them in a KDF. That is, for participant P_1, we have:
> k = KDF[DH(PK_1, pk_2), DH(pk_1, PK_2), DH(pk_1, pk_2),
> DH(PK_1, pk_3), DH(pk_1, PK_3), DH(pk_1, pk_3),
> DH(PK_1, pk_4), DH(pk_1, PK_4), DH(pk_1, pk_4),
> ...,
> DH(PK_1, pk_N), DH(pk_1, PK_N), DH(pk_1, pk_N)]
Hmm, that "k" isn't going to be derivable by any other participant, though?
You could probably use "tripleDH" as the "deniable AKE" within an
mpOTR-type protocol, but I'm not sure about anything cleverer than
that...
> (Alternatively, maybe the tripleDH scheme could be combined with the
> Burmester-Desmedt broadcast cyclic group key agreement scheme [1] to
> make a broadcast protocol.)
I think hashing all the DH results together in tripleDH probably
destroys the algebraic structure for things like that to work.
Trevor
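
Added example, not part of the original message or of any OTR code: a sketch of step d that compares the "k" each participant ends up with against the pairwise tripleDH secret. The toy group (P, G), the SHA-256 `kdf`, the canonical ordering of the three DH values, and the names `Participant`, `group_key_step_d` and `run` are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption; these are not vetted DH parameters).
P = 2**255 - 19
G = 2

def keypair():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def kdf(values):
    h = hashlib.sha256()
    for v in values:
        h.update(v.to_bytes(32, "big"))
    return h.digest()

class Participant:
    def __init__(self, index):
        self.index = index
        self.SK, self.PK = keypair()   # long-term pair (PK_i, SK_i)
        self.sk, self.pk = keypair()   # ephemeral pair (pk_i, sk_i), step a

    def public(self):
        return (self.index, self.PK, self.pk)  # what step b publishes

    def triple_dh(self, peer):
        """The three DH values with one peer, ordered so both ends agree."""
        j, peer_PK, peer_pk = peer
        mine = pow(peer_pk, self.SK, P)    # DH(PK_me, pk_peer)
        theirs = pow(peer_PK, self.sk, P)  # DH(pk_me, PK_peer)
        eph = pow(peer_pk, self.sk, P)     # DH(pk_me, pk_peer)
        first, second = (mine, theirs) if self.index < j else (theirs, mine)
        return [first, second, eph]

    def group_key_step_d(self, directory):
        """k as written in step d: every tripleDH this participant can do."""
        out = []
        for peer in directory:
            if peer[0] != self.index:
                out += self.triple_dh(peer)
        return kdf(out)

def run(n=4):
    parties = [Participant(i) for i in range(1, n + 1)]
    directory = [p.public() for p in parties]
    group_keys = [p.group_key_step_d(directory) for p in parties]
    p1, p2 = parties[0], parties[1]
    pair_12 = kdf(p1.triple_dh(p2.public()))
    pair_21 = kdf(p2.triple_dh(p1.public()))
    return group_keys, pair_12, pair_21
```

Each participant's k only covers the pairs that include that participant, so the n values of k are all different, while the two ends of any one pair do derive the same tripleDH secret.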