[OTR-dev] The mpOTR diary: multiparty tripleDH

Trevor Perrin trevp at trevp.net
Wed Dec 18 16:27:41 EST 2013

On Wed, Dec 18, 2013 at 7:52 AM, George Kadianakis <desnacked at riseup.net> wrote:
> I've been thinking of modifying tripleDH for the multiparty scenario
> since I read:
> https://whispersystems.org/blog/simplifying-otr-deniability/
> Doing tripleDH pairwise is definitely possible, but a broadcast
> variant is more fun.
> My naive idea: Let's assume n participants P_1...P_n. Each participant
> P_i has long-term Diffie-Hellman (public key, private key) as (PK_i,
> SK_i).
> a) Each participant P_i generates ephemeral DH keypair (pk_i, sk_i).
> b) Each participant publishes their public keys (both ephemeral and
>    long-term). That is, they publish (PK_i, pk_i).         [0]
> c) Each participant collects public keys till all n are received (or
>    timeout happens XXX).
> d) Each participant generates a group key by doing a tripleDH with
>    each other participant, concatenating the resulting secrets and
>    plugging them in a KDF. That is, for participant P_1, we have:
>             k = KDF[DH(PK_1, pk_2), DH(pk_1, PK_2), DH(pk_1, pk_2),
>                     DH(PK_1, pk_3), DH(pk_1, PK_3), DH(pk_1, pk_3),
>                     DH(PK_1, pk_4), DH(pk_1, PK_4), DH(pk_1, pk_4),
>                     ...,
>                     DH(PK_1, pk_N), DH(pk_1, PK_N), DH(pk_1, pk_N)]

Hmm, that "k" isn't going to be derivable by any other participant, though?

You could probably use "tripleDH" as the "deniable AKE" within an
mpOTR-type protocol, but I'm not sure about anything cleverer than

> (Alternatively, maybe the tripleDH scheme could be combined with the
> Burmester-Desmedt broadcast cyclic group key agreement scheme [1] to
> make a broadcast protocol.)

I think hashing all the DH results together in tripleDH probably
destroys the algebraic structure for things like that work.


More information about the OTR-dev mailing list