[OTR-dev] Improved Deniable Signature Key Exchange for mpOTR

George Kadianakis desnacked at riseup.net
Sun Mar 17 20:29:27 EDT 2013

Forwarding Matthew's mail, since it didn't get posted in the list for some
reason (maybe he is not subscribed):

---------------------------- Original Message ----------------------------
Subject: Re: [OTR-dev] Improved Deniable Signature Key Exchange for mpOTR
From:    "Matthew Van Gundy" <matt at singlethink.net>
Date:    Sat, March 16, 2013 12:40 pm
To:      "George Kadianakis" <desnacked at riseup.net>
Cc:      otr-dev at lists.cypherpunks.ca
         iang at cs.uwaterloo.ca

Hi George,

I don't have my full notes at my fingertips.  However, the choice of
Bohli et al.'s Deniable Group Key Agreement was motivated by its
properties: deniable / forgeable, group/conference key agreement, symmetry
user is trusted more than others), mutual authentication.

One of the major sticking points was deniability / forgeability.  We
wanted a deniability / forgeability property that was stronger than
most existing notions in the following sense:

  * The forger need not be in the set of participants. A third party
    (A) can forge transcripts between a set of other participants
    P = { B, C, D, ... } (not including A) without knowing the private
    keys of the participants in the transcript.

  * The judge gets the private keys of all participants P.  Even then,
    the judge cannot distinguish between a forged transcript and a
    legitimate transcript between the participants P sending the same

Without going into all the details of why I didn't feel that these met
the requirements, some of the references I was considering at the time


  * Mario Di Raimondo, Rosario Gennaro, Hugo Krawczyk: Deniable
    authentication and key exchange. ACM Conference on Computer and
    Communications Security 2006: 400-409.

  * Dwork, Naor, Sahai. Deniable Authentication.

  * Deniable Encryption

  * Chameleon Signatures

  * Deniable Ring Authentication

  * Designated Verifier Proofs

  * Multi-designated Verifier Signatures

  * Limited Verifier Signatures

  * Broadcast Interactive Zero-Knowledge Proofs

  * Concurrent Zero-Knowledge Proofs


On Fri, Mar 15, 2013 at 03:51:12PM -0700, George Kadianakis wrote:
> Hi Matt,
> I recently read your "Improved Deniable Signature Key Exchange for mpOTR"
> article, which led me to "Deniable Group Key Agreement" by Bohli et al.,
> which then led me to "Constant-Round Authenticated Group Key
> Exchange for Dynamic Groups" by Hyun-Jeong Kim et al. and "Secure Group
> Key Establishment Revisited" by Bohli et al.
> Looking at the references of all these papers, I find myself with a big
> TOREAD list of Authenticated Group Key Exchange papers. Consequently, I
> started wondering how you selected "Deniable Group Key Agreement" as the
> basis of your paper. Is it because it's one of the few papers that present
> deniable variants of group key exchanges? What other papers/research did
> you have in mind when you were selecting protocols for your DSKE?
> Thanks!
> (CCing otr-dev and Ian)