[OTR-dev] Improved Deniable Signature Key Exchange for mpOTR
George Kadianakis
desnacked at riseup.net
Sun Mar 17 20:29:27 EDT 2013
Forwarding Matthew's mail, since it didn't get posted in the list for some
reason (maybe he is not subscribed):
---------------------------- Original Message ----------------------------
Subject: Re: [OTR-dev] Improved Deniable Signature Key Exchange for mpOTR
From: "Matthew Van Gundy" <matt at singlethink.net>
Date: Sat, March 16, 2013 12:40 pm
To: "George Kadianakis" <desnacked at riseup.net>
Cc: otr-dev at lists.cypherpunks.ca, iang at cs.uwaterloo.ca
--------------------------------------------------------------------------
Hi George,
I don't have my full notes at my fingertips. However, the choice of
Bohli et al.'s Deniable Group Key Agreement was motivated by its
properties: deniable / forgeable, group/conference key agreement, symmetry
(no user is trusted more than others), mutual authentication.
One of the major sticking points was deniability / forgeability. We
wanted a deniability / forgeability property that was stronger than
most existing notions in the following sense:
* The forger need not be in the set of participants. A third party
  (A) can forge transcripts between a set of other participants
  P = { B, C, D, ... } (not including A) without knowing the private
  keys of the participants in the transcript.
* The judge gets the private keys of all participants P. Even then,
  the judge cannot distinguish between a forged transcript and a
  legitimate transcript between the participants P sending the same
  messages.
Without going into all the details of why I didn't feel that these met
the requirements, some of the references I was considering at the time
include:
* SIGMA, SKEME, MQV, HMQV
* Mario Di Raimondo, Rosario Gennaro, Hugo Krawczyk: Deniable
  authentication and key exchange. ACM Conference on Computer and
  Communications Security 2006: 400-409.
* Dwork, Naor, Sahai. Deniable Authentication.
* Deniable Encryption
  http://eprint.iacr.org/1996/002
* Chameleon Signatures
  www.isoc.org/isoc/conferences/ndss/2000/proceedings/042.pdf
  http://eprint.iacr.org/2006/318
* Deniable Ring Authentication
  www.wisdom.weizmann.ac.il/~naor/PAPERS/denring.pdf
  http://link.springer.com/chapter/10.1007%2F978-3-540-24852-1_11
* Designated Verifier Proofs
  http://www.informatics.indiana.edu/markus/papers/dvp.pdf
* Multi-designated Verifier Signatures
  http://www.sciencedirect.com/science/article/pii/S0020019006003504
  http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1524311&tag=1
* Limited Verifier Signatures
  http://link.springer.com/chapter/10.1007%2F978-3-540-24852-1_10
* Broadcast Interactive Zero-Knowledge Proofs
  http://link.springer.com/chapter/10.1007%2F3-540-46416-6_7?LI=true#page-1
* Concurrent Zero-Knowledge Proofs
  http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.21.6818
Cheers,
Matt
On Fri, Mar 15, 2013 at 03:51:12PM -0700, George Kadianakis wrote:
> Hi Matt,
>
> I recently read your "Improved Deniable Signature Key Exchange for mpOTR"
> article, which led me to "Deniable Group Key Agreement" by Bohli et al.,
> which then led me to "Constant-Round Authenticated Group Key
> Exchange for Dynamic Groups" by Hyun-Jeong Kim et al. and "Secure Group
> Key Establishment Revisited" by Bohli et al.
>
> Looking at the references of all these papers, I find myself with a big
> TOREAD list of Authenticated Group Key Exchange papers. Consequently, I
> started wondering how you selected "Deniable Group Key Agreement" as the
> basis of your paper. Is it because it's one of the few papers that present
> deniable variants of group key exchanges? What other papers/research did
> you have in mind when you were selecting protocols for your DSKE?
>
> Thanks!
>
> (CCing otr-dev and Ian)