Re: [MLS] Deniability without pairwise channels.

Jeff Burdges <> Wed, 22 January 2020 17:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E882B120108 for <>; Wed, 22 Jan 2020 09:21:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.532
X-Spam-Status: No, score=-3.532 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Z7hdBP46Vdtp for <>; Wed, 22 Jan 2020 09:21:36 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 99199120807 for <>; Wed, 22 Jan 2020 09:21:36 -0800 (PST)
Received: from [] ( [IPv6:2001:4ca0:2001:42:225:90ff:fe6b:d60]) by (Postfix) with ESMTP id 84CDF1C00D2; Wed, 22 Jan 2020 18:24:58 +0100 (CET)
From: Jeff Burdges <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_8283065D-D3AF-4761-8FBF-1B91B098730B"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 22 Jan 2020 12:21:26 -0500
In-Reply-To: <>
Cc: Sasa Radomirovic <>, Raphael Robert <>, Ian Miers <>
To: Messaging Layer Security WG <>
References: <> <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [MLS] Deniability without pairwise channels.
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Jan 2020 17:21:39 -0000

> On 22 Jan 2020, at 10:54, Raphael Robert <> wrote:
> I hope I understood your correctly, you are essentially proposing a “sign & reveal” scheme. If not, I’m sorry, and please let me know.
> What has become clearer in some of the discussion is that a “sign & reveal” scheme puts the burden of proof on the victim to some (large) extent. The attacker can publish a signature chain that starts with the public identity of the victim and ends with the signature of a specific message. This signature chain will most likely look valid to a third party at first sight. It then becomes the duty of the victim to prove that they indeed published secret keys and that therefore anyone could have signed the last part in the signature chain. For the victim, this is painful at best and impossible at worst. It would be much nicer if the attacker couldn’t publish such a signature chain in the first place.

Interesting thanks!

I suppose the victim could often be prevented from providing this proof too, like by evidence being “lost”, making this worse than no deniability.

It appears the golden rule for deniability is
  (*) anytime the parties have unequal power then deniability heavily favours party with more power,
so your observation provides a case when “sign & reveal” just makes (*) even worse.

I’ve never seen a “user story” that contradicts (*) but please do let me know if you think you know one, maybe off list if that’s a derail here.  I’d love to participate in some more user oriented formalisation of deniability eventually.  I do think deniability becomes useful when both parties have relatively equal power, although maybe the user interface suffices for the common messaging cases, but presumably properties related to full deniability become really useful in layer 2 blockchain scaling solutions like state channels.

Anyways in the vein of "sign & reveal” making (*) worse, I also want to caution that deniability schemes based on ring signatures actually make (*) worse because they prove that some party made the comment.  If you assume the parties have unequal power, as in a court case, then a ring signature effectively means the more powerful party can convince the court that the less powerful party signed the document.