[cryptography] deniable store and forward with integrity protection?

James A. Donald jamesd at echeque.com
Mon Feb 14 22:13:43 EST 2011

Existing algorithms for off the record messaging between
entities identified by public keys require an initial round
trip to set up a shared secret.  Once a shared secret exists,
obviously routine encryption and MAC authentication will
create an off the record message - the recipient will know
that only someone who knows the shared secret could have
created the message, but cannot prove to someone else which
of the people holding the shared secret created the message -
the message is authenticated but deniable, authenticated but

It is fairly easy to design a protocol that achieves this
result without a round trip requirement (authentication
without round trips or signatures), but has such a protocol
already been published and examined?

The requirement of the protocol is that if the possessor of the
secret 'a' corresponding to public key A sends the message
to the possessor of the secret key b corresponding to public
key B, the message can only be decrypted by someone who holds
one of the two secrets, and only someone who holds one of the
two secrets could have created the message - but either one
could have created the message, hence, off the record.
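One construction that meets the requirement stated above, added here as an illustration and not taken from the post (the author does not say which design he has in mind): a static-static X25519 agreement between A and B gives a*B = b*A, so both sides reach the same keys with no round trip, and encrypt-then-MAC under those keys can be read and verified only by a holder of a or b, while either could have produced the message. The pure-Python X25519 ladder and the HMAC-SHA256 keystream are stdlib-only stand-ins chosen so the example runs offline; they are not constant-time and not a substitute for a real cipher library.

```python
import hmac, hashlib, os
P = 2**255 - 19  # field prime for Curve25519

def x25519(k: bytes, u: bytes) -> bytes:
    # RFC 7748 Montgomery ladder in pure Python for a stdlib-only demo (NOT constant-time)
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keygen():  # long-term identity key: (secret, public)
    sk = os.urandom(32)
    return sk, x25519(sk, (9).to_bytes(32, "little"))

def pair_keys(my_sk, their_pk, pk_a, pk_b):
    # a*B == b*A, so sender and receiver derive identical keys without a round trip;
    # both public keys are mixed in so the keys are specific to the pair (A, B).
    ss = x25519(my_sk, their_pk)
    kdf = lambda label: hashlib.sha256(label + ss + pk_a + pk_b).digest()
    return kdf(b"enc"), kdf(b"mac")

def _xor_stream(key, nonce, data):  # HMAC-SHA256 counter keystream, stand-in for a real cipher
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(blocks))
    return bytes(x ^ y for x, y in zip(data, ks))

def seal(keys, msg, nonce=None):  # encrypt-then-MAC under the shared pair keys
    enc_key, mac_key = keys; nonce = nonce or os.urandom(16)
    ct = _xor_stream(enc_key, nonce, msg)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_(keys, blob):  # plaintext, or None when the MAC does not verify
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return _xor_stream(enc_key, nonce, ct)
```

Because B can run `seal` with the very same keys A used, a verified message proves only that one of A or B wrote it, which is the deniability the post asks for; a signature by a would instead be transferable proof.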

