Deniable Group Key Agreement

摘要

Especially for key establishment protocols to be used in internet applications, the (privacy) concern of deniability arises: Can a protocol transcript be used—possibly by a participant—to prove the involvement of another party in the protocol? For two party key establishment protocols, a common technique for achieving deniability is the replacement of signature-based message authentication with authentication based on symmetric keys. We explore the question of deniability in the context of group key establishment: Taking into account malicious insiders, using a common symmetric key for authentication is critical, and the question of how to achieve deniability arises.rnBuilding on a model of Bresson et al., we offer a formalization of deniability and present a group key agreement offering provable security in the usual sense, deniability, and security guarantees against malicious insiders. Our approach for achieving deniability through a suitably distributed Schnorr-signature might also be of independent interest.