[Cryptography] Cryptographic challenge

jamesd at echeque.com
Sat May 5 19:13:00 EDT 2018


On 4/28/2018 6:39 AM, Phillip Hallam-Baker wrote:
> When a message is sent to a single recipient, the DH scheme has the 
> property that it is free of subliminal channels. There is no part of the 
> output message that is not either constrained by the input or has been 
> processed through a one way function. The generator of the message can 
> choose the ephemeral private key but can only use the public key as a 
> channel through 'brute force' type approaches requiring vast amounts of 
> processing or large numbers of messages to communicate.

Assume that each party that is entitled to access the data has a well 
known public key, identified under the Zooko triangle scheme, or the 
Zooko quadrangle/namecoin scheme, where there is a consensus merkle 
patricia tree associating human readable names with keys.

Using the notation that the combination of two points on an elliptic curve 
to give a third point on the same elliptic curve is denoted by addition, 
that points on the elliptic curve are denoted by capitals, that integers 
are denoted by lower case letters, and that adding the point P to itself 
n times is denoted by n*P.

Bob's secret key is b, his public key is b*G = B
Carol's secret key is c, her public key is c*G = C
Dave's secret key is d, his public key is d*G = D

We want to encrypt some data so that Bob, Carol, and Dave all have 
access to it, and there are no subliminal channels stored with the data.

In forming the group Bob plus Carol plus Dave, the group members create 
and make public the keys c*d*G, b*d*G, and b*c*G.

The secret key for group data, that all members of the group can look 
at, is b*c*d*G.

This procedure has no forward secrecy.  To obtain forward secrecy, group 
members from time to time generate new transient keys signed by their 
durable keys.
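
The group construction described in the message above, as an added example that is not part of the original post: each member multiplies the published product of the other two members' keys by their own secret and arrives at the same point b*c*d*G, which depends only on the three durable keys. The choice of secp256k1, the label-derived demo secrets and the final SHA-256 step are assumptions made for the illustration.

```python
import hashlib

# secp256k1 parameters; the curve choice is an assumption (the post names no curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """k*pt by double-and-add (not constant time; illustration only)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def secret(label):
    """Constructed demo secret derived from a label; real keys come from a CSPRNG."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % N

def publish(b, c, d):
    """Values the group makes public: B, C, D and the three pairwise products."""
    B, C, D = mul(b, G), mul(c, G), mul(d, G)
    return {"B": B, "C": C, "D": D,
            "cdG": mul(c, D),   # computed by Carol from Dave's public key
            "bdG": mul(d, B),   # computed by Dave from Bob's public key
            "bcG": mul(b, C)}   # computed by Bob from Carol's public key

def group_key(own_secret, others_product):
    """own_secret * (others' product) = b*c*d*G, hashed to 32 bytes (hash step assumed)."""
    x, _ = mul(own_secret, others_product)
    return hashlib.sha256(x.to_bytes(32, "big")).digest()

b, c, d = secret(b"bob"), secret(b"carol"), secret(b"dave")
pub = publish(b, c, d)
keys = [group_key(b, pub["cdG"]), group_key(c, pub["bdG"]), group_key(d, pub["bcG"])]
```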

