[Cryptography] A simpler group communication scheme...

jrzx jrzx at protonmail.ch
Wed Feb 24 23:10:36 EST 2021

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, February 23, 2021 10:25 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:

> Alice, Bob and Carol want to hold a group chat, Doug through Zeake might join in at some point. How do we establish and manage keys for the channel?
> The reason for bringing this up is that I am trying to work out if the ratcheting tree proposed in MLS actually delivers any value.

The simple, obvious, solution is that each of them uses asymmetric cryptography to
establish symmetric encryption shared secrets with each of the others, each party
with n-1 shared secrets in a group chat with n participants, with control messages
going over the channel with the room organizer.

Why do anything more complicated?

Alice chats to Bob. Bob invites Carol. Bob knows Carol's durable public elliptic point,
and sends her a single-use elliptic point with a single-use secret scalar known only to
Bob when he sends her the invite. If she accepts the invite, she sends single-use
elliptic points whose secret scalars are known only to her to Bob for each of the other
participants, and Bob sends those elliptic points to each of the other participants with the
durable elliptic point of Carol.

If messages are being distributed through a single central point (Bob), Alice encrypts each message with a random secret, different each time, and sends the exclusive-or of the symmetric secret with the n-1 shared secrets with each message.

But sending the messages directly to each participant is just as efficient, though it has the problem that none of the participants can know if all of the participants are seeing the same messages.

Setting up a reliable broadcast channel, such that everyone knows that everyone is seeing the same thing, is considerably more complex, though I have a solution for that also.

Indeed I have a solution for a reliable anonymous broadcast channel, where you can send a message from an unknown participant to all, and all will know that all have received it, or send it to one participant, and all will know that someone sent a message to someone, and the sender will know that the recipient received it, but only the recipient knows who received it, and only the sender knows both the sender and the recipient.

This latter solution is needed for the One True Lightning network, as an unreliable anonymous broadcast channel would allow check kiting on the lightning network, and the not exactly anonymous lightning network is recapitulating the evils of marginal reserve banking and central banking.
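The pairwise scheme sketched in the reply above, written out as an added example that is not part of the original post: each sender shares one secret with every other participant, encrypts each message under a fresh random key, and distributes that key to the n-1 recipients by exclusive-or with the respective pairwise secret. Assumptions of the example: the pairwise secrets are constructed with `os.urandom` in place of the ECDH agreement the post describes, and a SHA-256 keystream plus HMAC tag stands in for a real AEAD so the code runs with the standard library only.

```python
import hashlib
import hmac
import os


def make_pairwise_secrets(participants):
    """Constructed stand-in for the ECDH shared secrets each pair is assumed
    to have already established (assumption: 32-byte secrets)."""
    secrets = {}
    for i, a in enumerate(participants):
        for b in participants[i + 1:]:
            secrets[frozenset((a, b))] = os.urandom(32)
    return secrets


def xor_bytes(x, y):
    if len(x) != len(y):
        raise ValueError("length mismatch")
    return bytes(p ^ q for p, q in zip(x, y))


def _keystream(key, nonce, length):
    # Toy stream cipher: SHA-256 in counter mode. A real deployment would use an AEAD.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _mac(message_key, nonce, ciphertext):
    # Separate MAC key derived from the message key so the tag key never equals the cipher key.
    mac_key = hashlib.sha256(b"mac" + message_key).digest()
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def encrypt_group_message(sender, plaintext, participants, pairwise):
    """Encrypt under a fresh random key and wrap that key for each of the n-1 recipients
    by XOR with the sender/recipient pairwise secret, as the post describes."""
    message_key = os.urandom(32)
    nonce = os.urandom(16)
    ciphertext = xor_bytes(plaintext, _keystream(message_key, nonce, len(plaintext)))
    tag = _mac(message_key, nonce, ciphertext)
    wrapped_keys = {}
    for recipient in participants:
        if recipient == sender:
            continue
        wrapped_keys[recipient] = xor_bytes(message_key, pairwise[frozenset((sender, recipient))])
    return {"sender": sender, "nonce": nonce, "ciphertext": ciphertext,
            "tag": tag, "wrapped_keys": wrapped_keys}


def decrypt_group_message(recipient, bundle, pairwise):
    """Unwrap the message key with the recipient's pairwise secret, verify, decrypt.
    A party that has no pairwise secret with the sender cannot recover the key."""
    pair = frozenset((bundle["sender"], recipient))
    if recipient not in bundle["wrapped_keys"] or pair not in pairwise:
        raise PermissionError("no wrapped key for this recipient")
    message_key = xor_bytes(bundle["wrapped_keys"][recipient], pairwise[pair])
    expected_tag = _mac(message_key, bundle["nonce"], bundle["ciphertext"])
    if not hmac.compare_digest(expected_tag, bundle["tag"]):
        raise ValueError("authentication failed")
    return xor_bytes(bundle["ciphertext"],
                     _keystream(message_key, bundle["nonce"], len(bundle["ciphertext"])))


def demo():
    participants = ["Alice", "Bob", "Carol"]
    pairwise = make_pairwise_secrets(participants)
    bundle = encrypt_group_message("Alice", b"hello group", participants, pairwise)
    return {r: decrypt_group_message(r, bundle, pairwise) for r in ("Bob", "Carol")}


if __name__ == "__main__":
    print(demo())
```

One property of the XOR wrapping worth noting when reviewing such a design: the pairwise secret is static, so anyone who learns a single message key (for instance from a compromised recipient's memory) can XOR it with the wrapped copy and recover the pairwise secret, and with it every past and future key wrapped under it. Wrapping with a per-message key derived from the pairwise secret and the nonce via a KDF limits that exposure to one message.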