keychat / Keychat
npub1h0u…rwx8
2024-09-17 09:42:03

keychat on Nostr: Let's explore the concept of a medium group from an interesting perspective. Suppose ...

Let's explore the concept of a medium group from an interesting perspective.

Suppose a medium group consists of three regular members, A, B, and C, along with one special member, D. Why is D special? Because the identity of D is shared among A, B, and C. When A sends a group message, it is effectively sending a message to D, allowing us to reuse Keychat's one-on-one chat functionality. Members B and C use D's identity to receive and decrypt the message sent by A.

However, D does not respond to messages, so messaging in the medium group uses only one of the two ratchets in the double ratchet algorithm (the symmetric ratchet) and not the DH ratchet. Therefore, messages in the medium group have forward secrecy similar to one-on-one messages but lack backward secrecy.

How can we achieve some degree of backward secrecy? By changing D, for instance to E, which effectively resets the DH ratchet. When the medium group adds or removes members, the special member is updated, and the group thereby gains some degree of backward secrecy.

If there's a need for more efficient and frequent changes of the special member, then we turn to the MLS protocol.
6/n

Keychat is on the verge of launching an updated model known as the upgraded sender key group, which is expected to be released this week and will be termed "medium group" in the new version.

Unlike the sender key group, where each member communicates their initial key, k0, to all other members, the upgraded sender key group has members sharing a common group key, k, akin to the mechanism used in the shared key group. Each member derives their personal k0 using a Diffie-Hellman calculation with their ID and the shared group key. They then encrypt their first message with k1 = kdf(k0), and subsequent messages with sequentially derived keys, like k2 = kdf(k1).

Other members decrypt incoming messages by sequentially deriving keys from the sender's k0. After use, these encryption keys are discarded. Thus, the upgraded sender key group maintains forward secrecy, meeting the third requirement, but does not offer backward secrecy, failing to meet the fourth requirement.

Efficiently updating the group key, k, would enable the group to meet the fourth requirement concerning backward secrecy.

If a member who has disclosed confidential chat information needs to be removed, a new group must be formed. The group admin must then individually share the new encryption key, k, with each of the N members, where N is the number of members.

This upgraded approach reduces the need for member updates from N*N individual chats in the sender key group to just N chats in the upgraded sender key group, significantly enhancing efficiency and maintaining forward secrecy.

Alternatively, this model could be described as an upgraded shared key group because, compared to the original shared key group, it offers forward secrecy and simplifies member updates to only N individual chats.

Yet, the requirement for N individual chats to update members remains a significant challenge for larger groups.
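
The key chain described above (k1 = kdf(k0), k2 = kdf(k1), old keys discarded), as an added example that is not Keychat's code: it shows that a leaked chain key exposes every later key but none of the earlier ones, and that restarting the chain from a new k0 cuts the leak off. The names `Chain` and `keys_reachable_from`, the use of HMAC-SHA256 as the kdf, and the constructed k0 values (the Diffie-Hellman step is not modelled) are assumptions.

```python
import hashlib
import hmac

def kdf(key: bytes) -> bytes:
    """One chain step. HMAC-SHA256 with a fixed label is an assumption; the post only says 'kdf'."""
    return hmac.new(key, b"chain-step", hashlib.sha256).digest()

class Chain:
    """Symmetric ratchet: holds only the latest key, so earlier keys are gone once used."""
    def __init__(self, k0: bytes):
        self._key = k0
        self.index = 0

    def next_key(self) -> bytes:
        self._key = kdf(self._key)   # k_{i+1} = kdf(k_i); k_i is overwritten
        self.index += 1
        return self._key

def keys_reachable_from(leaked: bytes, steps: int) -> list:
    """What someone holding one leaked chain key can compute by running kdf forward."""
    out, k = [], leaked
    for _ in range(steps):
        k = kdf(k)
        out.append(k)
    return out

def demo() -> dict:
    # Constructed stand-ins for k0; the DH derivation of k0 is not modelled here.
    k0_old = hashlib.sha256(b"constructed k0, member A, group key k").digest()
    k0_new = hashlib.sha256(b"constructed k0, member A, group key k'").digest()

    sender, receiver = Chain(k0_old), Chain(k0_old)
    sent = [sender.next_key() for _ in range(5)]        # k1..k5
    received = [receiver.next_key() for _ in range(5)]  # receiver derives in step

    leaked = sent[2]                                    # k3 leaks
    reachable = keys_reachable_from(leaked, 4)          # k4..k7 from the leaked key

    rotated = Chain(k0_new)                             # group key updated, chain restarts
    after_rotation = [rotated.next_key() for _ in range(3)]
    return {
        "in_sync": sent == received,
        "later_keys_exposed": sent[3:] == reachable[:2],
        "earlier_keys_exposed": any(k in reachable for k in sent[:2]),
        "rotated_keys_exposed": any(k in reachable for k in after_rotation),
    }

if __name__ == "__main__":
    print(demo())
```

Recovering k1 or k2 from k3 would require inverting the kdf, which is why discarding used keys gives forward secrecy; the rotation to a new k0 corresponds to updating the group key k or changing the special member.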
Author Public Key
npub1h0uj825jgcr9lzxyp37ehasuenq070707pj63je07n8mkcsg3u0qnsrwx8