I've just realized that there could be a chosen application attack on groups. if the symmetric keys are used directly, say alice creates a group that happens to have bob's one way key in it. This would make it appear that bob is posting to the group.
to mitigate this... basically we just have to ensure that group keys can never collide.
so, you publish a group key `x` but before encrypting with it, you hmac: `group_key = hmac(x, "GROUP")`. one way groups would use a different hmac key: `oneway_key = hmac(x, "ONEWAY")`. this would mean that having the same group key as a one way key would require a hash collision.
since oneway keys are tied to a specific feed, it doesn't really matter if my oneway key and your oneway key are the same. however, if there are two group keys that are the same, you would see the posts from both, but think it was one group.
one solution might be to always hmac the key with the message which created that group (the first type: 'key'?). then additional people can be added to that group by sharing with them the decryption key for that specific message... hmm, that would mean you'd need out of order messages for this to work. also, indexing will need to handle a message that becomes decryptable later...
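The domain separation proposed in the issue, and the follow-up idea of binding a group key to the message that created the group, as an added example (not code from this thread or from the project). Assumptions: HMAC-SHA256 with `x` as the HMAC key and the label as the message, a toy MAC-only `seal`/`opens` pair standing in for the real message encryption, and constructed key and message-id values.

```python
import hashlib
import hmac

def derive(x: bytes, label: bytes, context: bytes = b"") -> bytes:
    """Derive a purpose-specific subkey from the published secret x."""
    # With no context this is exactly hmac(x, label) as written in the issue.
    msg = label if not context else label + b"\x00" + context
    return hmac.new(x, msg, hashlib.sha256).digest()

def group_key(x: bytes, created_by: bytes = b"") -> bytes:
    # created_by: id of the message that created the group (the comment's idea)
    return derive(x, b"GROUP", created_by)

def oneway_key(x: bytes) -> bytes:
    return derive(x, b"ONEWAY")

# Toy stand-in for authenticated encryption (assumption): a post "opens" under
# a key only if its 32-byte tag verifies under that key.
def seal(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest() + body

def opens(key: bytes, boxed: bytes) -> bool:
    tag, body = boxed[:32], boxed[32:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())

def demo():
    x = bytes(range(32))  # constructed: bob's published one-way secret

    # Keys used directly: alice lists x as a group key, so bob's one-way
    # post also verifies as a post to alice's group.
    raw_post = seal(x, b"bob's one-way post")
    confused_raw = opens(x, raw_post)

    # Keys derived per purpose: the same x yields unrelated keys, so the
    # one-way post no longer opens under the group key.
    post = seal(oneway_key(x), b"bob's one-way post")
    confused_derived = opens(group_key(x), post)

    # Two groups that reuse the same x stay distinct once the key is bound
    # to the creating message (ids below are constructed).
    distinct = group_key(x, b"%msg-1") != group_key(x, b"%msg-2")
    return confused_raw, confused_derived, distinct

if __name__ == "__main__":
    print(demo())
```
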