
Off-The-Record messaging sounds nice in theory. I mean, I can even achieve a poor man’s zero-knowledge version of it by publishing my private key somewhere, after signing a private message with it. The recipient would then not be able to prove someone else didn’t have this private key, so they can’t prove that I signed it vs someone (including them) forging it. In fact, since you can’t really prove a negative, technically ANY message signed by a symmetric MAC or even asymmetric one is a “zero-knowledge” proof.

However, the actual situation used in the real world for “proving” that Alice signed a message with “her” private key, is that she posted it to some hub which then disseminated it to everyone. This hub, or network of trust around it, is really what the “proof” is rooted in. The more people who are in this network, or trust the hub, the stronger the belief is that Alice was the one who signed the message.

That’s because the “politics” of the system make it exponentially less likely, the more participants are in the message relay ecosystem, that the system would have propagated a forged message.

Sure, Alice may have stolen someone else’s key to impersonate them, but the protocol employed by the participants in the chat and the nodes relaying the messages would have supposedly rejected the signature based on the mismatch in some trusted database of pre-committed cryptographic payloads (e.g. long-term identity keys).

Alice could have signed into someone else’s account and sent the message as them. But again, the system doesn’t contemplate this “out-of-network” activity, same as “offchain activities” like stealing a painting.

So, now we come to Off-The-Record Messaging. The protocol can publish the MAC in the next message, but what does “publish” mean? If a trusted hub receives and disseminates messages in a linear order to nodes, then they’ll simply “trust” it to know the message came from Alice due to the message ordering. Alice denying it would amount to her saying the hub compromised the messages and forged the order. I guess that’s the only “deniability” that OTR Messaging really offers?

Of course, if the “publishing” of the MAC is delayed until most recipients receive the previous message(s) signed with it, then Alice’s ability to deny signing it reduces even further, as it is not just the hub that supposedly changed the order of the messages, but most people in the chat got them out of order and didn’t know it? It seems exponentially less likely the more people are in the chat and saw the message!
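The mechanism the question is circling around, as an added illustration that is not code from the question's author or from any OTR implementation: a per-message MAC key authenticates a message to whoever already holds the key, and once the key is revealed in a later message, a tag no longer proves who produced it, because anyone reading the transcript can mint a valid tag. The only thing left to argue about is ordering, which is exactly where the hub's log comes in. The code below uses HMAC-SHA256 as a stand-in (OTR's actual key schedule and MAC construction are not reproduced) and models the hub as a simple append-only log with sequence numbers; all keys and messages are constructed sample values.

```python
"""Constructed model of OTR-style deniability via MAC-key revelation.

Not OTR's real wire format or key derivation: HMAC-SHA256 stands in for
the message MAC, and a plain list stands in for a relaying hub that
assigns every entry a linear sequence number.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    seq: int          # position assigned by the hub (its linear ordering)
    sender: str       # who the hub *claims* posted the entry
    kind: str         # "msg" (MAC-tagged message) or "reveal" (old MAC key)
    body: bytes       # message bytes, or the revealed MAC key
    tag: bytes = b""  # HMAC tag, only meaningful for "msg" entries


@dataclass
class HubLog:
    """The relay's append-only view of the conversation."""
    entries: list = field(default_factory=list)

    def append(self, sender: str, kind: str, body: bytes, tag: bytes = b"") -> Entry:
        entry = Entry(len(self.entries), sender, kind, body, tag)
        self.entries.append(entry)
        return entry


def make_tag(mac_key: bytes, body: bytes) -> bytes:
    return hmac.new(mac_key, body, hashlib.sha256).digest()


def verify_tag(mac_key: bytes, body: bytes, tag: bytes) -> bool:
    # Constant-time comparison; a timing leak here would be its own bug.
    return hmac.compare_digest(make_tag(mac_key, body), tag)


def send(log: HubLog, sender: str, mac_key: bytes, body: bytes) -> Entry:
    """A party who holds the shared MAC key posts a tagged message."""
    return log.append(sender, "msg", body, make_tag(mac_key, body))


def reveal_key(log: HubLog, sender: str, mac_key: bytes) -> Entry:
    """OTR-style step: the MAC key for earlier messages is published."""
    return log.append(sender, "reveal", mac_key)


def forge_with_revealed_key(log: HubLog, body: bytes) -> tuple:
    """Any reader of the log can tag a new message with a revealed key.

    The resulting (body, tag) verifies exactly like a genuine one, so the
    tag alone can no longer attribute the message to anyone.
    """
    revealed = [e.body for e in log.entries if e.kind == "reveal"]
    if not revealed:
        raise ValueError("no MAC key has been revealed yet")
    key = revealed[-1]
    return body, make_tag(key, body)


def reveal_seq(log: HubLog, mac_key: bytes) -> Optional[int]:
    """Sequence number at which the hub logged the key's publication."""
    for e in log.entries:
        if e.kind == "reveal" and hmac.compare_digest(e.body, mac_key):
            return e.seq
    return None


def preceded_reveal(log: HubLog, entry: Entry, mac_key: bytes) -> Optional[bool]:
    """What someone who trusts the hub's ordering can conclude.

    True  -> logged before the key was public (only key holders could tag it)
    False -> logged after the key was public (anyone could have tagged it)
    None  -> key never revealed, ordering gives no extra information
    """
    r = reveal_seq(log, mac_key)
    if r is None:
        return None
    return entry.seq < r


def demo() -> dict:
    """Walk through a genuine message, a key reveal, and a post-reveal forgery."""
    log = HubLog()
    mac_key = b"constructed-shared-mac-key-0001"  # known to Alice and Bob only
    genuine = send(log, "alice", mac_key, b"hello bob")
    reveal_key(log, "alice", mac_key)
    body, tag = forge_with_revealed_key(log, b"alice never wrote this")
    forged = log.append("alice", "msg", body, tag)  # hub records it later
    return {
        "genuine_verifies": verify_tag(mac_key, genuine.body, genuine.tag),
        "forged_verifies": verify_tag(mac_key, forged.body, forged.tag),
        "genuine_before_reveal": preceded_reveal(log, genuine, mac_key),
        "forged_before_reveal": preceded_reveal(log, forged, mac_key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the model does and does not show. Both tags verify, so a MAC tag by itself attributes nothing once the key is out; even before the reveal, Bob could have produced the same tag, since he holds the same key. The only attribution left is `preceded_reveal`, and that is a statement about the hub's sequence numbers, not about the cryptography: a verifier who does not trust the hub's ordering learns nothing from it.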
