Home

Awesome

Private-Groups Spec | v2.0.0

A specification for implementing private groups in scuttlebutt.

The fundamentals of this spec are:

  1. uses envelope for encryption of content
  2. has group_ids which are safe to share publicly
  3. adding people to the group is done with group's knowledge
  4. supports disclosing of message content
    • but this leaks info about the group (peak at other messages / authors)

envelope encryption in scuttlebutt

In adition to the envelope-spec, there are some scuttlebutt-specific specifications

See spec here

recipient key derivation

box1 took feedIds from the content.recps field and directly used these for encryption.

In envelope, we instead take "ids" from content.recps, and map each to a key+scheme pair { key, scheme } where":

Type of idHow key is derivedscheme
private group ida key-store"envelope-large-symmetric-group"
feedId (someone else)diff-hellman styles"envelope-id-based-dm-converted-ed25519"
feedId (yours)locally stored key"envelope-symmetric-key-for-self"
P.O. Box iddiffie-hellman styles"envelope-id-based-pobox-curve25519"

see key-schemes.json for the canonical list of accepted schema labels

recipient restrictions

We talk about key_slots or recipients / recps a little interchangeably. Let's assume content.recps are mapped to key_slots preserving their order.

:warning: The following restrictions must be followed :

  1. there are max 16 slots on a message
  2. if there is a group key
    • a) there is only 1 group key
    • b) the group key is in the first key_slot
  3. we disallow you from making a shared DM key with yourself

More detail:

group management

A minimal amount of agreement to make coordination easier:


TODO

describe

changes in v2

Group IDs have moved from being sigil links like

%g/JTmMEjG4JP2aQAO0LM8tIoRtNkTq07Se6h1qwnQKb=.cloaked

to being SSB URIS like

ssb:identity/group/g_JTmMEjG4JP2aQAO0LM8tIoRtNkTq07Se6h1qwnQKb=

scuttlebutt private-groups spec (v3 ?)

Could modify this spec:

    • same
    • same
    • same
  1. supports privacy fiendly disclosing of message content
    • all internal cypherlinks are "cloaked"

Security considerations

While we have tried our best to create a secure end-to-end encrypted communication protocol, this spec is not fit for use in safety critical situations. The specification has not been vetted by an independent party. Even assuming a bug-free spec, we have intentionally left out several security features that are considered state of the art in other apps such as Signal, such as "forward secrecy".

Because of this, we advise that anyone that implements this spec in an app, includes prominent UI that warns the user about possible risks.

Links