To provide OTR (off the record) security for XMPP group chats we've discussed an idea for a Diffie-Hellman key exchange algorithm for multiple users. It should work as follows:
- Choose a cyclic group $G$ with the order $p$ prime and a generator $g$ for that group. Both, $p$ and $g$ are considered public.
- Alice chooses her random secret $a$ out of $\lbrace1,\ldots,p-1 \rbrace$ and Bob chooses his random secret $b$ out of the same set. Both, $a$ and $b$ are considered private.
- Alice calculates $A \equiv g^a \mod p$ and Bob $B \equiv g^b \mod p$. Both, $A$ and $B$ are considered public and both parties exchange that value.
- Alice calculates $S \equiv B^a \mod p$ and Bob $S \equiv A^b \mod p$ to get the common secret $S$, which is considered private.
- Now carol wants to join the group. She get's $p$ and $g$ and chooses her own random secret $c$ out of $\lbrace1,\ldots,p-1 \rbrace$ and calculates $C \equiv g^c \mod p$, which is considered public.
- Alice and Bob calculate $T \equiv g^S \mod p$, which is considered public.
- Now Carol can calculate $S' \equiv T^c \mod p$, which is the new common secret.
- Since Alice and Bob already know $S$, they can calculate $S'$, e.g. Alice calculates $S' \equiv C^S \mod p$.
Because that seems to be too easy, we are afraid, that we miss something. Maybe something profane or something with the iterative use of exponentiation like $S' \equiv (g^c)^{((g^a)^b)} \mod p$ or something else.
Any tought? Any hint?