[cryptography] deniable store and forward with integrity protection?

David-Sarah Hopwood david-sarah at jacaranda.org
Tue Feb 15 23:35:52 EST 2011


On 2011-02-16 03:49, Adam Back wrote:
> Ian Brown and I proposed a simpler, non-interactive, approach for use in
> OpenPGP we called "non-transferable signatures"
> 
>     http://www.cs.ucl.ac.uk/staff/i.brown/nts.htm
> 
> The basic idea is you use an integrity protected (non-malleable) symmetric
> encryption option in PGP, and then change the signature packet to be a
> public key signature of the hash of the symmetric key and the recipient's
> public key.
> 
>     RSA_Enc( B_pub, sk ) +
>     RSA_Sig( A_pri, H( sk, B_pub ) ) +
>     c = Sym_Enc( sk, M ) +
>     Mac( sk, c )
> 
> It proves A sent B a message, but only proves the content of the message to
> B; if B attempts to transfer the signature to C, C can't distinguish whether
> B forged the message vs A signed the message.

This protocol and the one I gave in my earlier reply on this thread are
similar, but this one uses Encrypt-and-Sign rather than Encrypt-then-Sign.
It relies on the fact that B_pub is included in H( sk, B_pub ) to prevent
the forgery attacks I pointed out there.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
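
Added example (not part of the original message, and not Back and Brown's or any OpenPGP code): a Python sketch of the construction quoted above, with a constructed toy textbook-RSA key and a hash-based stream cipher standing in for RSA_Sig and Sym_Enc; all function names and key bytes are assumptions. It shows that B, knowing sk, can attach A's signature to any message, and that the signature verifies only against the B_pub it was computed over.

```python
import hashlib, hmac

# Constructed toy RSA key for sender A (textbook RSA, no padding): illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h_int(sk, recipient_pub):
    """H(sk, B_pub) as an integer mod N; sk is length-prefixed to keep fields unambiguous."""
    data = len(sk).to_bytes(4, "big") + sk + recipient_pub
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sym_enc(sk, msg):
    """Toy stream cipher (SHA-256 in counter mode) standing in for Sym_Enc; its own inverse."""
    ks = b"".join(hashlib.sha256(sk + i.to_bytes(4, "big")).digest()
                  for i in range(len(msg) // 32 + 1))
    return bytes(m ^ k for m, k in zip(msg, ks))

def mac(sk, c):
    """Mac(sk, c) from the quoted construction, here HMAC-SHA256."""
    return hmac.new(sk, c, hashlib.sha256).digest()

def a_send(sk, b_pub, msg):
    """A's side: the signature covers H(sk, B_pub) only, never M or c."""
    c = sym_enc(sk, msg)
    return {"sig": pow(h_int(sk, b_pub), D, N), "c": c, "tag": mac(sk, c)}

def verify(sk, my_pub, pkt):
    """Recipient's check: recompute H(sk, pub) with its OWN public key, then check the MAC."""
    sig_ok = pow(pkt["sig"], E, N) == h_int(sk, my_pub)
    mac_ok = hmac.compare_digest(pkt["tag"], mac(sk, pkt["c"]))
    return sig_ok and mac_ok

def b_forge(sk, pkt, fake_msg):
    """Anyone holding sk (that is, B) can pair A's signature with a different message."""
    c = sym_enc(sk, fake_msg)
    return {"sig": pkt["sig"], "c": c, "tag": mac(sk, c)}

# Constructed placeholder bytes standing in for encoded public keys.
B_PUB, C_PUB = b"constructed-B-pub", b"constructed-C-pub"
```

The RSA_Enc( B_pub, sk ) step is omitted because the demonstration starts from the point where B has already recovered sk.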
