[cryptography] deniable store and forward with integrity protection?

Thierry Moreau thierry.moreau at connotech.com
Wed Feb 16 09:01:57 EST 2011

Adam Back wrote:
> Ian Brown and I proposed a simpler, non-interactive, approach for use in
> openPGP we called "non-transferable signatures"
>     http://www.cs.ucl.ac.uk/staff/i.brown/nts.htm
> The basic idea is you use an integrity protected (non-malleable) symmetric
> encryption option in PGP, and then change the signature packet to be a
> public key signature of the hash of the symmetric key and the recipients
> public key.
>     RSA_Enc( B_pub, sk ) +
>     RSA_Sig( A_pri, H( sk, B_pub ) ) +
>     c = Sym_Enc( sk, M ) +
>     Mac( sk, c )
> it proves A sent B a message, but only proves the content of the message to
> B, if B attempts to transfer the signature to C, C cant distinguish whether
> B forged the message vs A signed the message.
> Adam

What about
      c'=RSA_Enc( B_pub, sk ) +
      RSA_Sig( A_pri, H( sk, c' ) ) +

This achieves at least the same security level. It *might* achieve more.

Also, H( sk, B_Pub ) must have context data (time window, reference to 
transport mechanism, ...) so that replay attacks are detected.

Finally, you may have an optional proof of freshness (to the benefit of 
B) with a preliminary step:

      A gets sk' from B, else uses sk'=0

      c'=RSA_Enc( B_Pub, sk" ) +
      RSA_Sig( A_pri, sk' || H( sk", sk', c' ) ) +

B maintains a database of outstanding values for sk' if it wishes to 
validate the freshness.


- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691

More information about the cryptography mailing list