On 2011-02-16 03:49, Adam Back wrote:
> Ian Brown and I proposed a simpler, non-interactive, approach for use in
> openPGP we called "non-transferable signatures"
>
> http://www.cs.ucl.ac.uk/staff/i.brown/nts.htm
>
> The basic idea is you use an integrity protected (non-malleable) symmetric
> encryption option in PGP, and then change the signature packet to be a
> public key signature of the hash of the symmetric key and the recipient's
> public key.
>
> RSA_Enc( B_pub, sk ) +
> RSA_Sig( A_pri, H( sk, B_pub ) ) +
> c = Sym_Enc( sk, M ) +
> Mac( sk, c )
>
> it proves A sent B a message, but only proves the content of the message to
> B, if B attempts to transfer the signature to C, C can't distinguish whether
> B forged the message vs A signed the message.

This protocol and the one I gave in my earlier reply on this thread are similar, but this one uses Encrypt-and-Sign rather than Encrypt-then-Sign. It relies on the fact that B_pub is included in H( sk, B_pub ) to prevent the forgery attacks I pointed out there.

--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
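
The construction quoted in the message above, as an added example that is not from either poster or from the nts.htm page: a toy Python model showing that the signature covers only H( sk, B_pub ), so anyone holding sk can attach it to different content, and that it does not verify against another recipient's key. Textbook RSA over small constructed primes and a SHA-256 keystream stand in for the PGP primitives, and every function name here is an assumption.

```python
# Added example: toy model of the quoted construction. NOT secure crypto:
# textbook RSA on small constructed primes, SHA-256 keystream as Sym_Enc.
import hashlib, hmac, os

E = 65537

def keygen(p, q):                      # constructed toy key from two primes
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def h_int(sk, b_n, mod):               # H( sk, B_pub ) as an integer < mod
    digest = hashlib.sha256(sk + b_n.to_bytes(64, "big")).digest()
    return int.from_bytes(digest, "big") % mod

def sym_enc(sk, data):                 # XOR keystream; also decrypts
    ks = b"".join(hashlib.sha256(sk + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def mac(sk, c):                        # Mac( sk, c )
    return hmac.new(sk, c, hashlib.sha256).digest()

def send(a_key, b_n, msg):             # the four parts A transmits to B
    sk = os.urandom(16)
    c = sym_enc(sk, msg)
    return {"enc_sk": pow(int.from_bytes(sk, "big"), E, b_n),
            "sig": pow(h_int(sk, b_n, a_key["n"]), a_key["d"], a_key["n"]),
            "c": c, "mac": mac(sk, c)}

def recover_sk(b_key, pkt):            # B undoes RSA_Enc( B_pub, sk )
    return pow(pkt["enc_sk"], b_key["d"], b_key["n"]).to_bytes(16, "big")

def verify(a_n, b_n, sk, pkt):         # the check any holder of sk can run
    sig_ok = pow(pkt["sig"], E, a_n) == h_int(sk, b_n, a_n)
    mac_ok = hmac.compare_digest(pkt["mac"], mac(sk, pkt["c"]))
    return sig_ok and mac_ok

def forge(sk, pkt, other_msg):         # B keeps A's signature, swaps content
    c = sym_enc(sk, other_msg)
    return {**pkt, "c": c, "mac": mac(sk, c)}

A = keygen(2**61 - 1, 2**89 - 1)       # constructed toy keys (Mersenne primes)
B = keygen(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    pkt = send(A, B["n"], b"meet at noon")
    sk = recover_sk(B, pkt)
    fake = forge(sk, pkt, b"meet at dawn")
    print("genuine verifies:", verify(A["n"], B["n"], sk, pkt))
    print("B's forgery verifies:", verify(A["n"], B["n"], sk, fake))
```

Both packets pass the same check with the same signature value, which is why a third party shown sk cannot tell which content A actually sent.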
