On 17/04/15 22:35, Ben Laurie wrote:
> It's not a fantasy requirement, it's a standard property of MACs. If
> Alice and Bob share a MAC key and Alice uses it to create a MAC, Bob
> knows that since he didn't create the MAC, Alice must have done. But Bob
> can't prove to Carol that it was Alice rather than Bob who created it.
>
> If Carol knows everything Bob knows, then Carol also knows Alice created
> it. That's my point.

I see, thanks for explaining. Even if Bob shares his private key with Carol, Carol doesn't know whether he shared it with anyone else. So Carol doesn't know whether the MAC was created by Alice or an accomplice of Bob. Bob knows he hasn't shared his private key with anyone else, but he can't prove it.

> I don't believe it is possible for Bob to prove there is no Carol.

Indeed, and it's not possible for Bob to prove there's only one Carol.

> All I'm really saying is the property you can have is something a little
> weaker, as Ximin has expounded on at some length.

I'm not sure how much of Ximin's message applies, as he's talking about ciphertext transcripts whereas I'm talking about plaintext.

Cheers,
Michael
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
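
The MAC property discussed in this thread, as an added example that is not part of the original messages: a tag made with a shared key is byte-identical whoever computes it, so a transcript only narrows the author to the set of key holders, and that set grows each time the key is handed on. HMAC-SHA256 as the MAC and the names `Party`, `possible_authors` and `demo` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


class Party:  # hypothetical helper: a name plus the MAC key that party holds
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def send(self, message: bytes):
        return message, mac_tag(self.key, message)


def possible_authors(transcript, parties):
    """Every party whose key verifies the tag could also have created it."""
    message, tag = transcript
    return sorted(p.name for p in parties if verify(p.key, message, tag))


def demo():
    shared = secrets.token_bytes(32)  # constructed sample key
    alice, bob = Party("Alice", shared), Party("Bob", shared)

    from_alice = alice.send(b"meet at noon")
    made_by_bob = bob.send(b"meet at noon")
    # Nothing in the bytes records who ran the MAC. Bob's certainty that
    # Alice wrote it rests on his own memory of not having done so.
    identical = from_alice == made_by_bob

    outsider = Party("Carol", secrets.token_bytes(32))  # Carol without the key
    before = possible_authors(from_alice, [alice, bob, outsider])

    # Bob hands Carol the shared key: she can now verify the tag, and in
    # doing so becomes one more party who could have produced it.
    carol = Party("Carol", shared)
    after = possible_authors(from_alice, [alice, bob, carol])
    return identical, before, after


if __name__ == "__main__":
    print(demo())
```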
