crypto flaw in secure mail standards

dmolnar dmolnar at
Fri Jun 22 16:08:31 EDT 2001

On Fri, 22 Jun 2001, Jeffrey I. Schiller wrote:

> However, having said all this, Don has a point. There may be a class
> of message where you want to prove that you originated it *only to the
> original sender*.  If he has a way to do that, it sounds like a good
> thing.

One way to do this is called a "designated verifier signature,"
originally AFAIK discussed by Jakobsson, Impagliazzo, and Sako. Rivest
has a paper up on his web page right now giving a particularly nice way of
implementing it by means of "ring signatures." In a ring signature, you
can determine that the message was signed by a member of a set S, but
not who exactly that member is.

So Alice signs document D as being from the set {Alice, Bob} and sends it
to Bob. Now Bob knows he didn't write D, so he believes it's from Alice.
If he passes D along to Charlene, she can't determine whether Alice
wrote D or Bob came up with it himself.

In fact, IIRC, the paper suggests the sorts of scenarios discussed in this
thread explicitly as the motivation for this use of ring signatures. The
paper then goes on to argue for the practicality of implementing ring sigs
in mail clients.


The Cryptography Mailing List
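
The {Alice, Bob} scenario from the message above as runnable Python, added here as an illustration; it is not part of the original message or of the paper it mentions. It uses a Schnorr-style ring construction (Abe, Ohkubo and Suzuki) over a constructed toy group that is far too small to be secure, and every function name and parameter is an assumption of this example.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small to be
# secure: P = 2*Q + 1 with P, Q prime, and G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private exponent in [1, Q-1]
    return x, pow(G, x, P)                    # (private, public)

def challenge(msg, ring, commitment):
    # Hash binds the message, the whole ring and the per-member commitment.
    data = repr((msg, tuple(ring), commitment)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ring_sign(msg, ring, j, x):
    """Sign msg as 'some member of ring'; the signer holds key x for ring[j]."""
    n = len(ring)
    e, s = [0] * n, [0] * n
    k = secrets.randbelow(Q - 1) + 1
    i = (j + 1) % n
    e[i] = challenge(msg, ring, pow(G, k, P))
    while i != j:
        # Non-signers: pick a random response, derive the next challenge.
        s[i] = secrets.randbelow(Q)
        r = pow(G, s[i], P) * pow(ring[i], e[i], P) % P
        i = (i + 1) % n
        e[i] = challenge(msg, ring, r)
    # Only the real private key can close the ring at position j.
    s[j] = (k - e[j] * x) % Q
    return e[0], s

def ring_verify(msg, ring, sig):
    e0, s = sig
    if len(s) != len(ring):
        return False
    e = e0
    for y, si in zip(ring, s):
        e = challenge(msg, ring, pow(G, si, P) * pow(y, e, P) % P)
    return e == e0                            # the chain must return to its start

def demo():
    (a_priv, a_pub), (b_priv, b_pub) = keygen(), keygen()
    ring, doc = [a_pub, b_pub], b"document D"
    from_alice = ring_sign(doc, ring, 0, a_priv)
    from_bob = ring_sign(doc, ring, 1, b_priv)
    return (ring_verify(doc, ring, from_alice), ring_verify(doc, ring, from_bob),
            ring_verify(b"document D'", ring, from_alice))
```

`demo()` signs the same document once with Alice's key and once with Bob's: both signatures have the same shape and verify against the ring {Alice, Bob}, which is why a third party shown the document cannot tell which of the two produced it, while the altered document is rejected.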