Public key encrypt-then-sign or sign-then-encrypt?

Anne & Lynn Wheeler lynn at garlic.com
Wed Apr 25 19:26:28 EDT 2007


Mads Rasmussen wrote:
> 
> Hugo Krawczyk [1] showed in the symmetric key setting that the 
> encrypt-then-authenticate was the way to go about securing the integrity 
> of an encrypted message.
> 
> What about the public key setting?
> 
> Jee Hea An, Yevgeniy Dodis and Tal Rabin claims that the order doesn't 
> matter [2]. Encrypt-then-sign or sign-then-encrypt is equally secure.
> Is this really true? My feeling was that the principle from Krawczyk's 
> paper should apply to the public key setting as well.

the discussion in this thread was about potentially long-lived document contents
carrying digital signature for authentication and integrity. this is a more
of a business issue than a traditional security/confidentiality issue
http://www.garlic.com/~lynn/2007h.html#15 asymmetric cryptography + digital signature
http://www.garlic.com/~lynn/2007h.html#21 asymmetric cryptography + digital signature

the contents plus digital signature might be encrypted for transmission purposes
(or other confidentiality reasons). 

one might contend that if the document has to always be kept encrypted
... for confidentiality reasons ... then it might be useful to apply
the digital signature to the encrypted version.

however, if it is a long-term electronic document normally processed in
clear-text ... then clear-text digital signature can be used for check of
integrity and authentication (of the document contents) and it may only 
rarely or never require encryption for confidentiality

part of this is that in the symmetric key example ... encryption can be viewed
as doing double duty for confidentiality and integrity .... with authentication 
a separate item. in the asymmetric key scenario, the digital signature is doing 
double duty for integrity and authentication ... with (encryption) confidentiality 
a separate operation ... in which, also using encryption for integrity can be viewed 
as redundant.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list