Public key encrypt-then-sign or sign-then-encrypt?

Travis H. travis+ml-cryptography at subspacefield.org
Wed May 9 18:22:02 EDT 2007


On Thu, May 03, 2007 at 07:57:18PM +1000, James A. Donald wrote:
> Assume Ann's secret key is a, and her public key is A = G^a mod P
> 
> Assume Bob's secret key is b, and his public key is B = G^b mod P
> 
> Bob wants to send Ann a message.
> 
> Bob generates a secret random number x, and sends Ann X = G^x mod P
> 
> Ann responds with Y = G^y mod P, where y is another secret random number.
> 
> Ann calculates [(B*X)^(a+y)] mod P

This appears to simplify to:

(G^b * G^x)^(a+y) = (G^(b+x))^(a+y) = G^((b+x)(a+y))

Right?

This doesn't appear to be anything like the latest rev of the OTR protocol:

http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html

Apparently the key exchange is now a variant of the SIGMA protocol,
and relies upon the implementation to disclose MAC keys automagically
as the related session keys are destroyed/expired.

Apparently this fixes an identity-binding flaw:

http://lists.cypherpunks.ca/pipermail/otr-users/2005-July/000316.html

And this illustrates a subtlety:

> For example, if Bob thinks he's talking to Mallory, he may tell her
> something in confidence he would not want Alice to hear.  Note that
> although Mallory could relate this confidential information to Alice
> herself, in the attack scenario Alice has assurance that the
> message came from Bob rather than having to take Mallory's word for it.

Contrast this to sign-then-encrypt, where Mallory could decrypt, then
forward to Alice.  Compare with encrypt-then-sign.

But it brings up an interesting point; that when a party relays a
piece of data it may not be equivalent to receiving it directly; that
is, authenticity may not be transitive.

Put another way, maybe it's not the information that matters, but who
says it.  The New York Times may say that someone did XYZ, but that's
not entirely the same as the person admitting it under oath.  In
international politics, many believe that admitting to having
performed some provocative action can be more provocative than
actually the action itself, even if everyone already knows who is
responsible.  If you believe this, I suppose the official lie can be
said to serve the interest of both sides, as the government receiving
the provocation can allow the story to go unchallenged, and probably
not be forced into taking an overt retaliatory action.  Thus it
preserves their options, and avoids forcing them into what could be a
disastrous confrontation.  If they are too weak to confront the
provocateur, they aren't likely to shout this from the rooftops.

-- 
Kill dash nine, and it's no more CPU time, kill dash nine, and that
process is mine. -><- <URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email john at subspacefield.org.
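As an added illustration of the forwarding asymmetry discussed in the message above (not part of the original post or of OTR): a toy in Python that runs Bob -> Mallory under both orderings and then lets Mallory pass the result on to Alice. It uses textbook RSA with no padding and with the hash reduced modulo n, which is not a secure construction; the Mersenne-prime key material, the three key pairs and the message are all constructed for the example, and the function and field names are the example's own.

```python
"""Sign-then-encrypt vs encrypt-then-sign: who can be convinced of what.
Textbook RSA, no padding: a TOY, only good enough to show the ordering semantics."""
import hashlib

E = 65537  # public exponent, coprime to every phi below


def keygen(p, q):
    """RSA key pair from two primes (constructed toy values; returns n, e, d)."""
    phi = (p - 1) * (q - 1)
    return {"n": p * q, "e": E, "d": pow(E, -1, phi)}


def encrypt(pub, x: int) -> int:      # caller guarantees 0 <= x < pub["n"]
    return pow(x, pub["e"], pub["n"])


def decrypt(priv, c: int) -> int:
    return pow(c, priv["d"], priv["n"])


def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])


def i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


# --- the two orderings ----------------------------------------------------
def sign_then_encrypt(sender, recipient_pub, msg: bytes):
    """Bob signs the plaintext, then encrypts plaintext and signature to the recipient."""
    sig = sign(sender, msg)
    return encrypt(recipient_pub, int.from_bytes(msg, "big")), encrypt(recipient_pub, sig)


def open_ste(recipient, sender_pub, c_msg, c_sig):
    msg, sig = i2b(decrypt(recipient, c_msg)), decrypt(recipient, c_sig)
    return msg, sig, verify(sender_pub, msg, sig)


def encrypt_then_sign(sender, recipient_pub, msg: bytes):
    """Bob encrypts to the recipient, then signs the ciphertext."""
    c = encrypt(recipient_pub, int.from_bytes(msg, "big"))
    return c, sign(sender, i2b(c))


def open_ets(recipient, sender_pub, c, sig):
    return i2b(decrypt(recipient, c)), verify(sender_pub, i2b(c), sig)


def run():
    """Bob -> Mallory under both orderings, then Mallory forwards to Alice."""
    bob = keygen(2**61 - 1, 2**89 - 1)          # n_B ~ 2^150
    mallory = keygen(2**521 - 1, 2**607 - 1)    # n_M ~ 2^1128
    alice = keygen(2**107 - 1, 2**127 - 1)      # n_A ~ 2^234
    msg = b"I'll be late; cover for me."        # constructed; 216 bits, below every modulus
    out = {}

    # 1. sign-then-encrypt: Mallory strips her encryption layer and re-wraps
    #    Bob's still-valid signature for Alice.
    c_msg, c_sig = sign_then_encrypt(bob, mallory, msg)
    m_msg, sig, m_ok = open_ste(mallory, bob, c_msg, c_sig)
    out["ste_mallory_reads"] = m_msg == msg and m_ok
    fwd = encrypt(alice, int.from_bytes(m_msg, "big")), encrypt(alice, sig)
    a_msg, _, a_ok = open_ste(alice, bob, *fwd)
    out["ste_alice_accepts_as_bob"] = a_msg == msg and a_ok     # Alice holds Bob's own signature

    # 2. encrypt-then-sign: the signature is bound to a ciphertext Alice cannot open.
    c, sig = encrypt_then_sign(bob, mallory, msg)
    m_msg, m_ok = open_ets(mallory, bob, c, sig)
    out["ets_mallory_reads"] = m_msg == msg and m_ok
    a_msg, a_ok = open_ets(alice, bob, c, sig)      # forwarded unchanged
    out["ets_forward_verifies"] = a_ok              # Bob's signature still checks...
    out["ets_forward_readable"] = a_msg == msg      # ...but Alice gets garbage
    c2 = encrypt(alice, int.from_bytes(msg, "big"))  # Mallory re-encrypts the plaintext
    a_msg, a_ok = open_ets(alice, bob, c2, sig)
    out["ets_reencrypt_readable"] = a_msg == msg    # readable now...
    out["ets_reencrypt_verifies"] = a_ok            # ...but Bob never signed this ciphertext
    return out


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
```

The point the toy makes concrete is the one in the message: under sign-then-encrypt Alice ends up with Bob's signature on words Bob only ever said to Mallory, whereas under encrypt-then-sign Mallory can give Alice either the plaintext or Bob's signature, but not both on the same data. Encrypt-then-sign has the mirror-image problem, though: a signature over a ciphertext can be stripped and replaced with Mallory's own, so neither naive ordering binds sender to intended recipient by itself; the standard repair is to include the recipient's identity under the signature, or the sender's identity under the encryption.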