Public key encrypt-then-sign or sign-then-encrypt?

Hal Finney hal at finney.org
Tue May 15 18:00:52 EDT 2007


James A. Donald writes:
> The flaw in the protocol that you point out is that
> Carol can allow Alice to use her public key without
> having to reveal the public key to Alice, so that Alice
> can pretend to be Carol.  Thus the flaw is that with
> prearrangement, Carol may prove to one other person, but
> to no one else, that Bob is saying such and such to
> Carol, provided she knows in advance that Bob is going to say it.
...
> Is there any way to fix this without introducing an
> additional exponentiation?  Perhaps by introducing an
> additional multiplication? It does not seem worth while
> introducing an additional public key operation, for such
> a low value attack.

In theory there is no way to prevent this, because Carol can always do
whatever she needs to do to decrypt using her secrets, and then prove
in zero knowledge to Alice that she did it correctly.  As long as Alice
sees via physical surveillance that the packets come from Bob, Carol
can convince her of what is inside of them.

In practice a full ZK proof is often not needed, as in the example you
give of defeating sign-then-encrypt in a hybrid encryption scheme.
Note that it is easy to prove that an RSA or ElGamal/DH decryption
is valid even without revealing your long term secret keys.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
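The last point in the message above, that a recipient can demonstrate that an ElGamal/DH decryption is correct without ever disclosing the long-term secret key, is the standard Chaum-Pedersen proof of discrete-log equality. The block below is an added illustration, not code from Hal Finney or from the list archive: Carol decrypts a ciphertext (c1, c2) under her long-term key x, publishes the shared secret s = c1^x, and proves that log_g(y) = log_c1(s) using a Fiat-Shamir challenge. Alice then recovers the plaintext from s herself. The group parameters are a constructed toy safe-prime group, far too small for real use, and every function name here is this example's own.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 is a quadratic
# residue, so it generates the order-q subgroup. Example parameters only.
P = 2039
Q = 1019
G = 4


def keygen():
    """Carol's long-term ElGamal key: secret x, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, m):
    """Bob encrypts m (an element of the subgroup) to Carol's public key y."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (m * pow(y, k, P)) % P


def decrypt(x, c1, c2):
    """Carol's decryption: shared secret s = c1^x mod p, then m = c2 / s."""
    s = pow(c1, x, P)
    m = (c2 * pow(s, -1, P)) % P
    return s, m


def fiat_shamir_challenge(*elements):
    """Non-interactive challenge bound to every value the verifier sees."""
    h = hashlib.sha256(",".join(str(e) for e in elements).encode()).digest()
    return int.from_bytes(h, "big") % Q


def prove_decryption(x, y, c1, s):
    """Chaum-Pedersen proof that log_g(y) == log_c1(s): the same x that
    sits behind Carol's public key y was used to derive s. x is never sent."""
    r = secrets.randbelow(Q - 1) + 1
    t1 = pow(G, r, P)
    t2 = pow(c1, r, P)
    e = fiat_shamir_challenge(G, y, c1, s, t1, t2)
    z = (r + e * x) % Q
    return t1, t2, z


def verify_decryption(y, c1, c2, s, m, proof):
    """Alice checks both DLEQ equations, then re-derives m from s on her own.
    Nothing here requires Carol's secret key."""
    t1, t2, z = proof
    e = fiat_shamir_challenge(G, y, c1, s, t1, t2)
    if pow(G, z, P) != (t1 * pow(y, e, P)) % P:
        return False
    if pow(c1, z, P) != (t2 * pow(s, e, P)) % P:
        return False
    return m == (c2 * pow(s, -1, P)) % P


def demo():
    """Honest run verifies; a shared secret derived under a different exponent
    fails the equality check even though its proof is otherwise well-formed."""
    x, y = keygen()
    m = pow(G, 777, P)  # message encoded as a subgroup element
    c1, c2 = encrypt(y, m)
    s, m_dec = decrypt(x, c1, c2)
    honest = verify_decryption(y, c1, c2, s, m_dec, prove_decryption(x, y, c1, s))

    bad_s = pow(c1, x + 1, P)  # wrong exponent: not consistent with y
    bad_m = (c2 * pow(bad_s, -1, P)) % P
    forged = verify_decryption(y, c1, c2, bad_s, bad_m, prove_decryption(x + 1, y, c1, bad_s))
    return honest, forged, m_dec == m


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The verifier learns s and the plaintext but nothing about x beyond what y already reveals, which is exactly why the "in theory there is no way to prevent this" remark holds: a sign-then-encrypt or encrypt-then-sign design cannot rely on the recipient being unable to convince a third party of what a ciphertext contained. For RSA the analogous check is even simpler, since the verifier can confirm a claimed plaintext directly against the public exponent.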
