[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Natanael natanael.l at gmail.com
Tue Jan 21 18:48:52 EST 2014


On 22 Jan 2014 00:32, "Jerry Leichter" <leichter at lrw.com> wrote:
>
> On Jan 21, 2014, at 5:13 PM, Tony Arcieri wrote:
> > I am distinguishing MACs from "signatures", as at least in my
> > nomenclature digital signature systems are an inherently pubkey system.
> MACs and digital signature systems are different in a more fundamental
> way:  With a signature system, Bob can prove to anyone that a message was
> signed by Alice without himself being able to produce messages with Alice's
> signature on them.  With a MAC, Bob has everything needed to produce
> messages "MAC'ed" by Alice.  But that's fine, because the entire purpose of
> a MAC is for Bob to be able to prove *to himself* that Alice produced a
> message.  There's not much point in him forging a message and then proving
> to himself that he forged it!
>
> While this certainly has a flavor similar to the symmetric/asymmetric
> system distinction, it's not quite the same thing.  DSA does signatures,
> but doesn't in and of itself provide an asymmetric encryption system.  And
> while it's much less convenient and requires a trusted third party, you can
> construct a signature-like system using only symmetric primitives:  The
> trusted third party holds the actual MAC key and will apply it for message
> creation only for Alice, but for anyone for message verification.  (Alice's
> messages to the trusted third party are MAC'ed using a key known only to
> the two of them; the TTP can forge messages from Alice, but we assume that
> away because it's *trusted*.  Similarly the TTP shares a unique key with
> anyone who might want a signature verification done.  Bob still can't prove
> to anyone else that the message was from Alice - but he can point anyone at
> the TTP to do it for him.)

You can do signatures directly with symmetric primitives like hashes.

See Lamport signatures (commit to 2*[signature hash bitlength] hashes that
are numbered, reveal one per pair chosen depending on whether the
corresponding signature hash bits are 1 or 0) and the Fawkes signature
scheme (commit to a codeword and timestamp it, commit to a message that also
reveals the codeword & timestamp, and optionally commits to a new codeword,
then reveal that message.)

- Sent from my phone
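The Lamport construction Natanael sketches above, written out as runnable Python so the "commit to 2 x bitlength hashes, reveal one per pair" description can be checked against working code. This is an added example, not code from the thread, from PGP or from any library; it assumes SHA-256 as the hash, 32-byte random preimages, constructed messages for the key-reuse demonstration, and function names (`keygen`, `sign`, `verify`, `collect_revealed`, `exposed_positions`, `forge`, `forge_after_reuse`) that are mine, not from any standard. It also shows the caveat the one-line description leaves implicit: every signature publishes half of the secret key, so a key used for more than one message is progressively exposed, and once both preimages of every pair are public an observer can sign anything.

```python
# Lamport one-time signature over SHA-256: a signature scheme built only from a
# hash function. Added example, not code from the thread or any PGP implementation.
import hashlib
import secrets

HASH = hashlib.sha256
N_BITS = HASH().digest_size * 8   # 256: one preimage pair per digest bit
SECRET_LEN = 32                   # bytes per secret preimage (assumed)


def _bits(digest: bytes):
    """Yield the bits of a digest, most significant bit of each byte first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def keygen():
    """Secret key: 256 pairs of random preimages (s_i0, s_i1).
    Public key: the 512 committed hashes H(s_i0), H(s_i1), in order."""
    sk = [(secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN))
          for _ in range(N_BITS)]
    pk = [(HASH(s0).digest(), HASH(s1).digest()) for s0, s1 in sk]
    return sk, pk


def sign(sk, message: bytes):
    """For bit i of H(message), reveal s_i0 if the bit is 0, s_i1 if it is 1."""
    return [sk[i][bit] for i, bit in enumerate(_bits(HASH(message).digest()))]


def verify(pk, message: bytes, signature) -> bool:
    """Hash each revealed preimage and compare it with the committed value
    selected by the corresponding bit of H(message)."""
    if len(signature) != N_BITS:
        return False
    return all(HASH(signature[i]).digest() == pk[i][bit]
               for i, bit in enumerate(_bits(HASH(message).digest())))


# --- why "one-time": every signature leaks half of the secret key ---

def collect_revealed(pairs):
    """From (message, signature) pairs seen on the wire, rebuild what an
    observer now knows: revealed[i][bit] -> preimage for that bit value."""
    revealed = [dict() for _ in range(N_BITS)]
    for message, signature in pairs:
        for i, bit in enumerate(_bits(HASH(message).digest())):
            revealed[i][bit] = signature[i]
    return revealed


def exposed_positions(revealed) -> int:
    """Number of bit positions for which BOTH preimages are now public.
    After k signatures under one key, each position is fully exposed with
    probability 1 - 2^(1-k); one signature exposes none."""
    return sum(1 for r in revealed if len(r) == 2)


def forge(revealed, message: bytes):
    """Assemble a signature on a message the key holder never signed, using
    only leaked preimages; None if some needed preimage is still secret."""
    sig = []
    for i, bit in enumerate(_bits(HASH(message).digest())):
        if bit not in revealed[i]:
            return None
        sig.append(revealed[i][bit])
    return sig


def forge_after_reuse(max_signatures: int = 256) -> bool:
    """Sign constructed messages under ONE key until every position is
    exposed, then forge a signature that the genuine public key accepts."""
    sk, pk = keygen()
    target = b"never signed by the key holder"   # constructed target message
    pairs = []
    for n in range(max_signatures):
        m = b"constructed message %d" % n
        pairs.append((m, sign(sk, m)))
        revealed = collect_revealed(pairs)
        if exposed_positions(revealed) == N_BITS:
            forged = forge(revealed, target)
            return forged is not None and verify(pk, target, forged)
    return False


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"hello")
    print("valid:", verify(pk, b"hello", sig))          # True
    print("tampered:", verify(pk, b"hellp", sig))       # False
    print("forged after reuse:", forge_after_reuse())   # True
```

Note the cost that the thread's one-line description hides: a public key is 512 hashes (16 KiB with SHA-256) and a signature is 256 preimages (8 KiB), and the key is good for exactly one message, which is why hash-based schemes in practice (Merkle trees over many Lamport or Winternitz keys) exist to amortise those numbers.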