quasi-deniable signing
John Kane <jkane89@softhome.net> Sat, 13 April 2002 20:19 UTC
Message-ID: <3CB847D5.5065E309@softhome.net>
Date: Sat, 13 Apr 2002 10:59:33 -0400
From: John Kane <jkane89@softhome.net>
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: quasi-deniable signing
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Think of the MAC scheme as one example of a 'volatile' sig. It might be a little easier to follow in this variant:

Suppose someone anonymously publishes

    symmetric_encrypt( K, msg )                  [K is a session key]
    encrypt_Bob( sign_Alice( encrypt_Bob(K) ))

Then Bob 'knows' that only he and Alice initially have K, and since K decrypts the message, Alice is the only one who could have encrypted it.

Bob can disclose 'msg' to others, and can disclose K to demonstrate that he was a recipient of the anonymously-posted message, but that's it. Unless Bob reveals his private decryption key, he can't prove that Alice had any knowledge of K, or of 'msg'. Even if he does that, he can only show Alice sent him K, and it might have been Bob himself who 'forged' sym(K,msg).

The essence of this scheme is that Alice never signs anything derived from the message content, and only authenticates a shared secret. Anyone can generate sym(K,msg), and the signature is not bound to the message.

(Alice can't send a message with sign_Alice(encrypt_EVE(K)) and sign_Alice(encrypt_Bob(K)) safely, because it allows Eve to forge sym( K, msg-2 ), intercept Bob's copy of the message, and impersonate Alice. This scheme's not appropriate for general multiple-recipient situations.)

** ** **

In the other 1-of-N "how to leak a secret" scheme, Alice needs N-1 other people's public keys to *generate* the signature, but the resulting signature is public and can be verified at any time by any person who knows the N public keys. Applying the N public keys to the N-part signature gives the hash of the message, so the signature is bound to the message in the normal non-volatile way.

Call me silly, but I don't think the OpenPGP protocol really needs either of these modes as part of the standard.
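As an added example (not from John Kane's message or from any OpenPGP implementation), the toy model below walks through the volatile scheme: textbook RSA over constructed tiny primes stands in for encrypt_Bob/sign_Alice, a SHA-256 keystream XOR stands in for symmetric_encrypt, and K_env is an assumed envelope key for the outer encrypt_Bob. It shows what Bob can actually check, and that the same signed token validates any sym(K, msg') once K is known, which is the non-binding property the post describes.

```python
import hashlib

# Toy textbook RSA (constructed tiny primes, no padding): stands in for the
# post's encrypt_X / sign_X. Illustration only, not usable for real traffic.
def toy_keypair(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

BOB = toy_keypair(1000003, 1000033)     # constructed primes just above 10**6
ALICE = toy_keypair(1000037, 1000039)   # n_alice > n_bob, so enc_Bob(K) is signable

def rsa_enc(key, m):  return pow(m, key["e"], key["n"])
def rsa_dec(key, c):  return pow(c, key["d"], key["n"])
def rsa_sign(key, m): return pow(m, key["d"], key["n"])
def rsa_verify(key, m, sig): return pow(sig, key["e"], key["n"]) == m

def sym(K, data):
    """symmetric_encrypt / decrypt: XOR with a SHA-256 keystream (toy, no integrity)."""
    ks = b"".join(hashlib.sha256(K.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def envelope(key, payload, K_env):
    """Outer encrypt_X(payload) as a toy hybrid envelope: RSA-wrapped K_env + sym body."""
    return rsa_enc(key, K_env), sym(K_env, payload)

def open_envelope(key, env):
    c_env, body = env
    return sym(rsa_dec(key, c_env), body)

def alice_publish(msg, K, K_env):
    """What Alice posts anonymously: sym(K, msg) and enc_Bob(sign_Alice(enc_Bob(K)))."""
    enc_k = rsa_enc(BOB, K)                  # only Bob can recover K from this
    sig = rsa_sign(ALICE, enc_k)             # Alice signs the wrapped key, never msg
    packet = enc_k.to_bytes(8, "big") + sig.to_bytes(8, "big")
    return sym(K, msg), envelope(BOB, packet, K_env)

def bob_receive(ct, token):
    """Bob opens the envelope, checks Alice's signature on enc_Bob(K), decrypts msg."""
    packet = open_envelope(BOB, token)
    enc_k, sig = int.from_bytes(packet[:8], "big"), int.from_bytes(packet[8:], "big")
    ok = rsa_verify(ALICE, enc_k, sig)       # all Bob learns: Alice vouched for this K
    K = rsa_dec(BOB, enc_k)
    return ok, K, sym(K, ct)

def signature_depends_on_msg(msg_a, msg_b, K, K_env):
    """The post's 'volatility' claim: the signed token is identical for any msg."""
    return alice_publish(msg_a, K, K_env)[1] != alice_publish(msg_b, K, K_env)[1]
```

Feeding bob_receive a fresh sym(K, msg') with the original token still verifies, which is why disclosing K and msg lets Bob prove receipt but not authorship of the content.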