Re: Recipient-verifiable messages

Jon Callas <jon@callas.org> Fri, 12 April 2002 00:47 UTC

Message-Id: <p0510153fb8dbd86e1539@[192.168.1.97]>
In-Reply-To: <200204120005.g3C05VL13758@stingray.missi.ncsc.mil>
References: <200204111545.g3BFjdw11622@finney.org> <p0510153cb8dbc0a982fc@[192.168.1.97]> <200204120005.g3C05VL13758@stingray.missi.ncsc.mil>
Date: Thu, 11 Apr 2002 17:29:42 -0700
To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
From: Jon Callas <jon@callas.org>
Subject: Re: Recipient-verifiable messages
Cc: ietf-openpgp@imc.org
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>

At 8:06 PM -0400 4/11/02, David P. Kemp wrote:

>What is the difference between a "recipient-verifiable signature" and
>a MAC?
>
>One of the properties of a digital signature mechanism is that it
>is computationally infeasible for any entity other than the signer
>to find, for any message, a signature value that is valid for that
>message.  [HAC, p.23]
>
>Thus it would seem that a "signature" that can't be bound later
>to the signer is an oxymoron.  Why not just call it an authentication
>code, where it is accepted that anyone who can verify a MAC has
>the information necessary to create it.

The obvious difference is this:

If the shared secret (shared by, say, Alice and Bob) used to generate a MAC
is leaked -- suppose Charlie learns it -- then anyone, Alice, Bob, or
Charlie, can rewrite the MAC undetectably.

On the other hand, if Alice generates one of these signatures and sends it
to Bob, a third party, Teresa, can verify the signature but:

 * cannot create one of her own and
 * cannot tell from the signature itself whether Alice or Bob made it.

I'm not sure how useful it is in the real world, but it's a fascinating thing.

I could sign a message to this list combining a dozen keys and thus create
a presumption that I made it without explicit demonstration of it.

	Jon
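
The Alice/Bob/Teresa property described in the message above, as an added example that is not part of the original post and not the scheme proposed in the thread: it assumes a Schnorr-style ring signature (the Abe-Ohkubo-Suzuki construction) as a stand-in. The names `keygen`, `ring_sign` and `ring_verify` and the toy group parameters are constructed for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example (far too small for real use):
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # private exponent in [1, Q-1]
    return x, pow(G, x, P)                     # (private, public)

def _challenge(msg, ring, commitment):
    # The hash binds the message, every public key in the ring, and the commitment.
    ring_id = ",".join(map(str, ring)).encode()
    data = msg + b"|" + ring_id + b"|" + str(commitment).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ring_sign(msg, ring, signer_idx, x):
    n = len(ring)
    c, s = [0] * n, [0] * n
    k = secrets.randbelow(Q - 1) + 1
    i = (signer_idx + 1) % n
    c[i] = _challenge(msg, ring, pow(G, k, P))
    # Walk the ring, simulating each non-signer with a random response.
    while i != signer_idx:
        s[i] = secrets.randbelow(Q)
        commit = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        i = (i + 1) % n
        c[i] = _challenge(msg, ring, commit)
    # Only a holder of one ring member's private key can close the ring.
    s[signer_idx] = (k - c[signer_idx] * x) % Q
    return c[0], s                             # same shape whoever signed

def ring_verify(msg, ring, sig):
    # Teresa needs only public keys: recompute the chain and check it closes.
    c0, s = sig
    c = c0
    for y, s_i in zip(ring, s):
        c = _challenge(msg, ring, pow(G, s_i, P) * pow(y, c, P) % P)
    return c == c0
```

A signature made with Alice's key and one made with Bob's key both verify against the ring `[alice_pub, bob_pub]`, and nothing in `(c0, s)` marks the signer's position, unlike a MAC, where every verifier holds the key needed to produce the tag.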