Hal Finney writes:
The plaintext would be followed by a SHA-1 hash of the plaintext data.
I have an unconditionally secure MAC that's much faster than SHA-1---in
fact, even faster than MD5. The alpha implementation is available from
Please send any comments or questions to the hash127 mailing list. To
subscribe, send an empty message to
many people don't like to sign their messages for legal reasons,
Why? Because signatures can't be repudiated?
One easy solution, under the original Diffie-Hellman system, is to use a
MAC as above, where the MAC key is generated from the Diffie-Hellman
shared secret. The receiver can generate new MACs under the same key, so
he can't prove to a judge that a message came from you.
(There are similar solutions using RSA, but Diffie-Hellman is faster.)