----- Original Message -----
From: "Hal Finney" <hal(_at_)finney(_dot_)org>
To: <ietf-openpgp(_at_)imc(_dot_)org>
Sent: Thursday, April 11, 2002 11:45 AM
Subject: Recipient-verifiable messages, was: forwarding an encrypted PGP
message is useless
...
I proposed a different method, which basic idea is expressed in a paper
by Rivest, Shamir and Tauman, "How to Leak a Secret", available from
http://theory.lcs.mit.edu:80/~rivest/publications.html. This paper shows
how to produce a signature which can be verified to be from a specific
list of keys, but you can't tell which key on the list made the signature.
It is very simple and efficient for RSA keys. I think extensions are
possible for discrete log keys, but the paper doesn't cover that.
For the recipient-verifiable signature, Alice would create one of these
multiple-signer signatures based on exactly two keys, Bob's and hers.
Anyone can verify that the resulting message has been signed by Alice or
Bob, but there is no way to tell which. Alice then sends the message
to Bob. He knows that he didn't sign it, so it must have been Alice.
But if he shows it to someone else, all they can see is that either
Bob or Alice signed it, so Bob could have created a signature like this
for any message he wanted. Again there is no way for Bob to show the
message convincingly to a third party, and Alice is protected.
...
Unfortunately I think that adding a new flavor of signature would tend
to create confusion among users who at best barely understand public
key cryptography. The new kind of signature would have very different
security properties and usage scenarios, so it would add additional
complexity for people to deal with.
...
no new signature type is needed.
this can be done now with a split key setup, for either an RSA or DH key:
Alice or Bob produces a new key 'Alice&Bob'
the share is set for 1, and the 'Alice&Bob' key is split with a share to
Alice's key, and a share to Bob's key,
either Alice or Bob can now sign with the 'Alice&Bob' key, without anyone
being able to detect whether it was Alice or Bob,
and it will verify as a good signature from the 'Alice&Bob' key.
the 'Alice&Bob' split key can be imported into gnupg and the signatures
verified,
but gnupg cannot (yet) rejoin, sign or decrypt with a split shared system
if this is worthwhile/necessary, perhaps it could be considered for addition
to the gnupg system.
hth,
vedaal