At 8:06 PM -0400 4/11/02, David P. Kemp wrote:
What is the difference between a "recipient-verifiable signature" and
One of the properties of a digital signature mechanism is that it
is computationally infeasible for any entity other than the signer
to find, for any message, a signature value that is valid for that
message. [HAC, p.23]
Thus it would seem that a "signature" that can't be bound later
to the signer is an oxymoron. Why not just call it an authentication
code, where it is accepted that anyone who can verify a MAC has
the information necessary to create it.
The obvious difference is this:
If the shared secret (shared by, say, Alice and Bob) used to generate a MAC
is leaked -- suppose Charlie learns it -- then anyone, Alice, Bob, or
Charlie can rewrite the MAC undetectably.
On the other hand if Alice generates one of these signatures and sends it
to Bob, a third party, Teresa can verify the signature but:
* not be able to create one of her own and
* cannot tell from the signature itself whether Alice or Bob made it.
I'm not sure how useful it is in the real world, but it's a fascinating thing.
I could sign a message to this list combining a dozen keys and thus create
a presumption that I made it without explicit demonstration of it.