Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless

2002-05-26 08:35:07

Hal Finney <hal(_at_)finney(_dot_)org>:
Adam Back writes:

What we proposed is related.  Rather
than the normal encrypted signed message:

     Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(msg)), msg)

we proposed:

     Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg)

with the additional restriction that the encryption mode should be one
of the MDC modes (i.e. appended MAC with K outside encryption, or
appended hash of msg inside encryption).

To break that down: we hash Bob's public key so that Bob can't turn
around and forge an arbitrary message from Alice to Charlie using
signed K.  What Bob is left with is proof that Alice sent him a
message, but no evidence of what the message body was.

I see, that seems to work well too.  [...]

Does it?  If Bob is willing to reveal K and additional data such as
padding used for RSA encryption, can't everyone verify that this is
indeed a valid signature by Alice on 'msg'?

Bodo Möller
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
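A toy model of the construction under discussion, added here as an example and not code from any of the posters. It uses textbook RSA with tiny constructed parameters for Alice's signature, a hash-based stream cipher with an appended HMAC under K as the "MDC mode", and leaves Encrypt_Bob(K) out entirely (K is simply handed over); the key constants and the check_message helper are assumptions made for the illustration. Run as a script it shows Adam's point (Bob cannot re-target the signed K to Charlie) and Bodo's point (anyone handed K can verify both the signature and the body).

```python
import hashlib
import hmac
import os

# Toy RSA signature key for Alice (constructed, tiny and insecure; p=61, q=53).
ALICE_N, ALICE_E, ALICE_D = 3233, 17, 2753
# Placeholder encodings of the recipients' public keys (constructed).
BOB_PK, CHARLIE_PK = b"bob-public-key", b"charlie-public-key"

def h_mod_n(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ALICE_N

def sign_alice(data: bytes) -> int:            # Sign_Alice(Hash(data))
    return pow(h_mod_n(data), ALICE_D, ALICE_N)

def verify_alice(data: bytes, sig: int) -> bool:
    return pow(sig, ALICE_E, ALICE_N) == h_mod_n(data)

def keystream(K: bytes, length: int) -> bytes:
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(K + i.to_bytes(4, "big")).digest()
    return out[:length]

def sym_encrypt(K: bytes, plaintext: bytes) -> bytes:
    # "MDC mode": ciphertext followed by a MAC under K (appended MAC, K outside encryption).
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(K, len(plaintext))))
    return ct + hmac.new(K, ct, hashlib.sha256).digest()

def sym_decrypt(K: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(K, ct, hashlib.sha256).digest()):
        return None                                  # MAC failure: body not bound to K
    return bytes(a ^ b for a, b in zip(ct, keystream(K, len(ct))))

def alice_send(msg: bytes, recipient_pk: bytes):
    # Encrypt_Bob(K) is omitted: K is returned in the clear, as if Bob had already unwrapped it.
    K = os.urandom(16)
    sig = sign_alice(K + recipient_pk)               # Sign_Alice(Hash(K || Bob_PK))
    return K, sym_encrypt(K, sig.to_bytes(2, "big") + msg)

def check_message(K: bytes, blob: bytes, recipient_pk: bytes):
    """What anyone holding K can check; returns (signature_valid, msg), or None if the MAC fails."""
    body = sym_decrypt(K, blob)
    if body is None:
        return None
    sig, msg = int.from_bytes(body[:2], "big"), body[2:]
    return verify_alice(K + recipient_pk, sig), msg

if __name__ == "__main__":
    K, blob = alice_send(b"attack at dawn", BOB_PK)
    print("Bob verifies:", check_message(K, blob, BOB_PK))          # (True, b'attack at dawn')
    print("Re-targeted to Charlie:", check_message(K, blob, CHARLIE_PK))  # (False, ...)
    print("Third party given K:", check_message(K, blob, BOB_PK))   # same as Bob: Bodo's point
```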

