Ben Laurie wrote:
> Hal Finney wrote:
> > This paper doesn't apply to systems like OpenPGP which compose public
> > key signatures with public key encryption. Rather, it investigates the
> > composition of symmetric encryption (e.g. AES) with MAC.
> > ...
> This does not seem to me to be true. OpenPGP uses symmetric encryption
> under the hood, and signs the plaintext rather than the ciphertext. All
> that is needed is an oracle which will say whether the signature is
> correct or not.

Krawczyk's paper is about combining MAC and symmetric encryption.
That's not what OpenPGP does. We don't do MACs.

> Furthermore, OpenPGP does not use CBC, so the security proof from the
> paper doesn't help.

That's true, but the point is that the paper is not about systems like
OpenPGP at all.

Hal Finney
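
Added example, not part of the message above and not code from either poster or from any OpenPGP implementation: two ways of composing symmetric encryption with a MAC, the kind of construction the thread says Krawczyk's paper covers, with a trace of what the receiver does before it can reject a modified message. The cipher is a constructed stand-in (HMAC-SHA256 in counter mode), not AES, and all function names are assumptions of this example; OpenPGP's signature-based construction is not modelled.

```python
import hashlib
import hmac
import os

TAG = 32    # HMAC-SHA256 tag length in bytes
NONCE = 16  # nonce length in bytes (choice made for this example)

def xor_crypt(key, nonce, data):
    # Constructed stand-in for a symmetric cipher: HMAC-SHA256 keystream, not AES.
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def encrypt_then_mac(ek, mk, pt):
    nonce = os.urandom(NONCE)
    body = nonce + xor_crypt(ek, nonce, pt)
    return body + mac(mk, body)  # tag covers nonce and ciphertext

def open_encrypt_then_mac(ek, mk, msg, trace):
    body, tag = msg[:-TAG], msg[-TAG:]
    trace.append("verify")
    if len(msg) < NONCE + TAG or not hmac.compare_digest(tag, mac(mk, body)):
        return None  # rejected before the decryption key is ever used
    trace.append("decrypt")
    return xor_crypt(ek, body[:NONCE], body[NONCE:])

def mac_then_encrypt(ek, mk, pt):
    nonce = os.urandom(NONCE)
    return nonce + xor_crypt(ek, nonce, pt + mac(mk, pt))  # tag covers plaintext

def open_mac_then_encrypt(ek, mk, msg, trace):
    if len(msg) < NONCE + TAG:
        return None
    trace.append("decrypt")  # the tag is inside the ciphertext, so decrypt first
    inner = xor_crypt(ek, msg[:NONCE], msg[NONCE:])
    pt, tag = inner[:-TAG], inner[-TAG:]
    trace.append("verify")
    return pt if hmac.compare_digest(tag, mac(mk, pt)) else None

def flip_bit(msg, index):
    out = bytearray(msg)
    out[index] ^= 1
    return bytes(out)
```

Both receivers reject a message with a flipped bit, but the trace shows that the MAC-then-encrypt receiver has already decrypted modified ciphertext by the time it does so.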