
Thread: Re: Public key encrypt-then-sign or sign-then-encrypt?

2007-05-15 17:00:52
James A. Donald writes:
> The flaw in the protocol that you point out is that
> Carol can allow Alice to use her public key without
> having to reveal the public key to Alice, so that Alice
> can pretend to be Carol.  Thus the flaw is that with
> prearrangement, Carol may prove to one other person, but
> to no one else, that Bob is saying such and such to
> Carol, provided she knows in advance that Bob is going
> to say it.
...
> Is there any way to fix this without introducing an
> additional exponentiation?  Perhaps by introducing an
> additional multiplication? It does not seem worth while
> introducing an additional public key operation, for such
> a low value attack.

In theory there is no way to prevent this, because Carol can always do
whatever she needs to do to decrypt using her secrets, and then prove
in zero knowledge to Alice that she did it correctly.  As long as Alice
sees via physical surveillance that the packets come from Bob, Carol
can convince her of what is inside of them.

In practice a full ZK proof is often not needed, as in the example you
give of defeating sign-then-encrypt in a hybrid encryption scheme.
Note that it is easy to prove that an RSA or ElGamal/DH decryption
is valid even without revealing your long term secret keys.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomo@metzdowd.com
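
The closing remark about proving an ElGamal/DH decryption valid, as an added example that is not part of the original message: it uses a Chaum-Pedersen proof of discrete-log equality made non-interactive with Fiat-Shamir, which is one standard way to do this and not necessarily the construction the author had in mind. The toy group parameters and all function names are assumptions chosen for the illustration.

```python
import hashlib
import secrets

# Toy Schnorr group (assumption, far too small for real use):
# p = 2q + 1 with p and q prime, g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def challenge(*vals):
    """Fiat-Shamir challenge: hash statement and commitments into Z_q."""
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # long-term secret key
    return x, pow(G, x, P)                # (x, y = g^x)

def encrypt(y, m):
    """Textbook ElGamal: returns (c1, c2) = (g^r, m * y^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(y, r, P)) % P

def decrypt_with_proof(x, y, c1, c2):
    """Decrypt and prove log_g(y) == log_c1(d) for d = c1^x, without revealing x."""
    d = pow(c1, x, P)                     # DH value shared with the sender
    m = (c2 * pow(d, -1, P)) % P
    k = secrets.randbelow(Q - 1) + 1      # one-time nonce
    a1, a2 = pow(G, k, P), pow(c1, k, P)  # commitments under both bases
    c = challenge(G, y, c1, d, a1, a2)
    return m, d, (a1, a2, (k + c * x) % Q)

def verify_decryption(y, c1, c2, m, d, proof):
    """Third-party check of a claimed plaintext using public values only."""
    a1, a2, s = proof
    if any(pow(v, Q, P) != 1 for v in (y, c1, d)):
        return False                      # reject values outside the subgroup
    c = challenge(G, y, c1, d, a1, a2)
    ok_key = pow(G, s, P) == (a1 * pow(y, c, P)) % P   # same x as in y = g^x
    ok_dh = pow(c1, s, P) == (a2 * pow(d, c, P)) % P   # and d really is c1^x
    return ok_key and ok_dh and (m * d) % P == c2
```
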
