
repudiable signatures (was Re: Digital Signatures & THE LAW???)





William Geiger <[email protected]> writes:
> Has there been any consideration for the difference between a
> digital signature that is used only for authentication and one that
> is legally binding??
>
> I would hate for these Digital Signature Laws to make every e-mail
> message I sent a legally binding document. :(

Not a complete solution, but one technical fix, if you're sending
e-mail to an individual, rather than a post to a group such as this,
is to use repudiable signatures.

These work by ensuring that the recipient and only the recipient can
forge the signature.  As the recipient can forge the signature it
falls back to his word against yours, which is the situation without
signatures.  However he (the recipient) will be convinced that you
wrote the signed document, or at least as convinced as he is that
someone else hasn't covertly obtained a copy of his private key.

If you're using a repudiable signature, it won't hold up in court, or
at least it shouldn't, if you can get the jury to grok that.

Personally I can't see any reason for individuals not to use
repudiable signatures for email.  Email is generally regarded as
private, and to give someone a signed email allows them to not only
post your email which you may not want, but to undeniably prove that
you wrote it!


Mathematically an easy way to create deniable signatures with RSA is:

Alice sending Bob a signed email.  We want:

	( X ^ A_pub ) xor ( Y ^ B_pub ) = hash( message )

Alice chooses random Y, and computes X:

	X = [ ( Y ^ B_pub ) XOR hash( message ) ] ^ A_pri

Now the repudiable digital signature is X and Y.

To verify the signature the recipient checks that:

	( X ^ A_pub ) XOR ( Y ^ B_pub ) = hash( message )

Repudiation is possible because Bob could also produce that same
signature with knowledge of B_pri, for Bob X is a random number, and Y
is calculated:

	Y = [ ( X ^ A_pub ) XOR hash( message ) ] ^ B_pri

(In practice you would have to store X and Y in random order,
otherwise if the sender always comes first, it's no longer repudiable.
As a result to check the signature you may have to swap X and Y if the
signature fails first time).

Adam
-- 
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
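
The scheme in the message above as a runnable sketch (an added example, not part of the original post or the author's code). The toy Mersenne-prime keys, the hash truncated to 128 bits, the retry loop that keeps the XOR result below the signer's modulus, and all function names are assumptions of this example.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

# Constructed toy keys built from Mersenne primes: trivially factorable, demo only.
A_PUB, A_PRI = keypair(2**89 - 1, 2**107 - 1)
B_PUB, B_PRI = keypair(2**61 - 1, 2**127 - 1)

def h128(msg):
    # Truncated to 128 bits so the hash fits below both toy moduli.
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")

def rsa(value, key):
    n, exponent = key
    return pow(value, exponent, n)

def make_pair(msg, own_pri, other_pub):
    """Build both halves knowing only ONE private key; returns (own, random)."""
    while True:
        rand_half = secrets.randbelow(other_pub[0])
        t = rsa(rand_half, other_pub) ^ h128(msg)
        if t < own_pri[0]:  # retry until t is a valid input for own modulus
            return rsa(t, own_pri), rand_half

def shuffled(x, y):
    # Random order, so position does not reveal which half was computed.
    return (x, y) if secrets.randbits(1) else (y, x)

def sign_as_alice(msg):
    x, y = make_pair(msg, A_PRI, B_PUB)  # Y random, X from A_pri
    return shuffled(x, y)

def forge_as_bob(msg):
    y, x = make_pair(msg, B_PRI, A_PUB)  # X random, Y from B_pri
    return shuffled(x, y)

def verify(msg, sig):
    h = h128(msg)
    return any(x < A_PUB[0] and y < B_PUB[0]
               and rsa(x, A_PUB) ^ rsa(y, B_PUB) == h
               for x, y in (sig, sig[::-1]))  # try both orders
```

Both `sign_as_alice` and `forge_as_bob` yield pairs that pass the same `verify`, which is the property that makes the signature repudiable to anyone other than Bob.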