Re: PGP Lame question



Kristian Gjøsteen wrote:

> vedaal <vedaal@xxxxxxxxx> wrote:
> >is there objective confirmation that Alice signed 'something' ?
>
> I'll try to do the argument in full. Let me reiterate the encryption
> rule:
>
> c0 = (R^e_b mod n_b)^d_a mod n_a
> k1 = h1(R)
> k2 = h2(R)
> c1 = Enc(k1,m)
> c2 = Mac(k2,c1)
>
> c = c0 || c1 || c2 .
>
> The full ciphertext is valid only if the mac tag is valid.

ok

>
> Since R passes through a hash function (which we model as a random
> oracle), anyone who does not know (almost) all the bits of
>
> (c0^e_a mod n_a)^d_b mod n_b
>
> cannot create a valid mac tag.
>
> The (unproven) claim is now that only Bob and Alice can create pairs
> (R,c0) such that c0 = (R^e_b mod n_b)^d_a mod n_a .

ok
i agree, and have always agreed to this above part,

Alice can do it, because she can do ^d_a mod n_a for anything,
and if she chose (R^e_b mod n_b) as one of the 'anythings', then fine

Bob can do it, because he can do ^d_b mod n_b and recover R
and anyone knowing R
can do (R^e_b mod n_b)
as long as they have Bob's public key

>
> If this claim is true, then Alice and Bob are the only people who
> can create valid ciphertexts. Bob can therefore use the following
> argument to prove (to himself) that Alice sent the message:
>
> 1. Since the ciphertext is valid, it must have been
> created by either Alice or me.
>
> 2. I did not create the ciphertext.
>
> 3. Therefore, Alice created the ciphertext.
>
> Note that only Bob believes in the second item. When Bob tries to
> convince Carol that Alice sent him this ciphertext (possibly by
> showing Carol his private key), Carol cannot reach the same conclusion
> because she does not believe in the second item.
>
> (Again, Bob could convince her by some non-cryptographic argument
> that the second item is true, but no cryptographic argument can
> convince Carol of that.)

again, agree to all the above

i am questioning a *different* aspect,
not :
' did Bob create it, or did Alice create it ?'
(which i agree remains unknown to anyone but Bob and Alice)

but rather :
'could Bob have created this without having something signed by
Alice,
that Alice (and everyone else with Bob's key), knows is connected to
Bob?'

in this case,

is it correct to say the following two things:

(1) only Alice can do: (R^e_b mod n_b)^d_a mod n_a
[clear to me]

(2) given C = (R^e_b mod n_b), Alice *can* find a ciphertext C' that
decrypts to anything meaningful other than R

(i.e.
can Alice claim,

" i do not know Bob, i don't have his key,
i have never seen (R) or (R^e_b mod n_b),

i was just minding my own business,
and created C' by encrypting a random R' using algorithm X
which happened to produce an output exactly equal to C

if you don't believe me,
here is R'
encrypt it yourself the same way i did using Algorithm X,
and you will get C' which happens to equal C = (R^e_b mod n_b) " )


if (2) is true,
(which is not immediately obvious to me,
but which i will take your word for, if you say that it is
cryptographically so ),

then i understand,
and agree that Alice cannot be linked to Bob


if (2) is *not* true,

then either Alice signed random ciphertext presented to her by someone
else
who created (R^e_b mod n_b)
[not credible]

or Alice possessed Bob's key and chose an R to get (R^e_b mod n_b)


if this is correct, ( that (2) is *not* true ),

and the authorities have both Alice's and Bob's public keys,
then can't the authorities say to Alice:

" we aren't interested in *who* sent the message, or what was in it,
all we want to know is, what your connection is to Bob?

we know you know him, because only you could do
(R^e_b mod n_b)^d_a mod n_a

and if you didn't know Bob, or have his key,
and claim (rightly) that anyone else that does have his key,
can create (R^e_b mod n_b),

then our question to you is,
what interest do you have in this, that would cause you to perform
(R^e_b mod n_b)^d_a mod n_a
on a (R^e_b mod n_b) that you did not create? "

so,
my (re-stated clearly, i hope ;-) , question is:

is (2) true or not ?

(again, i will take your word for it if it is,
and then try to do reading to find out why it is so ;-) )

Thanks Again!

vedaal
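
The relation discussed in this thread, as an added Python illustration that is not part of the original post: it shows the two ways of producing a valid (R, c0) pair named above, Alice's using d_a and Bob's using only d_b plus Alice's public key. The toy primes, the function names and the assumption n_b < n_a are constructed for the example; this is textbook RSA without padding.

```python
import secrets

E = 65537  # common public exponent

def keypair(p, q):
    """Textbook RSA key (n, e, d) from two primes; toy sizes, no padding."""
    return p * q, E, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys. Assumption: n_b < n_a, so R^e_b mod n_b always
# fits under Alice's modulus and c0 can be inverted.
N_A, E_A, D_A = keypair(1_000_000_007, 1_000_000_009)   # Alice
N_B, E_B, D_B = keypair(998_244_353, 999_999_937)       # Bob

def alice_make_c0(R):
    """Alice: c0 = (R^e_b mod n_b)^d_a mod n_a, using her private d_a."""
    return pow(pow(R, E_B, N_B), D_A, N_A)

def bob_recover_R(c0):
    """Bob: R = (c0^e_a mod n_a)^d_b mod n_b, or None if out of range."""
    x = pow(c0, E_A, N_A)
    return pow(x, D_B, N_B) if x < N_B else None

def bob_simulate_pair():
    """Bob alone: pick c0 first, then derive the matching R with d_b.

    No use of d_a. Retries when c0^e_a mod n_a does not fit under n_b.
    """
    while True:
        c0 = secrets.randbelow(N_A)
        R = bob_recover_R(c0)
        if R is not None:
            return R, c0

def pair_is_valid(R, c0):
    """Public check of the relation: c0^e_a mod n_a == R^e_b mod n_b."""
    return pow(c0, E_A, N_A) == pow(R, E_B, N_B)

if __name__ == "__main__":
    R = secrets.randbelow(N_B)
    print("Alice's pair valid:", pair_is_valid(R, alice_make_c0(R)))
    R2, c0 = bob_simulate_pair()
    print("Bob's pair valid:  ", pair_is_valid(R2, c0))
    print("Same c0 Alice would compute:", alice_make_c0(R2) == c0)
```

Bob's pair satisfies the same relation as Alice's, which is why a valid ciphertext convinces Bob but gives a third party nothing to distinguish the two.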
