Score:2

Designated verifier signature from Diffie–Hellman and a MAC


Here is an idea for a designated verifier signature scheme. Suppose Alice and Bob know each other’s public keys and Alice wants to send a message to Bob, such that only he will be convinced of its authenticity.

Alice will do Diffie–Hellman between their keys and then MAC the message using the derived secret. To verify, Bob will derive the secret doing his side of Diffie–Hellman and verify the MAC. It is designated verifier since only those who know the DH secret can verify the MAC and also Bob can fake Alice’s “signature” as he knows the MAC key.

Intuitively, to forge Alice’s signature, one needs to either break the MAC to produce it without knowing the secret or break CDH to learn the secret. This is not a proof, of course, since it goes in the opposite direction to the desired reduction and also I don’t think “cannot be verified without knowing the secret key” is among standard guarantees of a MAC?

So, is there something wrong with this scheme? Can its correctness be proven? Has something like this been done?

fgrieu
I find the intuition pretty convincing with a symmetric MAC as practiced (HMAC), which has the property of being undistinguishable from random without the key. But I don't see either a proof or a counterexample using standard MAC definition. That makes the question interesting (though I can't think of a circumstance making _«Bob can fake Alice’s “signature” as he knows the MAC key»_ a feature rather than a drawback).
ru flag
“Bob can fake Alice’s “signature” as he knows the MAC key” – this is just a standard way of making sure that the signature is to a designated verifier (Bob, that is), since it guarantees that Bob will not be able to convince anyone else of the validity of the signature even if he discloses his secret information to that other party.
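
The scheme described in the question, as an added sketch that is not part of the original post or comments: static Diffie–Hellman between Alice's and Bob's keys, an HMAC-SHA256 tag under the derived key, and a `simulate` function showing that Bob can produce the identical tag himself. Assumptions: the toy group (integers modulo 2^255 - 19, base 2), the function names, the `dvs-demo` label, and the binding of both public keys into the key derivation are choices made for this illustration.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): integers mod the prime 2^255 - 19
# with base 2. A real deployment would use X25519 or a standardized DH group.
P = 2**255 - 19
G = 2

def keygen():
    """Return (secret, public) for a static DH key pair."""
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def mac_key(my_sk, peer_pk, signer_pk, verifier_pk):
    """Derive the MAC key from the static DH secret, bound to both identities."""
    if not 1 < peer_pk < P - 1:  # reject 0, 1 and p-1, which give degenerate secrets
        raise ValueError("invalid public key")
    shared = pow(peer_pk, my_sk, P).to_bytes(32, "big")
    ctx = signer_pk.to_bytes(32, "big") + verifier_pk.to_bytes(32, "big")
    return hashlib.sha256(b"dvs-demo" + shared + ctx).digest()

def sign(alice_sk, alice_pk, bob_pk, msg):
    """Alice's side: DH with Bob's public key, then MAC the message."""
    key = mac_key(alice_sk, bob_pk, alice_pk, bob_pk)
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(bob_sk, bob_pk, alice_pk, msg, tag):
    """Bob's side: derive the same key and check the tag in constant time."""
    key = mac_key(bob_sk, alice_pk, alice_pk, bob_pk)
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def simulate(bob_sk, bob_pk, alice_pk, msg):
    """Bob produces a tag "from Alice" without her secret key.

    Because the tag is byte-identical to what sign() outputs, a transcript
    Bob shows to a third party proves nothing about who created it.
    """
    key = mac_key(bob_sk, alice_pk, alice_pk, bob_pk)
    return hmac.new(key, msg, hashlib.sha256).digest()
```

Since the static DH secret never changes, every message between the same pair is tagged under the same key, so replay protection has to come from the message contents.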