Score:1

Is it possible to cryptographically sign a message with a private key while keeping the pre-image content public?

sa flag
A W

Essentially, I am looking for a way for user A to create a signed message that user B can 1) verify user A wrote (ie using ecrecover) and 2) the content of the message can be read by user B without needing user A’s private key.

I know it is possible for user A to use asymmetric encryption to sign a message that can be verified to be authentic, but I want user B to be able to read the content of that message and be able to rely on it without having to ask user A for a separate unencoded version of the message since user A could lie in the unencoded version.

knaccc avatar
es flag
The whole point of a signature is that the signer cannot lie about which message is being signed.
fgrieu avatar
ng flag
I don't see anything in what's asked that a standard signature does not do. In particular, "the content of the message can be read by user B without needing user A’s private key" is a standard feature of any signature scheme. The receiver does not need the signer's private key; they need the _public_ key. And "use asymmetric encryption to sign a message" has a terminology error: encryption encrypts, it does not sign. Perhaps you mean "use asymmetric _cryptography_ to sign a message".
Score:3
in flag

The security of the signature schemes doesn't require the message to be encrypted. The hash algorithm and the signature algorithm parameters are publicly known and the only secret the signer's key must be kept secret all the time. The hashing before signing is part of the signature scheme since the first true signature scheme; Rabin Signature scheme.

In signature schemes security we have an adversary, forger, whose aim is forging a signature of a message that is never signed before. For a simple game, you can consider that the forger obtained $n$ pairs of $(\sigma_i,m_i)$ those are the message and its signature pair. Now, if the forger can output a new message $m \neq m_i$ for $i \in \{1,n\}$ with a valid signature $(\sigma,m)$ we call this a forgery for the digital signature with Existantial Forgery.

Is it possible to cryptographically sign a message with a private key while keeping the pre-image content public?

Yes. As long as the message doesn't require to be confidential, there is no problem with the secure signature schemes like RSASSA-PSS, DSA, ECDSA, EdDSA, Schnoor, etc. The message can be signed unencrypted. This is common in digital media. You can see the content and the signature of a PDF, image, government documents, etc. and verify the signature if you have the true public key of the signer.

Keep in mind that, if the hash algorithm is not second pre-image resistant, then forgery is imminent. Use Collision resistant Cryptographic function to achieve at least Universal Forgery (UF) under Chosen-Message Attack (CMA) UF-CMA, like SHA2, SHAKE of SHA3, and BLAKE2.

If one only relies on the second pre-image resistance of the SHA-1 then, there are attacks on the collision of $\operatorname{SHA-1}$ like;

  • Alice creates two messages that have the same SHA-1 value, $m_1$ is what Bob wants to sign and $m_2$ is what Alice has the advantage for their own.
  • Alice sends $m_1$ to Bob and Bob reads and signs. $$(\sigma,m_1) = Sign( \operatorname{SHA-1}(m_1))$$
  • Alice sends $(\sigma,m_2)$ to Charlie.
  • Charlie verify the sign since $\operatorname{SHA-1}(m_1) = \operatorname{SHA-1}(m_2)$
  • Alice benefits.

Do not set security on broken schemes even if they mitigate the current risks.

mafu avatar
kr flag
I do not understand this sentence: *Hopefully, none of the cryptographic hash algorithms ... are secure on their second pre-image resistance.*
kelalaka avatar
in flag
@mafu I need to re-write that part. If one uses the collision resistance broken hash function, there is an attack. So always use collision-resistant hash functions.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.