Discussion:
question regarding signcryption
Amitabh Saxena
2005-08-07 21:44:01 UTC
Doesn't the original Diffie Hellman key agreement provide signcryption
(without non-repudiation) functionality by default? Let me
demonstrate.

Define generator g for a large prime p.

Assume we have users Alice and Bob with secret keys x and y
respectively and the corresponding public keys a = (g^x mod p) and b =
(g^y mod p).

Alice is the sender and Bob is the receiver. To digitally signcrypt a
message m, first Alice computes m1=(a||m) [concatenation]
Alice then computes c = ((b^x mod p) XOR m1) and sends c to Bob.

Bob computes the message m1 = (c XOR (b^x mod p)) and checks that the
leftmost bits of m1 correspond to a. The message is the rest of the
part.
David Wagner
2005-08-07 22:20:12 UTC
Post by Amitabh Saxena
Assume we have users Alice and Bob with secret keys x and y
respectively and the corresponding public keys a = (g^x mod p) and b =
(g^y mod p).
Alice is the sender and Bob is the receiver. To digitally signcrypt a
message m, first Alice computes m1=(a||m) [concatenation]
Alice then computes c = ((b^x mod p) XOR m1) and sends c to Bob.
This is insecure.

It is insecure as an encryption scheme: If Alice sends two messages to
Bob, then Alice is essentially using a two-time pad.

It is insecure as a signature scheme: A man in the middle can flip the
last bit in c to get the variant ciphertext c', then forward c' on to Bob.
Bob will now think that Alice sent m' (not m), where m' differs from m
only in its last bit; yet of course Alice did not approve transmission
of m'; a successful forgery.
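To make both failures concrete, here is a toy Python model of the XOR construction quoted above, added to the thread and not written by either poster. It assumes constructed parameters (the Mersenne prime 2^127 - 1 as p, base 3) and, since the post does not say how a |p|-bit pad covers the longer string a||m, it repeats the shared-secret bytes to the needed length; neither choice affects the outcome.

```python
# Toy model of the XOR "signcryption" from the thread and of the two breaks
# in the reply: a constructed example, not a real or recommended scheme.
import secrets

P = (1 << 127) - 1          # constructed prime modulus (2^127 - 1)
G = 3                       # constructed base; generator status is irrelevant here
ELEM_LEN = 16               # bytes needed to encode a group element mod P


def elem_bytes(v: int) -> bytes:
    return v.to_bytes(ELEM_LEN, "big")


def xor(u: bytes, v: bytes) -> bytes:
    return bytes(s ^ t for s, t in zip(u, v))


def pad_for(shared: int, length: int) -> bytes:
    # ASSUMPTION: the post does not say how |p| bits of g^xy cover the longer
    # string a||m; the shared-secret bytes are repeated here. Any deterministic
    # stretching of the pad leads to the same two failures.
    s = elem_bytes(shared)
    return (s * (length // ELEM_LEN + 1))[:length]


def signcrypt(x: int, a: int, b: int, m: bytes) -> bytes:
    m1 = elem_bytes(a) + m                          # m1 = a || m
    return xor(pad_for(pow(b, x, P), len(m1)), m1)  # c = (b^x mod p) XOR m1


def unsigncrypt(y: int, a: int, c: bytes):
    """Bob strips the pad (a^y = b^x), checks the prefix is a, returns m or None."""
    m1 = xor(pad_for(pow(a, y, P), len(c)), c)
    return m1[ELEM_LEN:] if m1[:ELEM_LEN] == elem_bytes(a) else None


def demo():
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    a, b = pow(G, x, P), pow(G, y, P)
    m = b"transfer 0010 units"                       # constructed sample message
    c = signcrypt(x, a, b, m)
    assert unsigncrypt(y, a, c) == m                 # the honest run succeeds

    # Failure 1 (no integrity): flip the last bit of c; the prefix a is
    # untouched, so Bob accepts a message Alice never sent.
    c_forged = c[:-1] + bytes([c[-1] ^ 0x01])
    m_forged = unsigncrypt(y, a, c_forged)

    # Failure 2 (two-time pad): the XOR of two ciphertexts under the same
    # shared secret equals the XOR of the two plaintexts.
    m2 = b"transfer 9999 units"
    leak = xor(signcrypt(x, a, b, m), signcrypt(x, a, b, m2))[ELEM_LEN:]
    return m_forged, leak == xor(m, m2)
```

The prefix check only confirms that whoever produced c knew the shared secret's pad; it says nothing about the rest of m1, which is why a keyed integrity tag over the whole message, not a recognisable prefix, is what a signcryption scheme needs.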