Dear CFRG list:
Some IETF messaging protocols, including CMS (and perhaps JOSE) offer messaging protocols in which both the sender and the recipient have authenticated keys (public keys, shared symmetric keys, or passwords) and the message is authenticated
(and possibly also encrypted), but not signed in the usual sense of a public-key signature.
1. What benefits does this form of recipient-specific sender authentication have over signing? In particular, is the main benefit adding non-malleability (integrity protection (***)) to encryption (*)?
2. What is the best cryptographic research defining formal security definitions for this kind of operation?
3. How do the current IETF designs fare under these cryptographic research goals?
4. Suppose a message has multiple recipients, one of whom is malicious. Should a malicious recipient be allowed to manipulate the message? Should a malicious recipient be allowed to generate a new "authenticated" message from the sender
with a different recipient list, in particular, including only a single honest recipient (**)? If these features are allowed, should it be called "authentication"?
I seek your answers, but provide my tentative answers:
1. Two benefits: (a) signatures have less plausible deniability, and (b) signatures have constant authentication cost per recipient, whereas recipient-specific authentication has a cost proportional to the number of recipients (which may
be one way to resist spam). A parallel (but not necessarily a benefit): TLS offers, optionally, client authentication without a client signature on every (or even any) message, which presumably has benefits. So, the benefit is much greater than adding non-malleability
(aka integrity protection).
2. I recall some work done on designated verifiers, but I think that is slightly different and trickier functionality. My rather bad IACR eprint on deniable authentication does not qualify.
3. The security should be okay in the single recipient case, but it would hard to prove for most schemes. The security of the current CMS methods are not so good in the multiple recipient case.
4. Probably not. Definitely not (because how would an honest recipient determine previous messages). Definitely not. (*)
(*) I've been told that the purpose of the CMS "authentication" methods is actually only to provide non-malleable (aka integrity protection) -- but not in those exact words -- and that for true sender authentication, one should use signatures
instead. I’ve also been told that the term "authentication" only applies to whoever has the MAC key. I translate this into an alternative answer to 4 which is not my own:
4' Definitely yes. Probably yes. Yes.
(**) This seems possible for the current CMS methods. My opinion is that benefits of recipient-specific authentication are sufficient to take some countermeasures against this possibility.
(***) I now see, after writing most of this, that JOSE includes signatures under the term "integrity protection", which seems to conflict with how I (and I think others too) have used this term use to describe the non-malleability property
of PKE. I really think that the terminology should be resolved.
Research In Motion Limited
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.