[3780] in cryptography@c2.net mail archive
Re: Recovering message from signature
daemon@ATHENA.MIT.EDU (David Hayes)
Wed Dec 9 20:45:42 1998
Date: Wed, 09 Dec 1998 19:24:32 -0600
To: staym@accessdata.com, cryptography@c2.net
From: David Hayes <david.hayes@mci.com>
In-Reply-To: <366DB7ED.943@accessdata.com>
At 04:36 PM 12/8/98 -0700, staym@accessdata.com wrote:
>I seem to recall hearing of a signature scheme wherein the message is
>recovered from the signature. Does this ring a bell for anyone? Any
>pointers?
You may be thinking of Ron Rivest's "chaffing and winnowing" proposal. The
message is sent a single bit at a time. For each bit position, two
"signatures" are sent, representing that bit in its "zero" and "one"
states. One of the signatures is valid, the other is just a random number.
When the receiver gets this (huge) set of signatures, she reconstructs the
message one bit at a time. Each bit position's two signatures are verified.
The actual output bit in the message depends on which of the two
signatures for that bit position verified correctly.
There's some bits I'm leaving out here. The result, though, is that Rivest
uses authentication technology, which is not export controlled, to
implement a privacy service.
--
David Hayes David.Hayes@MCI.Com
Switch Systems Planning & Engineering voice: 972-729-7236
MCI Communications, Inc. VNET: 777-7236
--If these thoughts were MCI's official opinions, the line above would
--read "MCI - Law & Public Policy Department".
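
The bit-by-bit scheme described in the message above, as an added example that is not part of the original post. It assumes HMAC-SHA256 as the per-bit authenticator (Rivest's proposal uses MACs, which the post calls "signatures") and a key shared in advance; the function names and the sample key are made up for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size (assumed MAC; the post does not name one)

def _tag(key, serial, bit):
    # Bind the tag to the bit position so it cannot be replayed elsewhere.
    return hmac.new(key, serial.to_bytes(8, "big") + bytes([bit]), hashlib.sha256).digest()

def chaff(key, message):
    """Sender: two packets per bit, one with a valid tag and one with a random tag."""
    packets = []
    for serial in range(len(message) * 8):
        bit = (message[serial // 8] >> (7 - serial % 8)) & 1
        pair = [(serial, bit, _tag(key, serial, bit)),            # wheat
                (serial, bit ^ 1, secrets.token_bytes(TAG_LEN))]  # chaff
        if secrets.randbits(1):  # order within the pair must not reveal the bit
            pair.reverse()
        packets.extend(pair)
    return packets

def winnow(key, packets):
    """Receiver: keep only packets whose tag verifies, then reassemble the bits."""
    bits = {}
    for serial, bit, tag in packets:
        if hmac.compare_digest(tag, _tag(key, serial, bit)):
            if bits.setdefault(serial, bit) != bit:
                raise ValueError("both values verified at position %d" % serial)
    if not bits or set(bits) != set(range(max(bits) + 1)) or len(bits) % 8:
        raise ValueError("missing bit positions: wrong key or tampered packets")
    out = bytearray(len(bits) // 8)
    for serial, bit in bits.items():
        out[serial // 8] |= bit << (7 - serial % 8)
    return bytes(out)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    pkts = chaff(key, b"hi")
    print(len(pkts), winnow(key, pkts))
```

Without the key, every bit position shows both a "zero" and a "one" packet with a 32-byte tag, so the stream itself does not indicate which packet is the wheat.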