
Essentially, I am looking for a way for user A to create a signed message that user B can 1) verify user A wrote (i.e. using ecrecover) and 2) read the content of without needing user A's private key.

I know it is possible for user A to use asymmetric encryption to sign a message that can be verified to be authentic, but I want user B to be able to read the content of that message and be able to rely on it without having to ask user A for a separate unencoded version of the message since user A could lie in the unencoded version.

kelalaka
A W

1 Answer


The security of signature schemes doesn't require the message to be encrypted. The hash algorithm and the signature algorithm parameters are publicly known, and the only secret, the signer's key, must be kept secret all the time. Hashing before signing has been part of the signature scheme since the first true signature scheme, the Rabin signature scheme.

In signature scheme security we have an adversary, the forger, whose aim is forging a signature of a message that has never been signed before. For a simple game, you can consider that the forger obtained $n$ pairs $(\sigma_i,m_i)$, that is, messages and their signatures. Now, if the forger can output a new message $m \neq m_i$ for $i \in \{1,n\}$ with a valid signature $(\sigma,m)$, we call this an existential forgery of the digital signature.

Is it possible to cryptographically sign a message with a private key while keeping the pre-image content public?

Yes. As long as the message doesn't need to be confidential, there is no problem with secure signature schemes like RSASSA-PSS, DSA, ECDSA, EdDSA, Schnorr, etc. The message can be signed unencrypted. This is common in digital media. You can see the content and the signature of a PDF, image, government documents, etc. and verify the signature if you have the true public key of the signer.

Keep in mind that, if the hash algorithm is not second pre-image resistant, then forgery is imminent. Use a collision-resistant cryptographic hash function to achieve at least Universal Forgery (UF) under Chosen-Message Attack (CMA), UF-CMA, like SHA-2, SHAKE of SHA-3, and BLAKE2.

If one relies only on the second pre-image resistance of SHA-1, then there are collision attacks on $\operatorname{SHA-1}$ like:

  • Alice creates two messages that have the same SHA-1 value: $m_1$ is what Bob wants to sign and $m_2$ is the one that gives Alice an advantage of her own.
  • Alice sends $m_1$ to Bob and Bob reads and signs. $$(\sigma,m_1) = Sign( \operatorname{SHA-1}(m_1))$$
  • Alice sends $(\sigma,m_2)$ to Charlie.
  • Charlie verifies the signature since $\operatorname{SHA-1}(m_1) = \operatorname{SHA-1}(m_2)$
  • Alice benefits.

Do not set security on broken schemes even if they mitigate the current risks.

kelalaka
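The following is an added example, not part of the question or the answer above, showing the scheme the answer describes: user A signs a cleartext message with secp256k1 ECDSA, and user B, holding only the message and the signature, recovers A's public key from them in the same way Ethereum's ecrecover does (ecrecover goes one step further and hashes the recovered key into an address; that step is omitted here and the key is compared directly). The message is hashed with SHA-256 before signing, so the signature binds to the digest, which is exactly why the hash must be collision resistant as the answer says: any second message with the same digest would verify under the same signature. The curve constants are the published secp256k1 parameters; the private key, the message and the HMAC-based nonce derivation are constructed for this demo (the nonce derivation is a simplified stand-in for RFC 6979, not an implementation of it). Pure Python 3.8+, no third-party packages.

```python
"""Sign a cleartext message with secp256k1 ECDSA and recover the signer's public key
from (message, signature) alone, ecrecover-style.  Pure Python, no third-party packages."""
import hashlib
import hmac

# secp256k1 domain parameters (y^2 = x^3 + 7 over F_p)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time: demo only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def msg_hash(msg):
    """e = SHA-256(msg) as an integer mod n.  The signature binds to this digest only;
    the message itself travels in the clear next to the signature."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg):
    """User A: ECDSA signature (r, s, v) over the cleartext msg; v is the recovery id."""
    e = msg_hash(msg)
    # Deterministic nonce from (key, digest): a simplified stand-in for RFC 6979 (assumption).
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), e.to_bytes(32, "big"),
                                hashlib.sha256).digest(), "big") % N
    rx, ry = point_mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (e + r * priv) % N
    v = ry & 1          # parity of R.y; assumes rx < n, which holds with overwhelming probability
    if s > N // 2:      # low-s normalisation as used by Ethereum; flips the recovery id
        s, v = N - s, v ^ 1
    return (r, s, v)


def recover(msg, sig):
    """User B: recover the signer's public key Q = r^-1 (s*R - e*G) from msg and sig alone."""
    r, s, v = sig
    e = msg_hash(msg)
    y = pow((r ** 3 + 7) % P, (P + 1) // 4, P)   # sqrt mod p, valid because p = 3 (mod 4)
    if y & 1 != v:
        y = P - y
    R = (r, y)
    s_r_minus_e_g = point_add(point_mul(s, R), point_mul((N - e) % N, G))
    return point_mul(pow(r, -1, N), s_r_minus_e_g)


def verify(pub, msg, sig):
    """Classic ECDSA verification against a known public key."""
    r, s, _ = sig
    if not (0 < r < N and 0 < s < N):
        return False
    e = msg_hash(msg)
    w = pow(s, -1, N)
    x = point_add(point_mul(e * w % N, G), point_mul(r * w % N, pub))
    return x is not None and x[0] % N == r


# Constructed demo key for user A (never derive a real key like this).
PRIV_A = int.from_bytes(hashlib.sha256(b"user A demo key, constructed for this example").digest(), "big") % N
PUB_A = point_mul(PRIV_A, G)

if __name__ == "__main__":
    msg = b"I, user A, owe user B 10 units"           # constructed cleartext message
    sig = sign(PRIV_A, msg)
    print("message in the clear :", msg.decode())
    print("recovered key is A's :", recover(msg, sig) == PUB_A)
    print("after tampering      :", recover(msg + b"0", sig) == PUB_A)
```

User B never needs A's private key: the message is readable as-is, and `recover` ties it to A's public key (or `verify` checks it against a key B already trusts). Changing a single byte of the message changes the digest, so recovery yields an unrelated key and verification fails; the only way around that is a second message with the same digest, which is precisely the collision scenario the answer warns about for SHA-1.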