Cryptography Reference
their signature: because of their resistance to collisions, if a single bit of the
message is changed, the hash function will generate a different fingerprint,
ensuring that signature verification will fail.
Non-repudiation
In Diffie and Hellman's original formulation, a cryptographic signature
attests not only to the origin of the signed message (the private key that
produced the signature) and its integrity (no modification was possible, as
otherwise the verification would have failed), but also to a third, essential
effect: no party other than the signer, including the verifier, could have produced
the signature. Thus, the final security service of digital signatures requires
that they provide a form of evidence external to the two parties engaged in
the transaction, from which an authorized third party—in particular, a
judge—may draw conclusions. Rivest, in a 1990 survey of the field, synthesized
the difference between mere authentication and signature: in the first
case, “the recipient of a message can convince himself that a message as
received originated with the alleged signer,” while in the second case, “the
recipient of a message can convince a third party that the message as received
originated with the alleged signer.” 20 Over the years, this putative power to
convince has come to be referred to as non-repudiation, a term whose origin
and gradual evolution warrant closer examination (see figure 4.5). This
evolution is characterized by a constant ambiguity over the extent of signatures'
evidential power: with respect to third parties' evaluation of the
authenticity of the signed message, does the signature merely serve as one
element among many, or is it instead of such a compelling nature that this
evaluation is reduced to mere confirmation of the signature's verification
process?
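Rivest's distinction in runnable form, as an added example that is not part of the original text: with a shared-key MAC the recipient can compute a valid tag itself, so the tag cannot convince a third party, whereas checking a signature requires only the public key. The toy textbook RSA parameters (two published Mersenne primes, no padding), the shared key and the messages are constructed for illustration and are not secure.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for this illustration).
SHARED_KEY = b"constructed-shared-key"   # held by sender AND recipient
ORIGINAL = b"Pay Bob 10 units"
OTHER = b"Pay Bob 9000 units"            # a message the sender never sent

# Toy textbook RSA: published Mersenne primes, no padding. Not secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, signer only

def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)

def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def rsa_sign(message: bytes) -> int:
    # Uses the private exponent D, which the verifier never holds.
    return pow(digest_int(message), D, N)

def rsa_verify(message: bytes, signature: int) -> bool:
    # Uses only the public values N and E.
    return pow(signature, E, N) == digest_int(message)

def demo() -> dict:
    # One flipped bit in the first byte of the signed message.
    altered = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]
    signature = rsa_sign(ORIGINAL)
    # The recipient computes this tag alone, using the key it must hold to verify.
    recipient_tag = mac_tag(SHARED_KEY, OTHER)
    return {
        "mac_tag_made_by_recipient_verifies": mac_verify(SHARED_KEY, OTHER, recipient_tag),
        "signature_verifies": rsa_verify(ORIGINAL, signature),
        "signature_after_one_bit_change": rsa_verify(altered, signature),
        "signature_moved_to_other_message": rsa_verify(OTHER, signature),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```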
Although the early scientific cryptographic literature does not directly
employ the term non-repudiation, the figure of the judge seems to make
its first appearance in the RSA paper: “The recipient of a signed message
has proof that a signed message originated from the sender. This quality
is stronger than mere authentication (where the recipient can verify that
the message originated from the sender); the recipient can convince a
'judge' that the signer sent a message.” 21
The RSA patent is already positioned slightly differently, stating that
public-key cryptography provides a “recognizable, unforgeable, document-dependent,
digitized signature whose authenticity the signer cannot later
deny.” 22 Ron Rivest's 1990 survey of the field proceeds along a similar line,