"This scheme also provides nonrepudiation since it proves that Alice sent the message; if the hash value recovered by Bob using Alice's public key proves that the message has not been altered, then only Alice could have created the digital signature."
This is a common misconception.
Just because a signature verifies under Alice's public key, it does not necessarily imply Alice generated the signature. For many common signature schemes, if Bob makes a signature using their public/private key, Alice can produce a different private/public key such that Bob's signature will verify under Alice's key.
We discuss this exact attack (and blog post) in Section 5.1 of the paper :).
IIRC: it was missed by both an academic analysis of LE and a 3rd party audit of their crypto design. Thankfully Andrew spotted it a few weeks before they went live in major browsers!
> In the process, we find new attacks on DRKey and SOAP's WS-Security, both protocols which were previously proven secure in traditional symbolic models.
Does that mean the previous proofs were wrong? or that they proved a narrower version of "secure" that didn't include those particular attacks?
The latter. The tools in question (Tamarin and ProVerif) use a model of signatures that goes back to 2000/2001 which is around when these key substitution properties were discovered. Consequently, they were missed from the models and because the properties themselves aren't that well known, it took a while before it was noticed.
It depends what you consider to be non-repudiation!
With key substitution, you have a signature that can verify under multiple public keys. However, each key was either honestly generated and used to sign the message, or was maliciously generated and intended to appear to have signed the message.
In this sense, the party associated with each public is indisputably associated with the corresponding signature.
However, this gets a bit more confusing with message key substitution (two public keys, two messages, one signature) or colliding signature (one public key, any number of messages, one signature). For example, a malicious party might produce a signature which is valid for any message. Does the fact that they've "signed everything" mean they can repudiate having signed anything? (The connection between intent to sign and the signature has arguably been lost).
We do discuss these other properties in the paper, but we don't really delve into non-repudiation in the informal sense.
It’s also worth pointing out that non-repudiation requires stronger properties than cryptography alone can guarantee. If I surreptitiously leak my private key onto the internet I can later plausible deny that I signed messages. (The Signal protocol deliberately leaks old MAC keys for this reason).
If you really want non-repudiation then you have to have hardware, legal, and procedural controls in place.
I may be misunderstanding the author's use of terms here, but this seems wrong (section 3.1):
> A block cipher is so-called because the scheme encrypts one block of data at a time using the same key on each block. In general, the same plaintext block will always encrypt to the same ciphertext when using the same key in a block cipher whereas the same plaintext will encrypt to different ciphertext in a stream cipher.
A block cipher will turn the same plaintext into the same ciphertext only if you're using it with the ECB mode; otherwise, the same plaintext in different places with the same key will encrypt into different ciphertext.
If he means "key" in the sense of "final thing that gets XORed to make the ciphertext", then that's true, but then it's equally true of stream ciphers as well.
To me at least, it makes sense to introduce a complex topic gradually, in stages. But regardless, I still agree that the wording in the paragraph you called out could be improved for better clarity.
I don't know in what context it would be reasonable even as a simplification to say that block ciphers are semantically insecure like that. Anyone who listed that as a disadvantage to block ciphers should be regarded as confused, not speaking from a big picture perspective.
Furthermore, even if you're going to explain it that way as a result of building up the complexity gradually, you need to explicitly "unring" that bell, e.g. "Earlier I said X, but actually Y...". This author didn't.
Shameless plug: I’ve been writing my own introduction for students/developers/consultants/... and you can read it online for free it seems (or at least some chapters): https://www.manning.com/books/real-world-cryptography
Side note: Diffie-Hellman predates RSA. I attended a talk by Rivest once, where he vividly described how that paper triggered them into exploring whether public key crypto was really possible or not. They ended up constructing RSA from those sessions.
"In many of the descriptions below, two communicating parties will be referred to as Alice and Bob; this is the common nomenclature in the crypto field and literature to make it easier to identify the communicating parties. If there is a third and fourth party to the communication, they will be referred to as Carol and Dave, respectively. A malicious party is referred to as Mallory, an eavesdropper as Eve, and a trusted third party as Trent."
Holy smokes - I 'ran' into this website a few weeks ago whilst cleaning up an old computer.... and chuckled (my copy that I had saved on this computer is/was old - lets just say that).
And then I chance upon it being talked about on HN. Small world and maybe the universe is telling me something ;-)
It's a great read if you're not too in depth on the topic and want an overview, but it is badly in need of a modern revision that removes some of the more speculative parts of the last chapter and replaces it with what actually happened in the last 20 years.
It does say at the top "originally written in 1998" and it was basically amended over time, but regardless I still love learning about "historical" views.
Example: A textbook from '95 had a pretty large section on "the future" of ECC and "current" trends in research. It was interesting seeing what came true, or what was still being worked on.
This is a common misconception.
Just because a signature verifies under Alice's public key, it does not necessarily imply Alice generated the signature. For many common signature schemes, if Bob makes a signature using their public/private key, Alice can produce a different private/public key such that Bob's signature will verify under Alice's key.
Paper (we) wrote on the impacts of this: https://eprint.iacr.org/2019/779