Suppose I have a packet of data and that I am sending the data to 10 users. I want to add an attribute to this data, something like a digital signature. Each of the 10 users would have a different "key". When they apply their key to this special signature on the data packet it returns either true or false. However they cannot determine, using their key, whether or not the other users are true or false.

A: 

Assuming the data packet is small:

Encrypt the data with the public keys of the users that you want to be "True". Encrypt it with more random keys, so that the total number adds up to ten. The "True" users will be able to read the file. "False" users will not. All users will only see that it has been encrypted to ten users, including (maybe) themselves.

If the data packet is large, encrypt it with a symmetric scheme, and just treat the password for that encryption in the above fashion.

If the data packet only contains the information true or false, you may also just encrypt this value (and a short salt to randomize the results) with the key of the recipient. In that case, all recipients will be able to decrypt something - True or False.

relet
+3  A: 

Even if the data packet is large:

Hash the data in the packet. Encrypt the hash using each user's key and attach the encrypted versions to the message.

Each user hashes the original packet (without the signatures), then validates that the hash matches their decrypted chunk.

This works for both symmetric and public-private algorithms.

Borealid
Would it be possible to have only one signature attached that the 10 users can all use their keys on to know whether they are true or false?
freddy smith
@freddy smith: Having one signature for two different keys would be a form of plausibly-deniable encryption. That exists. You could, in theory, make it work for more than two keys; but the size of the one signature which works for ten keys would be larger than the combined size of the ten signatures each working for one key.
Borealid
You can use only one bit for each user, instead of a full signature.
ralu
@ralu: The shorter you make the signature, the easier it is to forge. The problem with your approach below is that a user can, given the real message, easily forge an alternate message with a different value for one of the other user's flags. So you can't know that your value was really "true", because it could be one of the other users spoofing you.
Borealid
It is not a signature. It is just a one-bit data container for the "true/false" value. You should apply a signature over all the data. If you have 1 million users, you can publish this true/false table with 128k (one bit per user) + 16 (random data, 128 bits) + 2000 (signature) bytes = 130kB of data.
ralu
@ralu: To quote from the original question, "they cannot determine, using their key, whether or not the other users are true or false." If you publish such a table in unencrypted form, this property does not hold.
Borealid
A: 

You cannot send fewer than n bits over the channel to achieve this, where n is the number of users.

Every user generates their own HMAC(DATA,HIS_KEY).
Since you know all the keys, you can send only one bit for each user, and the user has to XOR that with the first bit of his HMAC.

So here it goes

    DATA = random(128)
    result = DATA
    For each user:
        bit = MSB(HMAC(DATA, user["key"]))
        bit = bit xor user["true/false"]
        result.append(bit)
ralu
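
The one-bit-per-user scheme from this answer, written out for both the sender and a recipient as an added example (not code from the answer). HMAC-SHA256, the function names and the sample keys are assumptions; the last step of `demo` shows why the comments call for a signature over the whole packet, since a flipped bit decodes as a flipped flag.

```python
import hashlib
import hmac
import os


def mask_bit(key: bytes, nonce: bytes) -> int:
    """Most significant bit of HMAC(key, nonce).

    SHA-256 is an assumption; the answer does not name a hash function.
    """
    return hmac.new(key, nonce, hashlib.sha256).digest()[0] >> 7


def build_packet(users, nonce=None):
    """Sender side. users is a list of (key, flag) pairs, one per recipient.

    Returns (nonce, masked_bits); the nonce is the answer's DATA = random(128).
    """
    nonce = os.urandom(16) if nonce is None else nonce
    return nonce, [mask_bit(key, nonce) ^ int(flag) for key, flag in users]


def read_flag(packet, index: int, key: bytes) -> bool:
    """Recipient side: unmask only the bit at this user's own position."""
    nonce, bits = packet
    return bool(bits[index] ^ mask_bit(key, nonce))


def demo():
    # Constructed sample: 10 users with random keys and arbitrary flags.
    keys = [os.urandom(32) for _ in range(10)]
    flags = [i % 3 == 0 for i in range(10)]
    packet = build_packet(list(zip(keys, flags)))
    recovered = [read_flag(packet, i, k) for i, k in enumerate(keys)]

    # Integrity check: with no signature over the packet, a changed bit is
    # accepted by the recipient and simply decodes as the opposite flag.
    nonce, bits = packet
    tampered = (nonce, [bits[0] ^ 1] + bits[1:])
    return flags, recovered, read_flag(tampered, 0, keys[0])


if __name__ == "__main__":
    print(demo())
```
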