[OTR-users] single pass deniable authentication

[CLAY SHENTRUP]

While we're on the subject of potential ways to improve OTR in
its next stage, I came across a remarkably simple single pass
deniable authentication scheme here:
http://www.google.com/url?sa=t&ct=res&cd=1&url=http%3A//eprint.i
acr.org/2005/056.pdf&ei=LLH7Qoi-Mcv0YLzNkPMM
The basis for the system is incredibly simple.  We'll call
Alice's public and private keys A and a respectively, and
likewise for Bob; B and b.
Alice wants to send a message to Bob, so she creates a random
value, x, and sends the pair the pair ( Z, x ) to Bob, where Z =
a(B(x)).
Bob can then calculate x from Z as x = b(A(Z)), verifying
Alice's RSA digital signature on x, essentially.  However, Bob
cannot prove to someone else that Alice created this pair,
because he could create a value Z, and calculate x as x =
b(A(Z)).  The rest is just protocol to make the system feasible
and robust.  This system sounds so simple, though I've never
heard of it before.  The fact that it can operate in a single
pass might be helpful for offline messages that you still want
to be secure and authenticated, but repudiable.
Thoughts?  Opinions?
-END-
"Extending the war into Iraq would have incurred incalculable human and political
costs. We would have been forced to occupy Baghdad and, in effect, rule Iraq. The
coalition would instantly have collapsed, the Arabs deserting in anger and other
allies pulling out as well. Exceeding the U.N.'s mandate would have destroyed the
precedent of international response to aggression we hoped to establish. Had we
gone the invasion route, the U.S. could still be an occupying power in a bitterly
hostile land."

-- From "Why We Didn't Remove Saddam"
by George Bush [Sr.] and Brent Scowcroft, Time Magazine, 1998

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20050811/0c1eb17c/attachment.html>