The microblog: 2022.07.20 08:47:15

2022.07.20 08:47:15 (1549647103453851648) from Daniel J. Bernstein, replying to "Ruben Kelevra (@RubenKelevra)" (1549644232859783169):

Yes, that's how a signed-message API works, protecting against the very common failure mode of simply skipping (or ignoring the results of) a "check a signature" call. The more advanced question is how to make it harder for people to look at sm, see where m is, and remove the s.


2022.07.20 08:22:39 (1549640913458040833) from Daniel J. Bernstein:

If signed messages look like message+signature (as opposed to "message recovery") then it's too easy for people to grab the message and skip checking the signature. To fight against this, transform sm to obscure m: xor 1,2,3,...; better, apply any of the AONTs from Rivest et al.

2022.07.20 08:35:50 (1549644232859783169) from "Ruben Kelevra (@RubenKelevra)":

Why not create a signature process which includes the message into the signature, so that the program checking the signature will output the message when it's valid?