
That’s definitely not always desirable. Very often I only want the signer to know what (or whether) I wrote, and on top of that I don’t always want them to be able to prove it to a third party. Non-repudiation is often a bug, not a feature!

I believe the concept might be called designated verifier signatures, but I’m not too familiar with it, so I was hoping somebody could shed some light.



Could you clarify the scenario you have in mind?

The whole point of signing messages is non-repudiation, so the recipient can be sure who sent it, no?

So if you want repudiation then just don't sign the messages?


Non-repudiation doesn't (just) mean that the recipient can be sure who sent it; it means that they are able to prove to a third party who did.

Sometimes, that's desired (e.g. for legal contracts); often it's not (e.g. when instant messaging with friends).


Barring quantum entanglement, how is proving to yourself different from proving to a third party?

Of course, if you trust I won't share my private key, you could just encrypt your signature with my public key. That way my neighbor, whose wifi I'm using, won't be able to tell you're sending me messages.

But that hinges on me not sharing my private key with them. I don't see how any non-quantum scheme could prevent something similar.


Alice wants to profess her love to Bob, but isn't certain if the feelings are mutual. If they aren't, Alice is concerned that Bob might show her letter to Carol, Chuck and Chad, effectively publicly ridiculing her. (Carol, Chuck and Chad have a mean side to them, but they're not unreasonable: They'll only laugh if Bob can prove to them that he didn't just forge the love letter himself.)

A bad way of doing this would be for Alice to sign her entire letter using her private RSA key, known to everybody (Bob, Carol, Chuck and Chad): The condition of Bob being able to verify its authenticity is fulfilled, but Alice is not safe from ridicule.

So what Alice can do instead is, for example, to create a random symmetric key, and sign only that. She then encrypts and authenticates (which is different from signing!) her actual message using that key, using both symmetric encryption and a message authentication code. Finally, she encrypts the symmetric key and her signature of it to Bob.

Now Bob can still be certain that he did indeed receive the message from Alice and nobody tampered with it, but he won't be able to prove that fact to anybody else, since he holds all the information required to forge any possible message. In fact, the only thing he can prove to the world is that, at some point, Alice wrote some message to somebody, but neither that that somebody was him, nor what that message might have contained.


Yeah, OK, I get your scenario now.

> In fact, the only thing he can prove to the world is that, at some point, Alice wrote some message to somebody, but neither that that somebody was him, nor what that message might have contained.

If he can decrypt it he can show the message to the world. And he can then use the approach from the article to show the world Alice signed the MAC key, hence she has communicated with him.

But yeah, I forgot to consider MACs (I blame bedtime). I agree Bob can't prove which message Alice sent if that key is reused, or reuse can't be reliably rejected by third parties.


The MAC key is just a random byte string though, not inherently tied to either Bob or the particular message Alice signed with it!

In particular, Bob can forge any message and authenticate it using the same MAC key, so no third party will accept an authentication tag as proof that Alice was the author of some message. It's not just a matter of reuse.

The only thing Bob could potentially prove to the world about it is that he was somehow the first to obtain this particular Alice-signed MAC (e.g. by immediately publicly timestamping it upon receiving it), which could indeed serve as (weak) evidence that Alice attempted to communicate with him at least once.
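
The construction from the love-letter comment above, and the forgery this reply describes, as an added example in Go (it is not code from any commenter). Assumptions of mine: Alice signs with Ed25519 rather than the RSA key the comment mentions; "encrypts to Bob" is done with an ephemeral X25519 exchange against Bob's static X25519 key; the encrypt-and-authenticate step uses AES-GCM (an AEAD, so the MAC is built in) instead of a separate cipher and MAC; the `"envelope"`/`"body"` labels, the `Letter` type and all function names are mine; the two messages are constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Letter is everything Alice sends Bob. (Kept as an in-memory struct; wire encoding is out of scope.)
type Letter struct {
	EphPub   *ecdh.PublicKey // Alice's one-time X25519 key, used only to seal the envelope to Bob
	Envelope []byte          // AES-GCM(k || Sign_Alice(k)) keyed from ECDH(ephemeral, Bob), nonce prepended
	Body     []byte          // AES-GCM(message) keyed from k, nonce prepended
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing OS CSPRNG is not something this protocol can recover from
	}
	return b
}

// aeadFor derives an AES-256-GCM instance from a secret and a domain-separation label.
func aeadFor(label string, secret []byte) cipher.AEAD {
	key := sha256.Sum256(append([]byte(label), secret...))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail
	aead, _ := cipher.NewGCM(block)   // AES's 16-byte block size cannot fail
	return aead
}

// seal encrypts and authenticates pt, returning nonce || ciphertext || tag.
func seal(label string, secret, pt []byte) []byte {
	aead := aeadFor(label, secret)
	nonce := random(aead.NonceSize())
	return aead.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; it fails unless the blob was made by someone holding secret.
func open(label string, secret, blob []byte) ([]byte, error) {
	aead := aeadFor(label, secret)
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("blob too short")
}

// Write is Alice's side: sign only a fresh random k, seal k || sig to Bob, encrypt-and-authenticate the body under k.
func Write(aliceSign ed25519.PrivateKey, bobPub *ecdh.PublicKey, msg []byte) (*Letter, error) {
	k := random(32)
	sig := ed25519.Sign(aliceSign, k) // the only thing Alice ever signs
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(bobPub)
	if err != nil {
		return nil, err
	}
	envelope := seal("envelope", shared, append(append([]byte{}, k...), sig...))
	return &Letter{eph.PublicKey(), envelope, seal("body", k, msg)}, nil
}

// Read is Bob's side: open the envelope, check Alice's signature on k, open the body.
// It hands back k and sig as well, because after reading Bob holds everything needed to forge.
func Read(bobPriv *ecdh.PrivateKey, alicePub ed25519.PublicKey, l *Letter) (k, sig, msg []byte, err error) {
	shared, err := bobPriv.ECDH(l.EphPub)
	if err != nil {
		return nil, nil, nil, err
	}
	pt, err := open("envelope", shared, l.Envelope)
	if err != nil {
		return nil, nil, nil, err
	}
	if len(pt) != 32+ed25519.SignatureSize || !ed25519.Verify(alicePub, pt[:32], pt[32:]) {
		return nil, nil, nil, errors.New("envelope does not hold a key signed by Alice")
	}
	k, sig = pt[:32], pt[32:]
	msg, err = open("body", k, l.Body)
	return k, sig, msg, err
}

// Forge is Bob's move afterwards: keep Alice's genuinely signed envelope, attach any body he likes.
// Read accepts the result exactly like the original, so it proves nothing about what Alice wrote.
func Forge(original *Letter, k, fake []byte) *Letter {
	return &Letter{original.EphPub, original.Envelope, seal("body", k, fake)}
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	letter, _ := Write(alicePriv, bobPriv.PublicKey(), []byte("I love you, Bob"))
	k, _, msg, err := Read(bobPriv, alicePub, letter)
	_, _, fake, err2 := Read(bobPriv, alicePub, Forge(letter, k, []byte("Bob, have my car")))
	fmt.Printf("Bob reads %q (%v); his forgery reads %q (%v)\n", msg, err, fake, err2)
}
```

What a third party (Carol) would get from Bob is k, Alice's signature over k, and a body. The signature checks out, but the body is AES-GCM under a key derived from k, which Bob holds, so any body at all can be produced by Bob; nothing Alice signed names Bob or the message. Note that, exactly as the thread goes on to argue, this does not hide that Alice once signed some k: the demo does not bind k to Bob's identity, and whether that is a problem is the point the later replies are debating.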


Her signature can be tied to her (that's the point of the article after all), and Bob can supply the evidence for that by decrypting it.

If there are no other ways for Bob to have received that signature, then that's sufficient to establish communication.

If Bob could have gotten it from Charlie because Alice did the same dance with him, then indeed Bob can't prove anything. But then Alice can't be sure Charlie isn't forging messages to Bob, and Bob can't trust Alice sent them in the first place.

But as I said, I agree that which message was sent can't be reliably determined based on your scheme.



