Question
The consortium are interested in implementing signatures into the crypto-system. The goal is to provide an authentication mechanism which allows a recipient to see from whom the message originated. The consortium leader considers several options for how to implement this mechanism. State whether or not each option is secure, and provide a justification. Suppose Aldebaran wishes to send a message to Borealis, and Aldebaran possesses a signing keypair (sk′A, pk′A). (Hint: think about what eavesdroppers can learn about the identities of senders)
(Sign-then-Double-Encrypt) Aldebaran computes σ = Sign(sk′A, m), and cσ = Enc(pkC, Enc(pkB, σ)). Aldebaran sends cσ along with their usual broadcast, (pkC, cdest, cmsg). Chandra performs her usual steps, as well as decrypting to obtain c′σ = Dec(skC, cσ). She sends it along with her usual broadcast, (pkB, c′msg) for Borealis. Lastly, Borealis, who will receive the message m, now also obtains σ = Dec(skB, c′σ). Borealis believes the message should have come from Aldebaran. He runs Verify(pk′A, m, σ) and is satisfied only if the signature accepts.
Solution
The Sign-then-Double-Encrypt method seems secure at first glance. Aldebaran signs the message with his private key, then encrypts it twice, first with Borealis's public key, then with Chandra's public key. This ensures that only Borealis can decrypt the signature, and only after Chandra has decrypted the outer layer of encryption.
However, there are potential security issues with this method. The main issue is that an eavesdropper who has access to Chandra's private key can decrypt the outer layer of encryption to obtain the encrypted signature. While they cannot decrypt the signature itself without Borealis's private key, they can learn that the message is from Aldebaran by observing the use of his public key. This could potentially reveal information about the identities of the senders.
Furthermore, if the eavesdropper also has access to Borealis's private key, they can decrypt the signature and verify the message themselves. This would allow them to impersonate Borealis and potentially alter the message before re-encrypting it and sending it on.
Therefore, while the Sign-then-Double-Encrypt method provides some level of security, it is not completely secure against eavesdroppers who have access to the private keys of the intermediaries or the recipient.
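The three views discussed in the solution, traced as an added example that is not part of the original page: an observer holding cσ alone, one who also holds Chandra's key, and one who holds both Chandra's and Borealis's keys. Textbook RSA over fixed primes is an insecure toy stand-in for the page's abstract Sign/Verify/Enc/Dec, and `keygen`, `identify_sender`, `run_exchange` and the second sender "Deneb" are hypothetical names introduced here.

```python
import hashlib

# Constructed toy keys: textbook RSA over Mersenne primes 2**a-1, 2**b-1.
# NOT secure; it only stands in for the page's abstract Sign/Verify/Enc/Dec.
def keygen(a, b, e=65537):
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return (n, pow(e, -1, (p - 1) * (q - 1))), (n, e)  # (sk, pk)

def digest(m, n):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sign(sk, m):
    return pow(digest(m, sk[0]), sk[1], sk[0])

def verify(pk, m, s):
    return 0 <= s < pk[0] and pow(s, pk[1], pk[0]) == digest(m, pk[0])

def enc(pk, x):
    assert 0 <= x < pk[0], "toy RSA: plaintext must be below the modulus"
    return pow(x, pk[1], pk[0])

def dec(sk, c):
    return pow(c, sk[1], sk[0])

def identify_sender(directory, m, value):
    """Names whose verification key accepts (m, value) as a signature."""
    return [name for name, pk in directory.items() if verify(pk, m, value)]

def run_exchange(m=b"constructed sample message"):
    sk_a, pk_a = keygen(61, 89)      # Aldebaran's signing pair (sk'A, pk'A)
    _, pk_d = keygen(19, 31)         # hypothetical second sender, "Deneb"
    sk_b, pk_b = keygen(107, 127)    # Borealis
    sk_c, pk_c = keygen(521, 607)    # Chandra
    directory = {"Aldebaran": pk_a, "Deneb": pk_d}
    sigma = sign(sk_a, m)
    c_sigma = enc(pk_c, enc(pk_b, sigma))   # sent with (pkC, cdest, cmsg)
    c_sigma_prime = dec(sk_c, c_sigma)      # Chandra peels the outer layer
    recovered = dec(sk_b, c_sigma_prime)    # needs skB
    # Each view is even handed m, which a real eavesdropper would not have.
    return {
        "wire only": identify_sender(directory, m, c_sigma),
        "with skC": identify_sender(directory, m, c_sigma_prime),
        "with skC and skB": identify_sender(directory, m, recovered),
    }

if __name__ == "__main__":
    for view, senders in run_exchange().items():
        print(f"{view:18} -> {senders or 'no key accepts'}")
```

Only the view that holds skB recovers a value that some verification key in the directory accepts; the two sealed forms of the signature match no sender.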