Let's assume we have a message $M$ and it's signature $S$ and that $|$ is the concatenation operator.
Should we encrypt $S|M$ or $M|S$?
Does it even matter?
Asked
Active
Viewed 144 times
4
-
2I'd doubt it matters, but the usual setting is to do M|S as this feels more natural and usually provides advantages from the processing flow i.e. you read the message in first and then read the signature and then verify it, just like you'd do with any contract (where you find your signature at the bottom and usually not at the top). – SEJPM Oct 13 '15 at 12:15
-
1Make sure to add in id of recipient before signing. – mikeazo Oct 13 '15 at 12:18
1 Answers
2
Secure encryption does not care about how the data is ordered.
With the typical single use symmetric keys that hybrid encryption uses, I cannot think of a way it could matter one way or the other. With key reuse (if you used symmetric encryption on signed data), there are some cases where having the "randomness" from the signature in the first blocks might help, but that would mostly be papering over security holes.
In practice, having it at the end may be preferable if it allows for a streaming interface where the data gets encrypted and maybe even sent before all data is ready to be signed.
