Bitcoin Forum

If I encode a message with an RSA public key and then transmit it over a completely insecure network, is it possible for an attacker to see that the receiver (known by the public key) received a message?

Is the answer different for ECDSA ECC? Is it different for other public key algorithms?


Next question:
I remember reading something about ECC having a property where one could extract the public key from some other piece of information efficiently and that Satoshi wasn't aware of this property. Could someone remind me of this property?

Thank You!

EDIT: I should have said ECC, not ECDSA.

Yes. That's the whole point of using encryption in the first place: for those situations where you know (or at least suspect) that an eavesdropper will see all your messages, but you want the eavesdropper to be unable to determine the content of the messages that they see. If you need to prevent an attacker from knowing a message was sent at all, encryption won't help; you need to use other techniques to hide your messages, such as steganography.

No, as that's not what encryption does or is supposed to do.

I have no idea what you're talking about. Wait - extract the public key efficiently? How is that even a problem?

Yes, I do understand that. But I'm not asking about the content of the message. Given only the one message, is it possible for an attacker to see that the receiver received a message if the attacker knows the target's public key?

For example, suppose that the NSA runs every single one of Tor's exit nodes but no other nodes. They can see all exit traffic and only exit traffic. Suppose that Alice sends Bob an RSA encrypted message through an exit node. Can the NSA tell that Bob received a message if the NSA knows Bob's public key? The NSA currently has no reason to harass Alice but if she is sending messages to Bob, they will.


It is a problem because it would reveal the public key of the recipient to the public which would reveal that the receiver received a message.

Yes. As a matter of fact it is possible for an attacker to see that the receiver received a message even if the attacker DOESN'T know the target's public key.

As I mentioned, they don't need Bob's public key to know this.

Fortunately, if they are only running exit nodes (and if Alice is careful to not leak her identity), they won't know that the message came from Alice.  They will only know that Bob received a message, but not who it came from.

It is a public key.  it is already "revealed to the public". That's why it is called a "public" key.  Having the public key isn't necessary to know that someone received a message if the message is sent to them.

ECDSA cannot be used to encrypt a message, unlike RSA it is only a digital signature algorithm. Assuming the messaging protocol provides the information of who the message recipient is, then yes they could tell that someone received a message. However, if it is a protocol that makes you check every message to see if it's meant for you, then no, they could not (at least, I don't believe so, but I suppose it is possible that some of the public key encryption schemes could allow you to tell whether or not a message is intended for a certain public key, I am not totally sure on this one).


The public key can be extracted from a signature.


Public key cryptography is not intended to address this.

I forgot about that. Thank you for reminding me. I should have said ECC.


Ultimately this is the heart of my question. Thank you for your answers!