Anonymous Credit: New proposal

Hadmut Danisch hadmut at danisch.de
Sun Sep 2 06:07:04 EDT 2001 

On Sat, Sep 01, 2001 at 11:14:56PM -0500, Frank Tobin wrote:
> 
> Simple.  The original author should use a trusted time-stamping service to
> indicate a trusted 'true' time for the first signature.
> Alternatively,

Sure, but this was not part of the proposal. 
And I don't know of any existing time-stamping service which
is trusted and provides services to anonymous people. It must
be possible to receive the time stamp without revealing your identity
or to get a time stamp which can't be tracked to the message
to be posted.


> the detached signature should be presented ahead of time and distributed
> widely.  When the document comes out, you prove you have the secret key,
> and that your signatures on the document existed in distribution before
> the document itself was in distribution.

Not really. Makes stealing more difficult, but not impossible. 

The attacker now has to prevent the distribution of the detached
signature *and* has to make the author believe it had successfully
been distributed (e.g. fake a mail from a distribution list), then
wait for distribution of the full message.

Problem: A signature is simply the wrong cryptographic tool.
A signature gives non-repudiation, so the owner of the secret
key can't deny to have seen the message (which is useless, as
long as the identity of the key owner is unknown).

But in this case you want to prove that some is the only author,
not that he has seen the message, which is a matter of
authentication, not message signing.




New Proposal:


1. Author generates a public/secret key pair, suitable
   for authentication (maybe zero knowledge, in case
   message could bring author to jail...)


2. Author generates a random number (nonce) and
   calculates Hashsum(concat(random number,message)).

3. Author anonymously publishes the public key from
   step 1 and the hashsum from step 2 ("I will later
   claim authorship of a message...").

4. Some public authorities (as many as possible, whoever
   should be convinced of authorship later, e.g. 
   mailing list admins, notaries, universities,...)
   generate a signature for the public key and the
   hashsum published in step 3.

   This means: "We will accept the person who authenticates
   to this public key as the author of the message with
   this hashsum."

   This signature is publicly distributed (sent to a 
   mailing list, put on a web server,...)

5. If the author receives enough of these signatures,
   he can be sure to claim authorship later by using
   the secret key to authenticate.

   If the author doesn't receive enough signatures
   within a given amount of time, he repeats from
   step 2.


6. Author anonymously publishes the message and the 
   random number. The issuers of the signatures (and
   whoever trusts them) can now link the message to 
   a public key for authentication.


7. Whenever he wants, author can prove authorship
   by authenticating to the public key
   (which might be comfortable if it is a 
   zero-knowledge scheme and the police is waiting...)




Hadmut




Hadmut





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list