At 1:06 PM -0500 10/31/00, Adam Shostack wrote:
> On Tue, Oct 31, 2000 at 09:11:23AM -0800, Tim May wrote:
> | >>Zero-Knowledge is committed to deploying systems that are
> | >>transparent and accountable. In keeping with this policy,
> | >>MPS will incorporate third party verification and split
> | >>encryption key structures
> |
> | Split encryption key. I think that says it all.
>
> Geez. I don't know how we ended up with that wording. Multiple key would have made more sense. The goal is to have a set of keys which are held by different entities. Thus, your data is encrypted such that each of those entities needs to be involved to decrypt it.
>
> By split key encryption, we mean: E_a(E_b(E_c(data))) where E is a strong algorithm (3DES, Twofish, AES), and the keys (a, b, c) are full strength, properly generated and stored keys for the system.

Let's stipulate that the split keys are as strong as one can imagine.

OK, let's set the stage with some players:

* Alice, a consumer or customer

* Bobco, a giant corporation dealing with Alice, collecting information on her, and all the usual stuff involving corporations dealing online with consumers like Alice.

* Chuck and Debby, the holders of the "split encryption key," aka the "trusted third parties."

(Extending the set to 3 or 4 or N such trusted third parties does not alter the basic discussion. Nor, by the way, does just having a _single_ trusted third party alter the basics of the legal/GAK structure: if the legal or national security system can force two parties to disclose, forcing one is easier, forcing 3 is slightly easier, and so on. But these are "polynomial" issues, so to speak.)

I want to set the stage so I can better understand just how and where this new ZKS system might be useful (to Alice, to Bobco, to governments).

> Given that we're doing this for businesses that are collecting data now, if you consider those parties 'trusted third parties,' then we're increasing the assurance that surrounds them.

This business is what I called Bobco above. Now, suppose Bobco is using the ZKS system. I can see three regimes for any use of a crypto product:

-- storage, at either Alice's or Bobco's site

-- transit, between Alice and Bobco

-- unlinkability: something to do with the linkage of purchase information with identity; how Bobco collects and disseminates information about customers like Alice

The first two are conventional crypto issues, and don't need a new system. Both Alice and Bobco are responsible for securing their own data. Should laws require Bobco to secure Alice's data in some specific way, split key systems are still a poor solution.

As near as I can tell, your concern about "privacy laws" has something to do with the third main use for crypto: unlinkability. Am I right? Before I proceed further, let's see if this is where we're going.

> We consider them 'merchants,' 'shipping companies' and other such businesses who today get data from you. They're not trusted third parties in the Clipper chip sense, but they are parties who store information about you, often in very insecure and unprivate ways, as MCI, CDnow, and others have found out.

This sounds like the unlinkability again. If so, this is a tough, tough nut to crack. If Bobco is shipping products to Alice, Bobco knows her address and what she is buying. Fill in whatever examples one wishes. And if Alice answers a questionnaire about her buying preferences, her income, her age, etc., then Bobco will have this information.

Hard to imagine how adding Charles and Debby to the system as trusted third parties helps things.

Now, if Alice goes through a complicated procedure of dealing with Charles and Debby to only selectively reveal her preferences, or if Charles or Debby act as "third party shipping agents," so that Bobco doesn't know who he shipped a product to, then some unlinkability has been gotten.

Anyway, I could ramble on about whether or not this makes for an interesting and profitable market niche, but it doesn't seem to be the thrust of where ZKS is going with this new product.

Fact is, third party secrets are not interesting IF Bobco can aggregate the secret information AT ANY TIME. Unless some kind of unlinkability or blinding (a la Joan Feigenbaum's work on "computing with encrypted instances") is done, the trusted third parties don't serve much purpose that I can see.

Maybe I'm missing something. How will Alice's privacy be protected from Bobco by having Charles and Debby (or just Charles, or Charles, Debby, Edward, Fred, and Greta, etc.) hold split keys?

Wouldn't a better approach be for Alice to protect her own privacy?

--Tim May

-- 
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
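The layered construction Adam describes, E_a(E_b(E_c(data))) with each key held by a different party, as an added worked example (not code from ZKS, Adam, or Tim). The cipher used for each layer is an assumption: an HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen so the script runs on the Python standard library alone, where the message names 3DES, Twofish or AES. The holders' names and the sample record are constructed. Beyond the formula itself, the example checks what a coalition holding only some of the keys can reach, which is the property both sides of the thread are arguing about: all holders (or anyone who obtains all the keys) recover the data, and a subset holding the outer keys gets only an opaque inner ciphertext.

```python
"""Layered 'split key' encryption, E_a(E_b(E_c(data))).

Each key is held by a different party and every one of them must take part
to decrypt.  The per-layer cipher below is a stand-in (assumption): an
HMAC-SHA256 keystream plus an HMAC tag, used here only so the example runs
with the standard library; the thread itself names 3DES/Twofish/AES.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from the key and a per-message nonce.
    blocks = []
    produced = 0
    counter = 0
    while produced < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # One layer: nonce || ciphertext || tag.  The tag lets a decryptor tell
    # "wrong key" apart from "bytes that merely look like data".
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to be a layer")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def layered_encrypt(keys: list, data: bytes) -> bytes:
    # keys = [a, b, c] yields E_a(E_b(E_c(data))): c is applied first, a last.
    blob = data
    for key in reversed(keys):
        blob = encrypt(key, blob)
    return blob


def layered_decrypt(keys: list, blob: bytes) -> bytes:
    # Peel the layers in the order the keys are listed: a, then b, then c.
    for key in keys:
        blob = decrypt(key, blob)
    return blob


def attempt_recovery(keys_held: list, blob: bytes):
    """What a coalition holding only some of the keys ends up with.

    Returns the bytes they can reach, or None if the first key they try does
    not fit the outermost layer.  Holding the outer keys but not the inner
    one yields an opaque blob (the still-encrypted inner layer), not the data.
    """
    try:
        return layered_decrypt(keys_held, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed demo: one random key per holder from the thread's cast.
    holders = ["Bobco", "Chuck", "Debby"]
    keys = [secrets.token_bytes(32) for _ in holders]
    record = b"Alice, 123 Example St: bought 2 widgets"  # constructed sample
    ct = layered_encrypt(keys, record)
    print("all three keys  :", attempt_recovery(keys, ct))
    print("Bobco+Chuck only:", attempt_recovery(keys[:2], ct) == record)
    print("Chuck+Debby only:", attempt_recovery(keys[1:], ct))
```

Run it directly to see the three outcomes: every holder cooperating (or one party who has collected all the keys) gets the record back, the two outer holders get a blob still under Debby's key, and the two inner holders get nothing because the outer layer's tag fails under the wrong key. The ordering matters: layers must be peeled in the order a, b, c, so holders must also agree on who goes first.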