Crypto Idea; Multi-Part Sigs
I've been thinking of an idea I've heard kicking around the list somewhat; that of digital pseudonyms and groups of people going by one name; likewise single people going by names that sound like groups.

Let's say that three people decide to create a digital identity for themselves, maybe they plan on dealing with Blacknet as a group. So one of the first things they might do after getting together might be to create a pgp keypair with the name of the group on it. But who gets to hold the secret key? Remember they wish to be thought of and treated like a single entity. However they all need to be able to decrypt documents addressed to them, and none of them should be able to sign a document without the consent of the others.

Is it possible to produce a set of keys (for example, 3 private 1 public) such that
- all three private keys are needed to sign a message from that I.D. and
- any of the private keys can decrypt anything encrypted with the single pubkey.

The way I see it, three (or more) people could have a joint keyID, and if they wanted to post a message from that ID, the first person would write the message and sign it with his/her segment of the key. She/he would then encrypt with the second member's pubkey and anonymously remail it to #2, who would sign with the second key segment, re-encrypt with #3's pubkey, and send it on to #3, who would sign with the final key segment and anonymously post to the 'Pool'. If a response were posted, all three could read it without depending on the others.

Is this possible? In whole or in part? I don't know the math well enough to figure it out myself, sorry if this is an obvious one.

Happy Hunting,
-Chris <cdodhner@indirect.com>
______________________________________________________________________________
Christian Douglas Odhner      | "The NSA can have my secret key when they pry
cdodhner@indirect.com         | it from my cold, dead, hands... But they shall
pgp 2.3 public key by finger  | NEVER have the password it's encrypted with!"
"If guns are outlawed, only the government will have guns." -E. Abbey
My opinions are shareware. For a registered copy, send me 15$ in DigiCash.
Key fingerprint = 58 62 A2 84 FD 4F 56 38 82 69 6F 08 E4 F1 79 11
------------------------------------------------------------------------------
nobody@alumni.cco.caltech.edu wrote:

> Is it possible to produce a set of keys (for example, 3 private 1 public) such that
> - all three private keys are needed to sign a message from that I.D. and
> - any of the private keys can decrypt anything encrypted with the single pubkey.

An excellent paper (author and title have slipped my mind - the paper describes key-and, key-or, and other operations) describes how to do something related to part 2 of the above.

In that scheme, you would have the three key pairs for the individuals, Pa, Sa, Pb, Sb, Pc, Sc, and the "joint" keypair Pj, Sj. A message encrypted with Pj can only be unlocked with Sj, which in turn is encrypted with Pa, Pb, Pc. Thus, the final message looks like

    E(M, Pj); E(Sj, Pa); E(Sj, Pb); E(Sj, Pc)

where the four parts are passed around as one, and E(a,b) means a encrypted with b. Thus, each of the individuals, knowing their own private keys, can extract Sj, and then the message M.

Offhand, I'm not sure if the paper describes joint signings in this manner.

--
Karl L. Barrus: klbarrus@owlnet.rice.edu
keyID: 5AD633  hash: D1 59 9D 48 72 E9 19 D5 3D F3 93 7E 81 B5 CC 32
"One man's mnemonic is another man's cryptography"
- my compilers prof discussing file naming in public directories
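Both halves of the thread can be worked through in code. The following is an example added here; it is not code from either poster or from the paper Karl refers to. Part 1 implements Karl's key-or bundle, E(M, Pj); E(Sj, Pa); E(Sj, Pb); E(Sj, Pc), with ElGamal encryption: the joint private key Sj is wrapped once for each member at setup, a sender who knows only Pj encrypts M, and any one member unwraps Sj with their own key and then reads M. Part 2 takes up the signing half of Chris's question, which Karl leaves open, using an aggregated Schnorr signature: the joint verification key is the product of the three member keys, and a signature verifies only if every member contributed a share. The group parameters are the 1024-bit MODP prime of RFC 2409 (Oakley group 2) with generator 2; every function name, the sample messages, and the three-member setup are this example's own assumptions.

```python
"""Joint-identity keys for a three-member group (added example, not the
thread's own code).  Part 1: Karl's E(M,Pj); E(Sj,Pa); E(Sj,Pb); E(Sj,Pc)
bundle with ElGamal, so any one member can decrypt.  Part 2: aggregated
Schnorr signatures, so all members are needed to sign.  Group: the 1024-bit
MODP prime of RFC 2409 (Oakley group 2), generator 2.  Pure-Python integer
arithmetic for exposition; not a production library."""
import hashlib
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # P is a safe prime; G generates the subgroup of order Q
G = 2

def keygen():
    """Return (private exponent x, public element g^x mod P)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _product(elements):
    acc = 1
    for e in elements:
        acc = acc * e % P
    return acc

# ---- Part 1: ElGamal and the key-or bundle ----
def encrypt(m, pub):
    """ElGamal-encrypt the integer m (0 < m < P) to public element pub."""
    assert 0 < m < P
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (m * pow(pub, k, P)) % P

def decrypt(ct, priv):
    c1, c2 = ct
    return (c2 * pow(c1, -priv, P)) % P   # negative exponent = modular inverse

def setup_joint_identity(member_pubs):
    """Create (Sj, Pj); publish Pj and Sj wrapped for each member.
    Sj is not kept anywhere in clear once the wrapped copies exist."""
    sj, pj = keygen()
    return pj, [encrypt(sj, pub) for pub in member_pubs]

def encrypt_to_identity(message: bytes, pj):
    """A sender who knows only Pj produces E(M,Pj).  Toy encoding: message
    shorter than 128 bytes and not starting with a zero byte."""
    return encrypt(int.from_bytes(message, "big"), pj)

def member_decrypt(bundle, wrapped, idx, member_priv):
    """Member idx recovers Sj from E(Sj,P_idx) with their own key, then M."""
    sj = decrypt(wrapped[idx], member_priv)
    m = decrypt(bundle, sj)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# ---- Part 2: aggregated Schnorr signature needing every member ----
def joint_verify_key(member_pubs):
    """Pj for signing is the product of the members' public elements."""
    return _product(member_pubs)

def _challenge(r, y, msg: bytes):
    h = hashlib.sha256(r.to_bytes(128, "big") + y.to_bytes(128, "big") + msg)
    return int.from_bytes(h.digest(), "big") % Q

def sign_round1():
    """Pass 1 around the chain: each member picks nonce k, announces R_i."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def sign_round2(k, priv, r_joint, y_joint, msg: bytes):
    """Pass 2: with the joint R known, each member returns its share s_i."""
    e = _challenge(r_joint, y_joint, msg)
    return (k + e * priv) % Q

def verify(y_joint, msg: bytes, sig):
    r, s = sig
    e = _challenge(r, y_joint, msg)
    return pow(G, s, P) == r * pow(y_joint, e, P) % P

def group_sign(msg: bytes, privs, pubs):
    """Run both passes for the given members; returns (R, s)."""
    y = joint_verify_key(pubs)
    nonces = [sign_round1() for _ in privs]
    r = _product(ri for _, ri in nonces)
    shares = [sign_round2(k, x, r, y, msg) for (k, _), x in zip(nonces, privs)]
    return r, sum(shares) % Q

if __name__ == "__main__":
    privs, pubs = zip(*[keygen() for _ in range(3)])
    pj, wrapped = setup_joint_identity(pubs)
    bundle = encrypt_to_identity(b"reply posted to the pool", pj)
    print([member_decrypt(bundle, wrapped, i, privs[i]) for i in range(3)])
    sig = group_sign(b"statement from the joint identity", privs, pubs)
    print(verify(joint_verify_key(pubs), b"statement from the joint identity", sig))
```

Two points about the design. First, the signing side needs two trips around Chris's remailer chain rather than one: the nonces R_i must all be fixed before the challenge e is computed, so members first exchange R_i and only then produce their shares s_i; a signature built from two of the three shares fails verification against the joint key. Second, aggregating keys by plain multiplication is only sound if each member fixes their key before seeing the others' (a member who chooses a key after the fact could cancel the others out); modern multi-signature schemes such as MuSig2 add key-commitment and nonce-commitment steps for exactly this reason. For the encryption side, a deployed system would wrap a symmetric key to each member rather than encrypting Sj as a raw integer, which is what PGP's multiple-recipient packets do.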