Re: [cryptography] How are expired code-signing certs revoked? (nonrepudiation)
Stefan Brands credentials [1] have an anti-lending feature where you have to know all of the private components in order to make a signature with it.

My proposal related to what you said was to put a high value ecash coin as one of the private components. Now they have a direct financial incentive - if they get hacked and their private keys stolen they lose $1m untraceably. Now that's quite reassuring - and encapsulates a smart contract where they get an automatic fine, or good behavior bond.

I think you could put a bitcoin in there instead of a high value Brands based ecash coin. Then you could even tell that it wasn't collected by looking in the spend list.

Adam

[1] http://www.cypherspace.org/credlib/ a library implementing Brands credentials - it has pointers to the uprove spec, Brands thesis in pdf form etc.

On Thu, Dec 22, 2011 at 07:17:21AM +0000, John Case wrote:
On Wed, 7 Dec 2011, Jon Callas wrote:
Nonrepudiation is a somewhat daft belief. Let me give a gedankenexperiment. Suppose Alice phones up Bob and says, "Hey, Bob, I just noticed that you have a digital signature from me. Well, ummm, I didn't do it. I have no idea how that could have happened, but it wasn't me." Nonrepudiation is the belief that the probability that Alice is telling the truth is less than 2^{-128}, assuming a 3K RSA key or 256-bit ECDSA key either with SHA-256. Moreover, if that signature was made with an ECDSA-521 bit key and SHA-512, then the probability she's telling the truth goes down to 2^{-256}.
I don't know about you, but I think that the chance that Alice was hacked is greater than 1 in 2^128. In fact, I'm willing to believe that the probability that somehow space aliens, or Alice has an unknown evil twin, or some mad scientist has invented a cloning ray is greater than one in 2^128. Ironically, as the key size goes up, then Alice gets even better excuses. If we used a 1k-bit ECDSA key and a 1024-bit hash, then new reasonable excuses for Alice suggest themselves, like that perhaps she *considered* signing but didn't in this universe, but in a nearby universe (under the many-worlds interpretation of quantum mechanics, which all the cool kids believe in this week) she did, and that signature from a nearby universe somehow leaked over.
This is silly - it assumes that there are only two interpretations of her statement:
- a true "collision" (something arbitrary computes to her digital signature, which she did not actually invoke) which is indeed as astronomically unlikely as you propose.
- another unlikely event whose probability happens to be higher than the "collision".
But of course there is a much simpler, far more likely explanation, and that is that she is lying.
However ... this did get me to thinking ...
Can't this problem be solved by forcing Alice to tie her signing key to some other function(s)[1] that she would have a vested interest in protecting AND an attacker would have a vested interest in exploiting ?
I'm thinking along the lines of:
"I know Alice didn't get hacked because I see her bank account didn't get emptied, or I see that her ecommerce site did not disappear".
"I know Alice didn't get hacked because the bitcoin wallet that we protected with her signing key still has X bitcoins in it, where X is the value I perceived our comms/transactions to be worth."
Or whatever.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
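Added example, not part of the original thread and not credlib or U-Prove code: a toy Okamoto-style signature over a two-base representation, showing why a signer must hold every private component (here an identity secret and a coin secret) and how a relying party could combine that with a spend-list check. The 11-bit group, the sample secrets, and all function names are constructed for illustration; how the coin key is bound to the credential is assumed, not shown.

```python
# Added illustration: toy signature proving knowledge of a full representation.
# The tiny group is for readability only and offers no security.
import hashlib
import secrets

P, Q = 2039, 1019          # toy safe prime P = 2*Q + 1 (constructed, insecure size)
G1, G2 = 4, 9              # two generators of the order-Q subgroup (squares mod P)

def challenge(commit: int, msg: bytes) -> int:
    """Fiat-Shamir challenge in [1, Q-1]; never 0, so a wrong secret always shows."""
    digest = hashlib.sha256(commit.to_bytes(2, "big") + msg).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def public_key(x_id: int, x_coin: int) -> int:
    """h = G1^x_id * G2^x_coin: identity secret and coin secret bound in one key."""
    return pow(G1, x_id, P) * pow(G2, x_coin, P) % P

def sign(x_id: int, x_coin: int, msg: bytes):
    """Each response uses one exponent; both are needed to satisfy verify()."""
    w1, w2 = secrets.randbelow(Q), secrets.randbelow(Q)
    commit = pow(G1, w1, P) * pow(G2, w2, P) % P
    c = challenge(commit, msg)
    return commit, (w1 + c * x_id) % Q, (w2 + c * x_coin) % Q

def verify(h: int, msg: bytes, sig) -> bool:
    """Check G1^r1 * G2^r2 == commit * h^c, which holds only for a full representation."""
    commit, r1, r2 = sig
    c = challenge(commit, msg)
    return pow(G1, r1, P) * pow(G2, r2, P) % P == commit * pow(h, c, P) % P

def accept(h: int, coin_pub: int, spend_list: set, msg: bytes, sig) -> bool:
    """Relying-party policy from the thread: valid signature AND bond still unspent.
    Assumes the verifier already knows which coin key belongs to this credential."""
    return verify(h, msg, sig) and coin_pub not in spend_list

X_ID, X_COIN = 321, 654            # constructed sample secrets
H = public_key(X_ID, X_COIN)
COIN_PUB = pow(G2, X_COIN, P)      # hypothetical coin spending key derived from X_COIN
```

Because the second response depends on the coin secret, anyone able to produce an accepted signature also holds what is needed to spend the coin, which is the incentive the proposal relies on.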