Re: Members of Parliament Problem
At 9:32 AM 11/15/1996, Adam Shostack wrote:
To answer the technical end of your question, you could build a DC net where joining required a signed key, or build a mix which will only accept messages signed by a member of the group. If the mixmasters all agree to only accept messages signed by the group, then each mixmaster can be made a member of the group, and sign its outbound messages as being recieved with a signature, allowing anonymous chaining.
I'll have to research this. Thank you for the idea. What I would really like to see is a way in which the "shields" are not required to participate at all, other than by publishing their public key. If terrorists are involved, they may not wish to be on the suspect list. I've been toying with schemes that multiply the Ns from everybody's public key to create a new semi-anonymous public key. The only problem is that in each case either identity is revealed or the person seeking semi-anonymously reveals their secret key. So, I am not quite there. ;-) Peter Hendrickson ph@netcom.com
On Fri, 15 Nov 1996, Peter Hendrickson wrote:
At 9:32 AM 11/15/1996, Adam Shostack wrote: I've been toying with schemes that multiply the Ns from everybody's public key to create a new semi-anonymous public key. The only problem is that in each case either identity is revealed or the person seeking semi-anonymously reveals their secret key. So, I am not quite there. ;-)
I think that Chaum wrote some papers on group signatures. I'll try to dig them out. But it probably won't be before Sunday. --Lucky
I wrote:
[...] There are also systems in which group or subset of a group is necessary to sign the message, the original work was by Yves Desmet in his paper "Social Cryptography" in Crypto 88 or 89 I think.
Correction: That should have been "Society and Group Oriented Cryptography: A new approach" by Yves Desmedt in Crypto '87 [It was sitting next to my desk and I was too lazy to reach over and check...sigh.] This particular paper deals with groups recieving messages and requiring a subset to decrypt, a later paper by Desmedt (or maybe Desmedt and Yao) deals with the signature system I described. jim
Lucky writes:
At 9:32 AM 11/15/1996, Adam Shostack wrote: I've been toying with schemes that multiply the Ns from everybody's public key to create a new semi-anonymous public key. The only problem is that in each case either identity is revealed or the person seeking semi-anonymously reveals their secret key. So, I am not quite there. ;-)
I think that Chaum wrote some papers on group signatures. I'll try to dig them out. But it probably won't be before Sunday.
There are several types of "group signature" schemes out there. The one which Chaum wrote about was signatures which require a group to perform verification of the signature in relation to his undeniable signature system (Lidong Chen advanced this a bit further to make the scheme more general.) There are also systems in which group or subset of a group is necessary to sign the message, the original work was by Yves Desmet in his paper "Social Cryptography" in Crypto 88 or 89 I think. There have been various advancements on these systems, with different threshold schemes applied, the ability to have "super-votes" among the shares or veto schemes, mechanisms using distributed computation to securely perform the signing or encryption, as well other bells and whistles. At one point I was thinking about such systems in the context of the DNSSEC work as a means for creating a pseudonymous top-level domain with the same mechanisms for adjudication and dispute resolution as the current system through group signatures but had to set it aside to work on something a bit more practical. If anyone is really interested I could probably put together a fairly comprehensive listing of the literature in this particular area... jim
Jim McCoy wrote: | Lucky writes: For the record, this was Peter Hendrickson, not me. | >> At 9:32 AM 11/15/1996, Adam Shostack wrote: | >> I've been toying with schemes that multiply the Ns from everybody's | >> public key to create a new semi-anonymous public key. The only | >> problem is that in each case either identity is revealed or the | >> person seeking semi-anonymously reveals their secret key. So, | >> I am not quite there. ;-) | > | >I think that Chaum wrote some papers on group signatures. I'll try to dig | >them out. But it probably won't be before Sunday. -- "It is seldom that liberty of any kind is lost all at once." -Hume
participants (4)
-
Adam Shostack -
Jim McCoy -
Lucky Green -
ph@netcom.com