[cryptography] How are expired code-signing certs revoked? (nonrepudiation)

Adam Back adam at cypherspace.org
Thu Dec 22 00:40:37 PST 2011

Stefan Brands credentials [1] have an anti-lending feature where you have to
know all of the private components in order to make a signature with it.

My proposal related to what you said was to put a high value ecash coin as
one of the private components.  Now they have a direct financial incentive -
if they get hacked and their private keys stolen they lose $1m untraceably.

Now thats quite reassuring - and encapsulates a smart contract where they
get an automatic fine, or good behavior bond.  I think you could put a
bitcoin in there instead of a high value Brands based ecash coin.  Then you
could even tell that it wasnt collected by looking in the spend list.


[1] http://www.cypherspace.org/credlib/ a library implementing Brands
credentials - it has pointers to the uprove spec, Brands thesis in pdf form

On Thu, Dec 22, 2011 at 07:17:21AM +0000, John Case wrote:
> On Wed, 7 Dec 2011, Jon Callas wrote:
>> Nonrepudiation is a somewhat daft belief. Let me give a  
>> gedankenexperiment. Suppose Alice phones up Bob and says, "Hey, Bob, I 
>> just noticed that you have a digital nature from me. Well, ummm, I 
>> didn't do it. I have no idea how that could have happened, but it 
>> wasn't me." Nonrepudiation is the belief that the probability that 
>> Alice is telling the truth is less than 2^{-128}, assuming a 3K RSA 
>> key or 256-bit ECDSA key either with SHA-256. Moreover, if that 
>> signature was made with an ECDSA-521 bit key and SHA-512, then the 
>> probability she's telling the truth goes down to 2^{-256}.
>> I don't know about you, but I think that the chance that Alice was  
>> hacked is greater than 1 in 2^128. In fact, I'm willing to believe  
>> that the probability that somehow space aliens, or Alice has an  
>> unknown evil twin, or some mad scientist has invented a cloning ray  
>> is greater than one in 2^128. Ironically, as the key size goes up,  
>> then Alice gets even better excuses. If we used a 1k-bit ECDSA key  
>> and a 1024-bit hash, then new reasonable excuses for Alice suggest  
>> themselves, like that perhaps she *considered* signing but didn't in 
>> this universe, but in a nearby universe (under the many-worlds  
>> interpretation of quantum mechanics, which all the cool kids believe 
>> in this week) she did, and that signature from a nearby universe 
>> somehow leaked over.
> This is silly - it assumes that there are only two intepretations of  
> her statement:
> - a true "collision" (something arbitrary computes to her digital  
> signature, which she did not actually invoke) which is indeed as  
> astronomically unlikely as you propose.
> - another unlikely event whose probability happens to be higher than  
> the "collision".
> But of course there is a much simpler, far more likely explanation, and 
> that is that she is lying.
> However ... this did get me to thinking ...
> Can't this problem be solved by forcing Alice to tie her signing key to 
> some other function(s)[1] that she would have a vested interest in  
> protecting AND an attacker would have a vested interest in exploiting ?
> I'm thinking along the lines of:
> "I know Alice didn't get hacked because I see her bank account didn't  
> get emptied, or I see that her ecommerce site did not disappear".
> "I know Alice didn't get hacked because the bitcoin wallet that we  
> protected with her signing key still has X bitcoins in it, where X is  
> the value I perceived our comms/transactions to be worth."
> Or whatever.
cryptography mailing list
cryptography at randombit.net

----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list