VincentYu comments on What are you working on? March / April 2014 - Less Wrong

3 Post author: VincentYu 15 March 2014 03:45AM


Comment author: VincentYu 15 March 2014 04:46:30AM * 14 points

Since December, I have been working on a proposed extension to OpenPGP to add support for some sort of designated verifier signature. Most of this work involved doing a literature review and carefully reading the OpenPGP specification to see what cryptographic schemes can be implemented successfully in OpenPGP. I settled on a ring signature scheme by Abe et al. (2004), and recently posted a proposal to the OpenPGP mailing list. Note that this is a proposal for a draft of a proposed standard, so things remain very flexible. This is the best time for anyone to comment on the proposal, before I write up an I-D.

The following is a snippet of the description of ring signatures that I gave in my overview of the proposal:

Ring signatures allow a signer to specify a set of possible signers without revealing who actually signed the message.

The current OpenPGP specification lacks a straightforward way for Alice to send Bob an authenticated message that can only be verified by Bob. Right now, if such a signature is desired, the best that Alice can do is to send Bob a signed-then-encrypted message. Unfortunately, this means that Bob can show others the decrypted signature to prove to others that Alice signed the message. This ability of Bob to transfer Alice's signature to others is often undesirable from Alice's point of view.

Ring signatures provide an easy way for Alice to authenticate a message to Bob without concomitantly giving Bob the ability to transfer her signature. Alice simply creates a ring signature that specifies Alice and Bob as the possible signers of a message. Upon receipt of the message and ring signature, Bob is assured that the message is signed by Alice, but he cannot prove to others that Alice signed the message because Bob could have created the ring signature himself.

I am interested to hear from the perspective of end users. For instance:

  • Is there anything puzzling in my description of ring signatures?
  • Are there any particular features that you desire?

Of course, I would also like to hear from anyone who has the time to go through the details of the proposal. Sections 3 and 4 contain the bulk of the actual cryptographic scheme, and it closely follows Abe et al.'s scheme with only small modifications to better fit OpenPGP. Some resources:

  • Ring signatures are interesting by themselves, and I think some Less Wrong readers might enjoy reading the following papers. The standard reference for ring signatures is Rivest et al. (2006); I would recommend reading this paper first if you plan on reading Abe et al.'s paper, because it contains a very clear exposition of the ideas behind ring signatures. A third paper that I recommend is Bresson et al. (2002); Sections 1–3 are particularly useful.

  • The current OpenPGP specification is given in RFC 4880. I don't recommend reading it unless you have some burning desire to learn more about OpenPGP; it's not particularly illuminating.

In the best case scenario, ring signatures get deployed on GnuPG within a few years and Alice can create a ring-signed message for Bob simply by running:

    gpg2 --clearsign --ring-signature --recipient Bob

(In the not-quite-worst case scenario, I write the I-D, everyone agrees it's crap, and I vow never to touch math again.)

Comment author: Alicorn 15 March 2014 06:01:13AM 2 points

What are the use cases of a ring signature? What does Alice hope to accomplish by arranging for only Bob to be able to verify a thing?

Comment author: VincentYu 15 March 2014 06:26:00AM * 11 points

It's intended for situations where Alice and Bob wish to communicate digitally with some degree of privacy and authenticity. At the moment, using software like GnuPG (which is a free and open source implementation of OpenPGP), Alice can encrypt her messages to Bob to provide privacy, and she can also digitally sign her messages to provide authenticity (i.e., a cryptographic proof that she wrote the message).

Unfortunately, using such a system, Alice might worry that Bob could show others her messages and signatures, thus proving to others that she wrote and signed them. Such worries are not unusual if someone goes to the trouble of encrypting and signing their messages. For instance, if Alice is in a price negotiation with Bob, she might not want Bob to be able to prove to competitors that she offered a certain price.

By using a ring signature instead of a standard signature, Alice can alleviate such worries. When she signs a message using a ring signature, Bob can be sure that Alice signed the message, but it only proves to everyone else that either Alice or Bob signed the message. Thus Bob is unable to prove to others what Alice said to him, because he could have forged the ring signature himself!

Of course, Bob can still tell everyone what Alice said—using ring signatures instead of standard signatures only removes his ability to cryptographically prove to everyone what Alice said. This becomes a "he said she said" situation rather than a "she said this and here's the proof" situation. From Alice's point of view, the first situation is better than the second, so she would prefer to use ring signatures.

More generally, I hope for ring signatures to become easy enough to use that a typical user can use them for normal emails. Right now, it is not advisable for the average user to sign their emails simply because it is often a bad idea to give recipients the ability to prove to others what they said.
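The two-member ring described in the comments above, as an added example that is not part of the original thread and is not the proposal's scheme or packet format: a simplified Schnorr-style ring signature over discrete-log keys, showing that a signature made by Alice and one made by Bob both verify against the ring {Alice, Bob} with the same check. The group (RFC 2409 Oakley Group 1, far too small for real use), SHA-256 as the hash, and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

# Demo group: 768-bit safe prime from RFC 2409 (Oakley Group 1); too small for real use.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2  # G generates the subgroup of prime order Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)  # (secret, public)

def challenge(ring, msg, commit):
    # Hash the whole ring, the commitment and the message into Z_Q.
    data = b"".join(v.to_bytes(96, "big") for v in (*ring, commit)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def ring_sign(msg, ring, k, x):
    """Sign msg as ring[k] using secret key x; ring is the list of public keys."""
    n = len(ring)
    e, s = [0] * n, [0] * n
    alpha = secrets.randbelow(Q - 1) + 1
    i = (k + 1) % n
    e[i] = challenge(ring, msg, pow(G, alpha, P))
    while i != k:  # simulate the other members with random responses
        s[i] = secrets.randbelow(Q)
        commit = pow(G, s[i], P) * pow(ring[i], e[i], P) % P
        i = (i + 1) % n
        e[i] = challenge(ring, msg, commit)
    s[k] = (alpha - x * e[k]) % Q  # only a real secret key can close the ring
    return e[0], s

def ring_verify(msg, ring, sig):
    e0, s = sig
    if len(s) != len(ring):
        return False
    e = e0
    for y, s_i in zip(ring, s):  # walk the ring once; it must close on e0
        e = challenge(ring, msg, pow(G, s_i, P) * pow(y, e, P) % P)
    return e == e0

def demo():
    (a_sec, a_pub), (b_sec, b_pub) = keygen(), keygen()
    ring, msg = [a_pub, b_pub], b"I can offer 40 per unit"  # constructed message
    by_alice = ring_sign(msg, ring, 0, a_sec)  # what Alice sends Bob
    by_bob = ring_sign(msg, ring, 1, b_sec)    # what Bob could produce himself
    return (ring_verify(msg, ring, by_alice), ring_verify(msg, ring, by_bob),
            ring_verify(b"I can offer 35 per unit", ring, by_alice))
```

`demo()` returns `(True, True, False)`: both signatures pass the identical verification, and a signature does not carry over to a different message. Nothing in `ring_verify` depends on the signer's index, which is why a third party shown the signature cannot tell which of the two ring members produced it.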

Comment author: gwern 15 March 2014 04:56:41PM 5 points

Unfortunately, using such a system, Alice might worry that Bob could show others her messages and signatures, thus proving to others that she wrote and signed them. Such worries are not unusual if someone goes to the trouble of encrypting and signing their messages.

Incidentally, this has actually been a practical concern on the black-markets: there have been occasional attempts to break pseudonyms by sending them messages encrypted to other pseudonyms' keys, and the initial proof that Dread Pirate Roberts 2 was StExo came from DPR2 accidentally releasing a message signed by StExo's key.