Since December, I have been working on a proposed extension to OpenPGP to add support for some sort of designated verifier signature. Most of this work involved doing a literature review and carefully reading the OpenPGP specification to see what cryptographic schemes can be implemented successfully in OpenPGP. I settled on a ring signature scheme by Abe et al. (2004), and recently posted a proposal to the OpenPGP mailing list. Note that this is a proposal for a draft of a proposed standard, so things remain very flexible. This is the best time for anyone to comment on the proposal, before I write up an I-D.
The following is a snippet of the description of ring signatures that I gave in my overview of the proposal:
Ring signatures allow a signer to specify a set of possible signers without revealing who actually signed the message.
The current OpenPGP specification lacks a straightforward way for Alice to send Bob an authenticated message that can only be verified by Bob. Right now, if such a signature is desired, the best that Alice can do is to send Bob a signed-then-encrypted message. Unfortunately, this means that Bob can show others the decrypted signature to prove to others that Alice signed the message. This ability of Bob to transfer Alice's signature to others is often undesirable from Alice's point of view.
Ring signatures provide an easy way for Alice to authenticate a message to Bob without concomitantly giving Bob the ability to transfer her signature. Alice simply creates a ring signature that specifies Alice and Bob as the possible signers of a message. Upon receipt of the message and ring signature, Bob is assured that the message is signed by Alice, but he cannot prove to others that Alice signed the message because Bob could have created the ring signature himself.
I am interested to hear from the perspective of end users. For instance:
Of course, I would also like to hear from anyone who has the time to go through the details of the proposal. Sections 3 and 4 contain the bulk of the actual cryptographic scheme, and it closely follows Abe et al.'s scheme with only small modifications to better fit OpenPGP. Some resources:
Ring signatures are interesting by themselves, and I think some Less Wrong readers might enjoy reading the following papers. The standard reference for ring signatures is Rivest et al. (2006); I would recommend reading this paper first if you plan on reading Abe et al.'s paper, because it contains a very clear exposition of the ideas behind ring signatures. A third paper that I recommend is Bresson et al. (2002); Sections 1–3 are particularly useful.
The current OpenPGP specification is given in RFC 4880. I don't recommend reading it unless you have some burning desire to learn more about OpenPGP; it's not particularly illuminating.
In the best case scenario, ring signatures get deployed on GnuPG within a few years and Alice can create a ring-signed message for Bob simply by running: gpg2 --clearsign --ring-signature --recipient Bob
(In the not-quite-worst case scenario, I write the I-D, everyone agrees it's crap, and I vow never to touch math again.)
What are the use cases of a ring signature? What does Alice hope to accomplish by arranging for only Bob to be able to verify a thing?
This is the supposedly-bimonthly-but-we-keep-skipping 'What are you working On?' thread. Previous threads are here. So here's the question:
What are you working on?
Here are some guidelines: