On Wed, 7 Dec 2011, Jon Callas wrote:
> Nonrepudiation is a somewhat daft belief. Let me give a
> gedankenexperiment. Suppose Alice phones up Bob and says, "Hey, Bob, I
> just noticed that you have a digital signature from me. Well, ummm, I
> didn't do it. I have no idea how that could have happened, but it wasn't
> me." Nonrepudiation is the belief that the probability that Alice is
> telling the truth is less than 2^{-128}, assuming a 3K RSA key or
> 256-bit ECDSA key either with SHA-256. Moreover, if that signature was
> made with an ECDSA-521 bit key and SHA-512, then the probability she's
> telling the truth goes down to 2^{-256}.
>
> I don't know about you, but I think that the chance that Alice was
> hacked is greater than 1 in 2^128. In fact, I'm willing to believe that
> the probability that somehow space aliens, or Alice has an unknown evil
> twin, or some mad scientist has invented a cloning ray is greater than
> one in 2^128. Ironically, as the key size goes up, then Alice gets even
> better excuses. If we used a 1k-bit ECDSA key and a 1024-bit hash, then
> new reasonable excuses for Alice suggest themselves, like that perhaps
> she *considered* signing but didn't in this universe, but in a nearby
> universe (under the many-worlds interpretation of quantum mechanics,
> which all the cool kids believe in this week) she did, and that
> signature from a nearby universe somehow leaked over.
This is silly - it assumes that there are only two interpretations of her
statement:
- a true "collision" (something arbitrary computes to her digital
signature, which she did not actually invoke) which is indeed as
astronomically unlikely as you propose.
- another unlikely event whose probability happens to be higher than the
"collision".
But of course there is a much simpler, far more likely explanation, and
that is that she is lying.
However ... this did get me to thinking ...
Can't this problem be solved by forcing Alice to tie her signing key to
some other function(s)[1] that she would have a vested interest in
protecting AND an attacker would have a vested interest in exploiting?
I'm thinking along the lines of:
"I know Alice didn't get hacked because I see her bank account didn't get
emptied, or I see that her ecommerce site did not disappear".
"I know Alice didn't get hacked because the bitcoin wallet that we
protected with her signing key still has X bitcoins in it, where X is the
value I perceived our comms/transactions to be worth."
Or whatever.
[1] I have no implementation details for this. Especially the part about
how Bob can determine that this tie has been made, and that the tie has
sufficient value to assure him, etc.
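As an added illustration of the two arguments above (this is not code from the thread or from either poster), the following Python sketch puts the competing explanations for "valid signature, but Alice denies signing" side by side and then models the proposed "tie the key to something the attacker would want" idea as a Bayesian update on the key-compromise hypothesis. All prior probabilities other than the 2^-128 and 2^-256 forgery figures quoted from the thread are constructed numbers chosen only to make the comparison visible; the canary likelihoods are likewise assumptions, not measurements.

```python
from fractions import Fraction

# Forgery probabilities as stated in the thread (exact rationals so that the
# astronomically small terms are not lost to floating-point rounding).
FORGE_RSA3K_SHA256 = Fraction(1, 2**128)
FORGE_ECDSA521_SHA512 = Fraction(1, 2**256)

# Constructed priors for the other two explanations. They are illustrative
# placeholders, not estimates from the thread.
P_KEY_COMPROMISE = Fraction(1, 1000)   # Alice's signing key was stolen/used by someone else
P_ALICE_LYING = Fraction(1, 100)       # Alice signed and is now repudiating


def posterior(p_forge, p_compromise, p_lying):
    """Normalise the three competing explanations of 'valid signature + denial'
    into posterior probabilities. Each argument is the prior weight that the
    corresponding explanation produced the observation; the result is a dict
    of Fractions that sums to exactly 1."""
    total = p_forge + p_compromise + p_lying
    return {
        "forgery": p_forge / total,
        "compromise": p_compromise / total,
        "lying": p_lying / total,
    }


def key_size_effect(p_compromise, p_lying):
    """How much does moving from the 3K RSA figure to the ECDSA-521 figure
    change the posterior weight of 'Alice is lying'? Returns the absolute
    difference; the thread's point is that this is negligible."""
    small = posterior(FORGE_RSA3K_SHA256, p_compromise, p_lying)["lying"]
    large = posterior(FORGE_ECDSA521_SHA512, p_compromise, p_lying)["lying"]
    return abs(small - large)


def canary_update(p_compromise, p_intact_given_compromise, p_intact_given_clean):
    """Bayesian update of the key-compromise probability after Bob observes
    that an asset tied to the same key (the reply's 'canary': a bank balance,
    a wallet, a live e-commerce site) is still intact. The two likelihoods are
    assumptions: how likely an attacker holding the key leaves the canary
    alone, and how likely the canary is intact when the key is uncompromised."""
    num = p_compromise * p_intact_given_compromise
    den = num + (1 - p_compromise) * p_intact_given_clean
    return num / den


if __name__ == "__main__":
    post = posterior(FORGE_RSA3K_SHA256, P_KEY_COMPROMISE, P_ALICE_LYING)
    for name, p in post.items():
        print(f"{name:>10}: {float(p):.3e}")
    print("key-size effect on P(lying):", float(key_size_effect(P_KEY_COMPROMISE, P_ALICE_LYING)))
    # Constructed canary likelihoods: an attacker with the key drains the
    # account 9 times out of 10; an honest Alice's account is always intact.
    print("P(compromise | canary intact):",
          canary_update(P_KEY_COMPROMISE, Fraction(1, 10), Fraction(1, 1)))
```

With the constructed priors the "lying" explanation carries roughly 91% of the posterior and "compromise" roughly 9%, while the forgery term is below 2^-120 regardless of which key size is used; the canary observation then cuts the compromise hypothesis by about an order of magnitude without touching the cryptography at all. The footnote's open problem remains exactly that: the update is only as good as Bob's ability to confirm that the tie exists and to estimate the two canary likelihoods.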
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography