Stefan Brands credentials [1] have an anti-lending feature where you have to
know all of the private components in order to make a signature with it.
My proposal related to what you said was to put a high value ecash coin as
one of the private components. Now they have a direct financial incentive -
if they get hacked and their private keys stolen they lose $1m untraceably.
Now thats quite reassuring - and encapsulates a smart contract where they
get an automatic fine, or good behavior bond. I think you could put a
bitcoin in there instead of a high value Brands based ecash coin. Then you
could even tell that it wasnt collected by looking in the spend list.
Adam
[1] http://www.cypherspace.org/credlib/ a library implementing Brands
credentials - it has pointers to the uprove spec, Brands thesis in pdf form
etc.
On Thu, Dec 22, 2011 at 07:17:21AM +0000, John Case wrote:
On Wed, 7 Dec 2011, Jon Callas wrote:
Nonrepudiation is a somewhat daft belief. Let me give a
gedankenexperiment. Suppose Alice phones up Bob and says, "Hey,
Bob, I just noticed that you have a digital nature from me. Well,
ummm, I didn't do it. I have no idea how that could have happened,
but it wasn't me." Nonrepudiation is the belief that the
probability that Alice is telling the truth is less than 2^{-128},
assuming a 3K RSA key or 256-bit ECDSA key either with SHA-256.
Moreover, if that signature was made with an ECDSA-521 bit key and
SHA-512, then the probability she's telling the truth goes down to
2^{-256}.
I don't know about you, but I think that the chance that Alice was
hacked is greater than 1 in 2^128. In fact, I'm willing to believe
that the probability that somehow space aliens, or Alice has an
unknown evil twin, or some mad scientist has invented a cloning ray
is greater than one in 2^128. Ironically, as the key size goes up,
then Alice gets even better excuses. If we used a 1k-bit ECDSA key
and a 1024-bit hash, then new reasonable excuses for Alice suggest
themselves, like that perhaps she *considered* signing but didn't
in this universe, but in a nearby universe (under the many-worlds
interpretation of quantum mechanics, which all the cool kids
believe in this week) she did, and that signature from a nearby
universe somehow leaked over.
This is silly - it assumes that there are only two intepretations of
her statement:
- a true "collision" (something arbitrary computes to her digital
signature, which she did not actually invoke) which is indeed as
astronomically unlikely as you propose.
- another unlikely event whose probability happens to be higher than
the "collision".
But of course there is a much simpler, far more likely explanation,
and that is that she is lying.
However ... this did get me to thinking ...
Can't this problem be solved by forcing Alice to tie her signing key
to some other function(s)[1] that she would have a vested interest in
protecting AND an attacker would have a vested interest in exploiting
?
I'm thinking along the lines of:
"I know Alice didn't get hacked because I see her bank account didn't
get emptied, or I see that her ecommerce site did not disappear".
"I know Alice didn't get hacked because the bitcoin wallet that we
protected with her signing key still has X bitcoins in it, where X is
the value I perceived our comms/transactions to be worth."
Or whatever.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
