Re: A piece of advice??

2000-12-10 Thread dmolnar



On Sun, 10 Dec 2000, FRANKY wrote:

> to cryptography". However I would like to know where could I find more
> books related to cryptography.

amazon.com is one place. see also 
http://www.cacr.math.uwaterloo.ca/hac/

for an online copy of the Handbook of Applied Cryptography.

> secure one system I would like to kindly ask for guidance. How do we apply
> an algorithm to a whole system? I know how to encode a message , but a
> system?

I'm not sure what you mean by "a whole system." Do you mean something like
"how do I take a string of letters and represent it as a number so I can
encrypt it?" Then you want to look at ASCII or Unicode and random padding
like Optimal Asymmetric Encryption Padding (OAEP). 

I'm not sure what else you mean.

-David




Re: Re: Re: Gort in granny-shades (was Re: Al Gore goes cypherpunk?)

2000-10-25 Thread dmolnar



On Tue, 24 Oct 2000, petro wrote:

 
> If this world *were* a computer generated construct, it would 
> explain a few things.

This is why the Gnostics had such a good run of it in the first century,
right? At least until they were wiped out...

-David




Re: StoN, Diffie-Hellman, other junk..

2000-09-07 Thread dmolnar



On Thu, 7 Sep 2000, Asymmetric wrote:

> > Mihailescu's methods for prime generation. (Mihailescu has a paper on
> > the subject aimed at implementors at
> > http://www.inf.ethz.ch/~mihailes/papers/primgen.ps )
> 
> Ah.. I have implemented a sieve of eros..whatever his name is.. ;)  for 

Eratosthenes, I think. 
I don't know what a sieve of eros is. I think I'd like to try one
sometime. :

> finding smaller primes.. it runs very fast, the old rules don't apply so 
> much anymore, memory footprint being more a concern than speed I've noticed 
> so far.. moving the found primes into a sparse array as you find them and 
> then reusing the memory is one way around that.. even my quickly written 
> implementation takes negligible time to find all the primes within 16 
> bits.. 

Right - I think you may find that this slows down a bit at the 500-bit
range. Still, there are supposed to be ways to use sieving in conjunction
with random search to speed up prime generation. 

> but I've been looking at rabin-miller and some other methods as 
> well.  I'll take a look at that link, thanks.. reason again for the math 
> library.. my stuff (obviously) falls apart > 32 bits since my library for 
> handling larger numbers is unfinished.

Once you have the primitives, Rabin-Miller is straightforward to
implement from the Handbook of Applied Cryptography. I was surprised at how
easy it was...

Another nice trick -- compute the product of the first 1000 primes or so.
Take the GCD of this product and a candidate number. Eliminates candidates
with small prime factors and often faster than trial division.  

> (for reasons that should be obvious) felt that writing the routines myself 
> (with extensive testing) would be preferable, so I could avoid licensing 
> issues as well as bugs/backdoors, but I'll look into this..  Thanks for the 

Backdoors are your responsibility with GMP, so no worries, right. :). It
is GPL'd, though, so be careful. 

> quick response.. the application will of course be available to anyone who 
> wants it once finished.. and once Borland finishes Kylix, should compile 
> nicely on the various x86 *nixes out there..

Looking forward to it. 

-David
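The prime-generation pipeline sketched in this exchange (sieve for the small primes, one GCD against their product to throw out candidates with small factors, then Rabin-Miller on the survivors, all driven by random search), as an added worked example that is not from the thread or from Asymmetric's program. It is written from the Handbook of Applied Cryptography descriptions the reply points at; the helper names, the 40-round default and the sampling function are this example's own choices.

```python
import math
import secrets

def sieve_of_eratosthenes(limit):
    """Return every prime <= limit (the sieve the thread is talking about)."""
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for i in range(2, math.isqrt(limit) + 1):
        if flags[i]:
            # cross out the multiples of i, starting at i*i
            flags[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [n for n, is_p in enumerate(flags) if is_p]

# The 1000th prime is 7919, so sieving up to 7919 yields exactly the first 1000 primes.
SMALL_PRIMES = sieve_of_eratosthenes(7919)
SMALL_PRIME_SET = set(SMALL_PRIMES)
# The "nice trick" from the reply: one product of all 1000 primes (an ~11,000-bit integer).
SMALL_PRIME_PRODUCT = math.prod(SMALL_PRIMES)

def has_small_factor(n):
    """A single gcd with the product replaces 1000 trial divisions."""
    if n < 2:
        return True
    if n <= SMALL_PRIMES[-1]:
        # n lies inside the sieved range: answer by lookup, since gcd(p, product) = p for a small prime p
        return n not in SMALL_PRIME_SET
    return math.gcd(n, SMALL_PRIME_PRODUCT) != 1

def miller_rabin(n, rounds=40):
    """Rabin-Miller probabilistic primality test, as laid out in HAC chapter 4."""
    if n < 2:
        return False
    if n in SMALL_PRIME_SET:
        return True
    if has_small_factor(n):
        return False
    # write n - 1 = 2^s * d with d odd
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # a is a witness: n is composite
    return True                            # probable prime; error probability <= 4^-rounds

def generate_prime(bits, rounds=40):
    """Random search: random odd candidate of the requested size, gcd filter, then Rabin-Miller."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if has_small_factor(cand):
            continue
        if miller_rabin(cand, rounds):
            return cand

def gcd_filter_rejection_rate(bits, samples=2000):
    """Fraction of random odd candidates the gcd filter discards before any Rabin-Miller round runs."""
    rejected = 0
    for _ in range(samples):
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if has_small_factor(cand):
            rejected += 1
    return rejected / samples

if __name__ == "__main__":
    p = generate_prime(512)
    print(p.bit_length(), "bit probable prime:", p)
    print("gcd filter rejects %.1f%% of random 512-bit odd candidates"
          % (100 * gcd_filter_rejection_rate(512)))
```

The rejection-rate function is there to make the point of the GCD trick measurable: roughly seven out of eight random odd candidates share a factor with the first 1000 primes, and each of those is settled by one cheap gcd instead of a modular exponentiation.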




Re: RC4 source as a literate program

2000-09-05 Thread dmolnar



On Tue, 5 Sep 2000, Gary Jeffers wrote:

> then give his opinion as to whether it was legal or not. If the lawyer
> said that it was legal and gave his opinion in writing, then the
> client could proceed without worry. The lawyer's opinion would stop
> any criminal prosecution.

Does this really work? I can't imagine this working for murder (but on the
other hand, that's a bad example since it's unreasonable to imagine
murder legal in the USA). Even for something like tax laws or other
complicated regulations this sounds dubious. 

 
> I wonder if this would work with publishing crypt code. I think it
> might put the lawyer at risk. If we had a lawyer who really thought

Well, a lawyer who advised a client that something was legal when in fact
it wasn't might have a problem. 

> that publishing crypt code on the Internet was legal and wasn't afraid
> of sticking his neck out then his published statement on the Internet
> to this might open the floodgates of crypt code Internet posting for
> Americans.

Such a statement would help, but more because it would be from an expert
on the law than because of any legal shield. I am not a lawyer, and so I'd
like to have one's opinion before doing anything that could land me in
jail. That kind of thing.

 
> Donald has stated that the law in this area is quite vague. I would
> think even if the law prohibited it, then the law would be
> unconstitutional and therefore null and void.


Prohibiting what - publishing cryptography code?
In any case, even if the law is unconstitutional, you may have to go
through several layers of court cases to prove it. c.f. Bernstein. :(

-David




Re: I see this list is still dead

2000-06-26 Thread dmolnar



On Mon, 26 Jun 2000, Jamie Zawinski wrote:

> and I'm amazed at the amount of spam now!  Actually I'm amazed that
> anyone is actually *on* this list if that level of spam is normal.

There have been some recent discussions on how to get around this problem.
If you look back in the archives, you should see announcements for
mailing list addresses which do such things as reject mail sent to
toad.com. There are of course the standard issues with filtering as
censorship. 

 
> So, I'm not a cryptographer, but I sometimes hack security code, and 
> I'm very interested in the politics of crypto/security/privacy/etc. 
> Back in 94-97 or so, cypherpunks was a great source of news and clueful
> discussions.  Are there any other mailing lists that are more like what
> it used to be?  I miss it...

You should not write off cypherpunks just yet. The level of spam is high,
but there are still clueful people here. Including a mysterious anonymous
poster who seems to know a heck of a lot about cryptology. :) 
If you post something interesting, people do respond. Most recently
we've had a row over the economics of MicroMint which has been quite
interesting.

What kind of politics do you have in mind? have some test issues to argue 
over? read any good papers lately?

speaking of that -- 
Has anyone else seen "How to break and repair a practical MIX" from this
year's Eurocrypt, btw? I was lucky enough to get a copy of it a few weeks
ago and have been looking at it. Has anyone ever implemented this kind of 
mix-net in which the servers check up on each other? maybe something done
as a research prototype at Bell Labs after Jakobsson's Flash Mixing paper?

I have a nebulous idea of a mixnet along these lines where mix nodes are
java applets which discover each other, form a group of nodes, process
a packet, and then disband. Anyone know if Jini would be appropriate for
something like this? or know where to find examples of Jini apps?

still, other places to go, since you asked : 

The newsgroup sci.crypt is still active, although it has always had a
different "flavor" than cypherpunks. I am not keeping up with it much
these days, but it seems that most of the substantive discussion is on
better block ciphers.

talk.politics.crypto had some good discussion of the export control laws
and what they mean last year, but I haven't seen anything much there
recently. 

There are also the [EMAIL PROTECTED] and [EMAIL PROTECTED] lists.
Tim May has pointed out that these are moderated lists and therefore
possibly objectionable. A practical example of why moderation can be bad
popped up recently (at least IMHO), when an interesting thread on
electronic voting drifted off-topic and was requested to stop on the list. 
That's certainly within the rights of the moderator, but I thought it was
interesting and would have liked it to continue.

Coderpunks has substantive technical discussion on a semi-regular basis.
Most recently there is a discussion on practical "passphrase condensing" -
taking an arbitrary length passphrase and crunching it into an encryption
key. Previous discussions have covered Ben Laurie's Lucre and other fun
things to do with digital cash. Not too much politics, though, except as
it directly related to crypto (e.g. patents).

Cryptography has a little more political content, but tends to be lower
volume. So it won't satisfy your radical crypto needs by itself. Sometimes
interesting and substantial discussion pops up, such as on electronic
voting or key agility. 

Then there are presumably a bunch of more political mailing lists. I'm not
on any of those, but poking around the EFF and such places may get you
started. 

-dmolnar




Re: Musings on the Economics of ZKS

2000-06-14 Thread dmolnar



On Tue, 13 Jun 2000, Tim May wrote:

> net present value (NPV) of buying a better safe. The merchant who has 
> never been robbed and so thinks he never _will_ be robbed is not the 
> guy driving the development of better safes. Analogies with crypto 
> are obvious.

This reminds me of something I realized recently -- it's not
clear to me how to reason about liability for anonymous systems. Not the
normal liability everyone thinks of, in which the service is supposedly
"liable" for the actions of an anonymous user, but the liability incurred
if the service is not anonymous enough.

Hal Finney had a post on the freenet-chat list a few months back in which
he pointed out that if Freenet is used by Chinese (or whoever) dissidents,
and then is not "anonymous enough," people will die. In the U.S. and
Europe, maybe it won't go that far, but if the service fails to be
anonymous enough, odds are good that the user is harmed in a direct 
fashion. Maybe for something which isn't even clearly illegal or
immoral -- think of a whistleblower whose cover is blown.

Whose fault is that, how do we tell, and what happens afterwards? 

will that make two bits of difference one way or the other for anonymous
systems?

I'm **not** eager to see lawsuits against ZKS for "failure to be
anonymous." I'm wondering if we will see such lawsuits, and if we do,
whether the threat of such suits will encourage the development of better
anonymous systems in the same way that real-world threats cause insurance
companies to encourage the development of better safes.

I am a little worried that trying to build better specifications/definitions 
of what kind of anonymity a system provides could be used against a
provider of anonymity services in a lawsuit. Then again, this hasn't
seemed to happen in the crypto world; when was the last time anyone was 
sued for not using semantically secure crypto? 

My understanding of product liability law is really fuzzy. I have this
impression that some sort of "best practices" exist for each industry, and
that manufacturers are supposed to follow them or face consequences. How
do these "best practices" come about, and is this model relevant to crypto
in general and anonymous systems in particular? or am I hopelessly
confused and should seek a law school course?

-dmolnar




Re: MIT?

2000-06-02 Thread dmolnar



I can reach the theory.lcs.mit.edu web page and the CIS group page just
fine. Are you referring to the remailer? 

On Fri, 2 Jun 2000, Anonymous wrote:

> Anyone know what's wrong with *.lcs.mit.edu?




indeterministic cryptosystems and mix-nets

2000-05-07 Thread dmolnar


Hi,

I came across the term "indeterministic cryptosystem" while 
reading the paper "MIXes in Mobile Communications Systems : Location
Management with Privacy" by Federrath, Jerichow, and A. Pfitzmann. 
http://www.semper.org/sirene/lit/abstr96.html#FeJP1_96

An "indeterministic cryptosystem" is defined there as one in which "equal
plaintext blocks are encrypted to different ciphertext blocks." 

I didn't see a formal definition of the term in this paper, but they use
the property to prevent the attack where an adversary encrypts known
plaintext with a public key and compares it to outgoing messages. I think
they may also mean such a cryptosystem prevents the marking attacks
detailed in "How to Break the Direct-RSA Implementation of MIXes" by B.
Pfitzmann and A. Pfitzmann
http://www.semper.org/sirene/lit/abstr90.html#PfPf_90

Anyway :

1) is the term "indeterministic cryptosystem" formally 
defined anywhere?

2) has anyone followed up on "How to Break..." with a
characterization of what properties of a cryptosystem 
are desirable for a mix-net? Off the top of my head,
the notion of "non-malleability" seems sufficient to
prevent the attacks mentioned in that paper. 

You might also want a cryptosystem to be 
what I call "recipient-hiding" -- a ciphertext gives
up no information about to whom it has been encrypted.

I am looking through the SIRENE collection of papers now, but I'm slightly
handicapped by the fact I don't know German. :-\ Any pointers appreciated.

Thanks much, 
-David Molnar
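An added worked example (not from the post or from the Federrath/Jerichow/Pfitzmann paper) of the property being asked about: a deterministic public-key encryption lets an observer who knows the public key encrypt each plausible plaintext and compare with outgoing ciphertexts, while an "indeterministic" one, here textbook RSA with fresh random bits prepended to each block, does not. The random pad stands in for the OAEP mentioned in the reply to FRANKY above; it is a simplification, not OAEP itself. The key (two Mersenne primes), the block layout and the candidate list are this example's own constructed values.

```python
import secrets

# Constructed toy key: two well-known Mersenne primes. Far too small for real use;
# they are here only so the arithmetic is visible and fast.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                                  # about 92 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+ modular inverse)

MSG_BITS = 32                              # size of the message a sender encrypts
PAD_BITS = 56                              # fresh random bits per encryption; the 88-bit block fits under N

def encrypt_deterministic(m):
    """Textbook RSA: same plaintext under the same public key gives the same ciphertext."""
    return pow(m, E, N)

def decrypt_deterministic(c):
    return pow(c, D, N)

def encrypt_randomized(m):
    """Indeterministic variant: random pad in the high bits. Simplified stand-in for
    OAEP, which additionally mixes the pad through hash functions."""
    r = secrets.randbits(PAD_BITS)
    block = (r << MSG_BITS) | (m & ((1 << MSG_BITS) - 1))
    return pow(block, E, N)

def decrypt_randomized(c):
    """The legitimate recipient strips the pad after decryption."""
    return pow(c, D, N) & ((1 << MSG_BITS) - 1)

def match_known_plaintext(observed, candidates, encrypt):
    """What an observer of the mix's output can do with only the public key:
    encrypt each guess and compare. Returns the matching guess or None."""
    for guess in candidates:
        if encrypt(guess) == observed:
            return guess
    return None

def same_ciphertext_twice(m, encrypt):
    """True when encrypting m twice yields identical ciphertexts (the leak the post describes)."""
    return encrypt(m) == encrypt(m)

# Constructed sample: a small set of plausible plaintexts (think location codes in the
# mobile-communications setting of the paper) that an observer is willing to guess.
CANDIDATES = [0x1001, 0x1002, 0x1003, 0x1004]

if __name__ == "__main__":
    c_det = encrypt_deterministic(0x1003)
    print("deterministic: observer recovers",
          hex(match_known_plaintext(c_det, CANDIDATES, encrypt_deterministic)))
    c_rnd = encrypt_randomized(0x1003)
    print("randomized: observer recovers",
          match_known_plaintext(c_rnd, CANDIDATES, encrypt_randomized))
    print("randomized ciphertext still decrypts to", hex(decrypt_randomized(c_rnd)))
```

With the randomized variant the observer's comparison fails except with probability about 2^-56 per guess, which is the whole point of the property: equal plaintext blocks no longer map to equal ciphertext blocks, so comparing outgoing messages against guessed encryptions tells the observer nothing.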




Frog remailer down and up again ?

2000-05-06 Thread dmolnar


Hi, 

A post on alt.privacy.anon-server dated Thursday claims that the "Frog"
anonymous remailer has been seized by French police. 

For the last few months, "Frog" had been running a statistics service
similar to the one Raph Levien used to have at UC-Berkeley. The admin has
also had a fairly high-profile role in the a.p.a-s newsgroup, announcing
new remailers and suspected closures of old ones. Along with the
Electronic Frontiers Georgia stats list, the "Frog" stats were the source
I used to keep track of which remailers were reliable.

The "Frog" name is because he's supposedly French. (yes, maybe remailer
operating isn't a safe hobby for French citizens).

A post dated today (Saturday May 6) at 13:45 claims that the remailer has
been compromised by French police and will be placed back online. 

Anyone have any hard information on this? Want to speculate on whether
this happened as claimed or not? speculate on ways to defend
remailer stats providers/reputation services against this kind of
reputation attack? speculate on ways to protect users from seized remailer
nodes (splitting a private key among computers in several jurisdictions
and sending an intermediate message to all of 'em before forwarding to the
next logical "remailer" ?) ?

Thanks, 
-David Molnar






Re: beginning cryptography

2000-04-18 Thread dmolnar



The sci.crypt FAQ is a decent place to start. 
http://www.faqs.org/faqs/cryptography-faq/part01/

Then take a look at the _Handbook of Applied Cryptography_ for an
excellent and precise technical overview.
http://cacr.math.uwaterloo.ca/hac/

Supplement with _Applied Cryptography_ to see what the intuition for using
some of these primitives and protocols happens to be. Probably the
friendliest book you're likely to find, although it leaves out a little
too much in parts. 
(sorry, you have to buy this one)
(be aware that some of it is out of date now, especially with the AES
process underway)

From there it depends on what kind of cryptography you want to do. For
instance, if you decide you want to see the proofs which show why RSA
works, you might look at Neal Koblitz' book _A Course in Number Theory and
Cryptography_. That same book also has a neat introduction to factoring
methods circa 1993-94. 

Other places to look include link farms like the ones due to Helger Lipmaa
http://www.moomin.ee/~helger/crypto/

or Ron Rivest 
http://theory.lcs.mit.edu/~rivest/crypto-security.html

which have pointers to lecture notes, courses on cryptography, and
suchlike. 

Thanks,
-David

On Mon, 17 Apr 2000, Hans wrote:

> Does anyone out there know of any good resources for getting a good
> (decent? marginally acceptable?) beginning in cryptography?  Books or




Re: RSA fasion trends.

2000-04-17 Thread dmolnar



On Mon, 17 Apr 2000 [EMAIL PROTECTED] wrote:

> > Some of these, such as template-less biometrics, are so new they are 
> > little more than a theoretical sparkle in designers' imaginations, but 
> > they are moving fast.
> 
> Any idea what is meant by a "template-less biometric?"  In order to verify 
> a person's identity, the live scan data must be compared with something,
> i.e., a template.

Maybe this refers to using a hash of a template instead of a full template
itself as the standard for comparison? I'm just guessing; my guess is
based on the existence of a paper by Ari Juels (from RSA Labs) and a
co-author whose name I don't recall now on 
"Fuzzy Commitment Schemes" at this year's ACM Conference on Computer and
Communications Security.

The idea is that current hash functions are inadequate for biometric
identification. You can't just hash a template and then hash incoming
readings and expect them to match; there's too much variation between
various readings for this to work. 

A "fuzzy commitment scheme" or a "fuzzy hash" is a hash function such that
you can determine whether hash inputs are "sufficiently close" to a hash 
output. At the same time, you want to preserve the same kind of one-way
and collision resistance properties which make hash functions worth using
in the first place -- i.e. accept almost no false incoming data and
prevent an adversary from learning the template from its hash. 

As I recall, the scheme was based on some kind of hashing to an error
correcting code. Template hashes would be specific codewords, and then
incoming data would be matched to see if it was "close enough" to that
codeword. Probably better to do a web search for the paper at this point..

Thanks, 
-David
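The construction recalled from memory above, as an added worked example (not the post's and not the Juels/Wattenberg paper's own code): commit to a template x by choosing a random codeword c of an error-correcting code and publishing the hash of c together with x XOR c; a later reading x' recovers c XOR (x XOR x'), and if x' is within the code's correction radius of x, decoding strips the difference and the hash matches. The error-correcting code here is a toy repetition code chosen for readability; the template size, repetition factor and test vectors are this example's own constructed values.

```python
import hashlib
import secrets

# Toy error-correcting code: each payload bit is repeated R times and decoded by
# majority vote, so up to (R-1)//2 flipped bits per group are corrected.
R = 5                  # repetition factor
K = 16                 # payload bits per codeword
N = K * R              # template length in bits (80)

def encode(payload):
    """Map a K-bit payload to an N-bit codeword."""
    word = 0
    for i in range(K):
        bit = (payload >> i) & 1
        for j in range(R):
            word |= bit << (i * R + j)
    return word

def decode(word):
    """Nearest codeword under the repetition code (majority vote within each group)."""
    payload = 0
    for i in range(K):
        group = (word >> (i * R)) & ((1 << R) - 1)
        if bin(group).count("1") * 2 > R:
            payload |= 1 << i
    return encode(payload)

def _h(codeword):
    return hashlib.sha256(codeword.to_bytes(N // 8, "big")).digest()

def commit(template):
    """Fuzzy commitment to an N-bit template x: pick a random codeword c and
    publish (H(c), x XOR c). The hash is one-way in c, and the offset hides x
    only as well as c is unpredictable."""
    c = encode(secrets.randbits(K))
    return _h(c), template ^ c

def verify(commitment, reading):
    """Open with a fresh reading x': (x XOR c) XOR x' = c XOR (x XOR x'). If x' is close
    to x, decoding removes the difference and the recovered codeword hashes to H(c)."""
    h, delta = commitment
    return _h(decode(delta ^ reading)) == h

def flip_bits(x, positions):
    """Simulate sensor noise by flipping the given bit positions."""
    for pos in positions:
        x ^= 1 << pos
    return x

def hamming_distance(a, b):
    return bin(a ^ b).count("1")

if __name__ == "__main__":
    template = secrets.randbits(N)                   # constructed "enrollment scan"
    com = commit(template)
    noisy = flip_bits(template, [0, 7, 23, 41])      # one error in each of four groups
    print("noisy reading at distance", hamming_distance(template, noisy),
          "accepted:", verify(com, noisy))
    bad = flip_bits(template, [0, 1, 2])             # three errors in one group: beyond correction
    print("clustered errors accepted:", verify(com, bad))
```

The two properties the post asks for map directly onto the pieces: "sufficiently close" readings are exactly those the code can decode back to c, and an adversary holding the commitment learns x only by guessing c, which the hash protects. A repetition code is a poor choice for a real deployment because its codewords are highly structured and the offset x XOR c then leaks information about x; the published scheme leaves the code open so its parameters can be matched to the noise of the actual biometric.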




Re: RSA fasion trends.

2000-04-17 Thread dmolnar



On Mon, 17 Apr 2000 [EMAIL PROTECTED] wrote:

> Any idea what is meant by a "template-less biometric?"  In order to verify 
> a person's identity, the live scan data must be compared with something,
> i.e., a template.

On actually reading the article, it seems clear (to me) that what is meant
is indeed this paper :

"A Fuzzy Commitment Scheme"
Ari Juels and Marty Wattenberg
Proceedings of 6th ACM Conference on Computer and Communications Security
(ACM CCS)

His homepage doesn't seem to be responding, but ACM Digital Library 
subscribers can obtain a copy from here : 

www.acm.org/pubs/contents/proceedings/commsec/319709/

Thanks, 
-David




Sander Franklin presentation @ CFP

2000-04-14 Thread dmolnar


Hi, 

The recent article reminds me -- did anyone see Tomas Sander and
Matt Franklin's presentation at CFP on "Deniable Payments and 
Electronic Campaign Finance"? What did you think?

http://www.cfp2000.org/papers/franklin.pdf

Their idea is to take the "mandated donor anonymity" proposed by 
Ian Ayres and Jeremy Bulow 
http://www.yale.edu/lawweb/faculty/bulow.pdf

and build a protocol which allows everyone to ensure that donations are
going to the correct candidate, without revealing anything about who
donated to whom. 

Thanks,
-David




Re: The Death of the Cypherpunks

2000-04-12 Thread dmolnar



On Wed, 12 Apr 2000, Declan McCullagh wrote:

> Simson is a smart fellow, and a friend. But he does believe in aggressive 
> federal regulation of private sector data collection practices. 

Indeed. That is why I mentioned him in response to your note that data
collection is an area which seems to currently lack a strong
"cypherpunk"-ish response to his point of view. 

I'm also interested in your comment that contract law may be sufficient to
combat this problem. Garfinkel raises and then dismisses the idea of
considering personal information as "property", and then developing the
notion of rights and contract which we have for other property for
personal information. Who has treated this from the other side, the
libertarian/anarchist/whatever you want to call it viewpoint? is there
a good introduction to "contract law and personal data" lying around
someplace?

> I fear (and 
> I should write this if I ever get around to reviewing his book) that he 
> focuses too much on that area, and not enough on governmental intrusions 
> into privacy.

I think I agree with you. I just turned in my (short) census form today.
There was an article in the school paper about how privacy concerns over
the census are "obviously baseless" because "there are many disclaimers on
the form." The attitude is not confined to the paper; sometimes I end up
arguing with some of my friends who honestly seem to believe that the 
exclusionary rule is "enough" to prevent abuse of wiretap power...

Even so, simply stating that private practices are not as much of a
problem as State action does not make the private practice go away. There
do exist some means of combating private data collections, such as 
refusing to use credit cards, check clearing services, etc. At the same
time, these seem to result in consequences which I am not sure I'm willing
to put up with. Is the only response to this to tell me to just "deal with
it" ?

Thanks, 
-David




Re: curfew laws

2000-03-07 Thread dmolnar




On Tue, 7 Mar 2000, Michael Motyka wrote:
> you? Or have you always been a mindless, obedient twit? Is that what
> Harvard is accepting for admission these days? If so, we're doomed. I
> sure as hell won't send my kids there.

Would you believe I was being sarcastic? or would that simply reinforce
your opinion? 

Thanks, 
-David 




Re: curfew laws

2000-03-06 Thread dmolnar




> One law my group is interested in is curfews. I would like to hear about
> your opinions, and if you have any information on this subject.

I found curfews to be an effective technique for reminding me that I was
under the supervision and control of the institution imposing the curfew.
Better yet, strict and highly public punishments for even relatively minor
curfew violations have the salutary effect of causing those subject to the
curfew to internalize it.

Why, I can speak from personal experience - one day I stayed up talking to
a friend in a separate dorm fifteen minutes past curfew, and when I
returned, guiltily sneaking into my own dorm, I was covered with sweat
from head to toe. All I could think about was the utter horror of having
almost violated curfew (and then being found out). The dorm faculty did
not even need to punish me; the agony of expecting punishment was enough.

I can highly recommend curfew as a means of keeping kids in line.

Thanks, 
-David 



Re: A new PKC, and some conjectures

2000-03-05 Thread dmolnar




On Sat, 4 Mar 2000, bram wrote:

 
> I've written up a public key encryption algorithm I came up with and some
> thoughts on it at
> 
> http://www.gawth.com/bram/essays/simple_public_key.html


Here's an idea I just had towards an attack on the system. I'm not
sure it goes all the way through. It depends on the assumption that
there is no way for the decryption routine to tell whether a ciphertext
was correctly formed or not (since that would require solving a knapsack
problem).

It requires that we have access to an oracle which will decrypt any
ciphertext we like (not necessarily well-formed), but it does not
require that we have any sort of "target" ciphertext. Technically it's
"CCA_1" or a "lunch-time attack." 

Denote "decryption of string s" by D(s).

1) Create our 'base ciphertext' b by picking k numbers from the public
   key and summing them. We know that this is congruent to something
   less than p/2 mod p. So we know if we ask for D(b), we get 0.

2) Now we are going to add powers of 2 to b and then ask for the
decryptions of each intermediate value u_i. The idea is that we
are looking for the point at which D(u_i) switches from 0 to 1.

Then we are going to subtract powers of 2 from b and then ask
for the decryptions of each intermediate value v_i. The idea
is that we are looking for the point at which D(v_i) switches
from 0 to 1. 

We know that p and therefore p/2 are less than any number in k. 
So we should only need to add powers of 2 for log (the least
number in k) times at most before seeing a switch. 

3) When we see a switch in D(u_i) from 0 to 1, we know an upper bound
   on (p/2 - b) mod p. 
 
   When we see a switch in D(v_i) from 0 to 1, this means we "wrapped
   around below". So now we have an upper bound on the size of b mod p.

   If you can figure out exactly what b mod p and (p/2 - b) mod p are,
   you add them together and get p/2 . Once you have p/2, you have p and
   that's the private key. That's the part I'm not sure about just yet.
   
   I think once you see a switch between D(u_k) and D(u_k+1), you should
   do something like ask for the decryption of the average, and then
   see whether you need to go higher or lower based on that. Since you
   will be halving the distance to the "real" value of b or (p/2 - b) 
   each time, this seems like it will be efficient, but I haven't
   worked it out. 

Does this work? 

Thanks, 
-David Molnar





Re: Purpose of anti-laundering laws?

2000-03-04 Thread dmolnar




On Sun, 5 Mar 2000, reject wrote:

 
> Obviously, assorted FedGoons(tm) dislike untraceable money.  Nasty
> terrorists, child pornographers, drug dealers, and other horsemen could
> hide their "profits" then...
> 
> But is there a *legitimate* reason to have anti-money-laundering laws?  I
> can't think of any, but perhaps I'm being naive.

Could you clarify what kind of reason would satisfy you as legitimate?

Thanks, 
-David



Re: Re: Payment mixes for anonymity

2000-03-04 Thread dmolnar




On Sat, 4 Mar 2000, Jim Choate wrote:

> Anonymous mailer operators can most definitely be considered to be 'doing
> anything' if it is found they're in the loop of a criminal investigation.

Yes. This is why I think it is important that even the senders of
anonymous mail not be able to prove after message delivery that a
particular message went through a particular remailer. Preferably
not be able to prove, ever, but you can always seize the entire remailer
chain and follow the message step by step. 


> Why would any of the payment mix operators be 'doing anything' other than
> the entry and exit points? All the data would be encrypted and unreadable
> to all the intermediary machines. In an ideal world even the entry and
> exit points should only receive encrypted (and therefore anonymous)
> traffic.

I was under the impression that payment mixes were to be built on top of
existing, non-anonymous payment schemes. That is, if we have a chain of 
payments mix servers Alice-Bob-Carol --- Yeltsin-Zelda, each of them
has an account whose activity is tracked by some bank.

The payments made between Alice and Bob, or Bob and Carol, and so on,
can be audited by the bank. Now, the bank may not have access to the
instructions which tell Bob to send $X to Carol (this is the encrypted
data you're writing about) -- but he will see that Bob receives lots
of money and then forwards lots of that money onwards. This will
raise suspicion for Bob; I don't know money laundering laws well enough to 
say if it is actually illegal. 

Does anyone know of a good survey/introduction of money laundering laws?
Paper is fine. 

Thanks much, 
-David Molnar




Re: Looking for info on web anonymizers

2000-03-03 Thread dmolnar






First place to look might be www.zks.net -- a commercial anonymous TCP/IP
service. Then be sure to look at www.onion-router.net for comparison. 

You may also want to check out the links at 

http://www.cypherspace.org/links

and the mix anonymity project at

http://www.inf.tu-dresden.de/~hf2/anon/

has some links as well. You might also want to read the newsgroup
alt.privacy.anon-server and do web searches for the programs "ProxyMate"
and "Proxomitron". 

Thanks,
-David Molnar



On Fri, 3 Mar 2000, Christian Goetze wrote:

> Working on an article on anonymous web browsing and looking for info on 
> anonymizers. I already know about two: anonymizer.com, rewebber.com. Are 
> there any others out there?
> 
> Thanks in advance...
> --
> cg
 
 




Workshop on Anonymous Systems

2000-03-03 Thread dmolnar



Hey,

I noticed this a few days ago :

Workshop on Design Issues in Anonymity and Unobservability
  July 25-26, 2000
International Computer Science Institute (ICSI), Berkeley, California
http://www.icsi.berkeley.edu/~hannes/ws.html

Looks like a lot of fun.

Also at the same site is an announcement of a project to develop a
security model for mix-nets. 

http://www.icsi.berkeley.edu/~hannes/rp.html

Was wondering if anyone else had seen this and wanted to comment?

Thanks, 
-David Molnar



Re: Payment mixes for anonymity

2000-03-02 Thread dmolnar




On 3 Mar 2000, Secret Squirrel wrote:

> If all payments are for different amounts, then this would no longer
> work, as a chain of $123.45 payments would be easy to track.  It would
> therefore be necessary for the system to use a single standard payment
> size.  If people wanted to pay more, they would send multiple messages.
> If these can be spread out over a period of time, it should be possible
> to hide who has paid whom.

Note that cash payments can have a property which encrypted messages
usually do not : you can have the mix break up the payment into
random-sized chunks, or aggregate several payments into a single 
transaction between servers. 

For example, say I send a payment for $123.45 -- the remailer might
split this into a payment of $100 and a payment of $23.45. That 
$23.45 could then be combined with some other payments to create an
aggregate payment of $100 which is sent to the next remailer in the chain.
That remailer unpacks the aggregate, breaks up the $23.45 into $20 
or so and change, and so on.

That example may not be so great, but I wonder if we can get anything from
this kind of dynamic recombination. 

It seems that doing this requires some kind of trust in each server.
More specifically, we would trust each server to combine payments 
correctly and split them correctly. We would have to enforce this trust
via some kind of audit protocol, such as public posting of encrypted
receipts. Maybe this overhead would eat up any possible gain; it's not
yet clear to me one way or the other. 

> Current remailer networks are not very reliable.

That's an understatement. :-(

> A system like this
> would obviously increase the temptation for remailer operators to receive
> payment for some messages but not pass them on.

fair exchange problem or something weaker? can we build a protocol which
commits to a payment  when the remailer operator gets a message, then
follows through when the message is passed on?

> Remailers could profit
> by cheating.  Chaum proposed making remailers publish logs of the messages
> they had handled, such that it would be possible to see that each remailer
> sent all the messages it received, and the next remailer in the chain
> received all the messages it was sent.  This would reveal the source of
> any problems, narrowing it down to the interface between two remailers,
> which should allow for a fix.

It might also allow for a payment to be provably traced to a given
remailer if the payer turns evil at a later date. The payer produces the
(signed) logs of the remailers and shows that his message went through
such and such a remailer at such and such a date. This may be suboptimal
if there are such things as "bad payments" by which I mean payments made
as part of a money laundering or fraud scheme -- payments which could be
cause for action against a remailer operator.

Plus now you have to sign the logs, which adds overhead. 

At least three ideas I have connected with this :

1) Weaken the logs such that everyone can see that a remailer sent all
   received messages, but not even the sending party can pick out
   his message from the logs. From my understanding of Chaum's 
   1981 paper, his suggestion of signed batches would allow
   a sending party to prove that his message actually was in the
   batch, since all the encryption is done by the sending party. 

   You might get around this by having the remailer "add randomness"
   of its own to outgoing messages. For instance, it could pick the
   random value r used for OAEP. Then you still have to show that
   everything in the output batch corresponds to something in the
   input batch...

2) Send receipts to the sending party which are "designated verifier" 
such that only 
a) the sending party 
and b) possibly some other arbitrating party / reputation
service / third party trusted not to be evil in court

would find these receipts credible. I can go into detail
on this in case anyone cares...the basic idea is to use the 
"designated verifier" proofs of Jakobsson, Impagliazzo, and Sako
http://www.bell-labs.com/user/markusj/dvp.ps

but extend them just slightly to deal in a nice way with multiple
verifiers -- without the verifiers needing to share a secret key
or collaborate in any way. 

The advantage of this method is that now we can give all kinds of
receipts and be sure that they won't be used "against us" in court.
These receipts can be very convincing to the sending party.
The disadvantage is that if the server does wrong, and the sending
party can't prove it to anyone else, that's bad. Therefore the
extension to multiple verifiers, one of which is a trusted 
arbitrating party. 


3)  Abandon signed output batches in favor of random "tag numbers" 
or "payment magic numbers" embedded in the payment. The numbers
work like this :
1) the sending 
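
The "designated verifier" receipt from idea 2 above, as an added worked example (not code from the post, the list, or the Jakobsson/Impagliazzo/Sako paper). It uses the standard Cramer-Damgard-Schoenmakers OR-proof made non-interactive with Fiat-Shamir as a stand-in for the JIS construction: the remailer proves "I know my secret key OR I know the sender's secret key OR I know the arbitrator's secret key" over a receipt digest. Because any listed verifier could have produced the same proof with their own key, the receipt convinces only those verifiers and is worthless as evidence to a court or a later-hostile payer, which is exactly the non-transferability the post wants; the list of verifier keys is the multi-verifier extension, and the verifiers need no shared secret. The safe-prime search, key sizes, function names and the sample message are all constructed for this example; real deployments would use a standardised group rather than a 63-bit one.

```python
"""Designated-verifier remailer receipt via an OR-proof (constructed example)."""
import hashlib
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n):
    """Miller-Rabin with the first 12 prime bases; deterministic below 3.3e24."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_from(start):
    """Smallest safe prime P = 2Q+1 with Q >= start (toy-sized group, for illustration)."""
    q = start | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime_from(1 << 62)
G = 4  # a quadratic residue mod P, so it generates the order-Q subgroup


def keygen():
    """Secret exponent x in [1, Q-1] and public key y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(message, pubkeys, commitments):
    """Fiat-Shamir challenge binding the message, all keys and all commitments."""
    h = hashlib.sha256(message)
    for v in list(pubkeys) + list(commitments):
        h.update(v.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def dv_sign(message, pubkeys, known_index, secret):
    """OR-proof: the signer knows the secret behind pubkeys[known_index].

    Every other branch is simulated by choosing its (c_i, s_i) first; the
    real branch absorbs whatever challenge share is left over.
    """
    n = len(pubkeys)
    c, s, a = [0] * n, [0] * n, [0] * n
    for i in range(n):
        if i == known_index:
            continue
        c[i] = secrets.randbelow(Q)
        s[i] = secrets.randbelow(Q)
        # y_i has order Q, so y_i^(-c_i) == y_i^(Q - c_i)
        a[i] = pow(G, s[i], P) * pow(pubkeys[i], (Q - c[i]) % Q, P) % P
    w = secrets.randbelow(Q)
    a[known_index] = pow(G, w, P)
    total = _challenge(message, pubkeys, a)
    c[known_index] = (total - sum(c)) % Q
    s[known_index] = (w + c[known_index] * secret) % Q
    return list(zip(c, s))


def dv_verify(message, pubkeys, proof):
    """Accepts iff the recomputed challenge equals the sum of the per-branch shares."""
    if len(proof) != len(pubkeys):
        return False
    a = [pow(G, s_i, P) * pow(y_i, (Q - c_i) % Q, P) % P
         for y_i, (c_i, s_i) in zip(pubkeys, proof)]
    return sum(c_i for c_i, _ in proof) % Q == _challenge(message, pubkeys, a)


def issue_receipt(remailer_secret, remailer_pub, verifier_pubs, digest):
    """Remailer-issued receipt designated to every key in verifier_pubs."""
    return dv_sign(digest, [remailer_pub] + list(verifier_pubs), 0, remailer_secret)


def forge_receipt_as_verifier(verifier_secret, verifier_pub, remailer_pub, verifier_pubs, digest):
    """Any designated verifier can produce an indistinguishable receipt alone."""
    keys = [remailer_pub] + list(verifier_pubs)
    return dv_sign(digest, keys, keys.index(verifier_pub), verifier_secret)


def check_receipt(remailer_pub, verifier_pubs, digest, receipt):
    return dv_verify(digest, [remailer_pub] + list(verifier_pubs), receipt)


def demo():
    """Genuine receipt verifies; sender-forged receipt also verifies; tampered digest fails."""
    x_r, y_r = keygen()  # remailer
    x_s, y_s = keygen()  # sending party
    x_t, y_t = keygen()  # arbitrating third party
    digest = hashlib.sha256(b"constructed sample message, batch 42").digest()
    genuine = issue_receipt(x_r, y_r, [y_s, y_t], digest)
    forged = forge_receipt_as_verifier(x_s, y_s, y_r, [y_s, y_t], digest)
    other = hashlib.sha256(b"a different message").digest()
    return (check_receipt(y_r, [y_s, y_t], digest, genuine),
            check_receipt(y_r, [y_s, y_t], digest, forged),
            check_receipt(y_r, [y_s, y_t], other, genuine))


if __name__ == "__main__":
    print(demo())
```

The second value returned by `demo()` is the whole point: the sender's own forgery passes verification, so showing such a receipt to anyone else proves nothing about the remailer. The design trade-off the post raises remains: if the remailer misbehaves, the sender can only convince someone whose key was listed at issue time, which is why the arbitrator's key is included as a third branch.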

Re: Brands on privacy

2000-02-28 Thread dmolnar




On Mon, 28 Feb 2000, David Honig wrote:

 Yeah right, PGP infringed on all kinds of things...
 See http://www.cypherspace.org/~adam/timeline/
 
I am not sure that PGP is comparable. PGP works as long as my
correspondents have a copy as well. Digital cash seems to require more
widespread acceptance before it is useful. In particular, the merchant
I want to buy things from needs to be outfitted with means of accepting
the cash. Merchants are generally not anonymous and can be sued for
patent infringement. 

Is this a problem? Or did you have some other model of use in mind?

Thanks, 
-David






e-gold as anon e-cash mint

2000-02-28 Thread dmolnar




On 28 Feb 2000, lcs Mixmaster Remailer wrote:

 Run an anonymous ecash server which does withdrawals and deposits into
 the mint account, from behind Freedom.net.
 
 The only problem is that Freedom does not yet support anonymous servers.
 What we need is a way of supporting this.
 

Tell me about it. Anonymous servers via Freedom would make 
my life much easier. 

 One idea is to use IRC.  The ecash server connects to an IRC server via
 Freedom, and runs as a bot.  Client software would then also use IRC
 to extract and deposit coins.

 You'd probably need to customize the IRC client in order to know how to
 do the blinding and such.

Don't some IRC clients support plugins for encryption? Is that extensive
enough to do what's needed?

 
 Alternatively, use Ben Laurie's Lucre package (no relation to the earlier
 "dash-lucre" which was a workalike for the DigiCash client).  This uses a
 blinding system devised by David Wagner which is thought to be unpatented.

To what is this an alternative? In both cases - patented or unpatented
algorithms - it seems desirable that the mint be pseudonymous.

 
 Who would be willing to give real money to an anonymous ecash server?

Depends on what I can buy with the ecash. I would like to buy Stefan
Brands' thesis, but I don't have a credit card, and have been too lazy so
far to arrange for interbank transfer. I would give real money to an
anonymous e-cash server to buy Brands' thesis. 

 How much would you be willing to entrust?

About as much as I carry in my wallet - less than $100, usually less
than $50 at any one time. Barring large purchases which could not
be made easily any other way. 

 And are you willing to accept
 the consequences if you forget the password that unlocks your coin file?

That is one of the reasons why I would not keep my life savings 
in the account. 

Thanks, 
-David



Re: ZKS hires Brands, licenses patents

2000-02-24 Thread dmolnar




On Thu, 24 Feb 2000, Luke Kenneth Casson Leighton wrote:

  or do you mean "we must grant you a license to this other patent we
  used to implement something covered by a GPL patent" ? What if the
  person implementing the GPL patent doesn't have the ability to license
  that patent? 
 
 then in a similar, analogous way to GPL libraries and proprietary source
 code, if you can't get the ability to license or use that patent, you
 can't use that patent to produce your product.

It seems like you need the ability to license the patent to others.
Merely having the ability to use it will not allow you to comply
with this requirement -- since then you can't give others the ability
to use your software / patent / whatever. 

 
 obviously, if you can buy a component (equivalent to a library) and use it
 in a product, you shouldn't have to research and fully disclose all
 patents on the individual component.
 
 requires a lot of thinking through, doesn't it? :)

Yup. 


 more that... anyone can implicitly license the patent (i.e you have
 _already_ given permission) if they are prepared to make a "full
 disclosure" of all intellectual property used in an implementation of a
 product that uses the patent.

Can I offer a general license of this type now, if I hold a patent?
That is, can I take a patent and make some kind of legally binding
declaration which makes it available under these conditions? 

What I'm trying to determine is why a new law is needed to provide
for this kind of license. It would be better if no new law is required;
then patent holders could be persuaded to offer such licenses right now.

 or did you mean that _every_ patent would be under GPL by default?

Thanks, 
-David Molnar



Re: ZKS hires Brands, licenses patents

2000-02-23 Thread dmolnar




On Thu, 24 Feb 2000, Luke Kenneth Casson Leighton wrote:

 A new law that requires that any implementation instance of something that
 is covered in full or in part by a GPL Patent requires FULL disclosure of
 all Intellectual Property used in the implementation.  Design documents,
 other patents, other processes, etc.  Sufficient such that another person,
 ^^^
Do you mean "we document that some other patent was used in implementing
this source code, which itself implements something covered by a GPL
patent, but don't do anything about licensing this other patent" ? 

or do you mean "we must grant you a license to this other patent we
used to implement something covered by a GPL patent" ? What if the
person implementing the GPL patent doesn't have the ability to license
that patent? 


 organisation, corporation etc. can, if they so desire, implement it
 themselves.

If I am the holder of a patent, can I make this "full disclosure" a
necessary condition for licensing the patent? 

Thanks,
-David 



Tales of banking perfidy and malice?

2000-02-08 Thread dmolnar




I am looking for (true) horror stories about banking corruption. Specific
examples of money laundering, private information improperly divulged,
young clerks blackmailed by means of their sexuality, dark family secrets, 
addicted boards of directors, and other methods of subversion. 

(why?)
Basically, I'm writing a paper and I want a cite for the sentence
"Unfortunately, even large banking institutions with more than $100
million in assets have been known to collaborate with wealthy
organizations or individuals in avoiding the law." I'm looking on my own
of course, but figured it was worth asking here.

U.S. banks preferred, but anything graphic will do.  

Thanks! 
-David Molnar