Re: Signing as one member of a set of keys
Very nice. Nice plausible set of candidate authors also: pub 1022/5AC7B865 1992/12/01 [EMAIL PROTECTED] pub 1024/2B48F6F5 1996/04/10 Ian Goldberg <[EMAIL PROTECTED]> pub 1024/97558A1D 1994/01/10 Pr0duct Cypher pub 1024/2719AF35 1995/05/13 Ben Laurie <[EMAIL PROTECTED]> pub 1024/58214C37 1992/09/08 Hal Finney <[EMAIL PROTECTED]> pub 1024/C8002BD1 1997/03/04 Eric Young <[EMAIL PROTECTED]> pub 1024/FBBB8AB1 1994/05/07 Colin Plumb <[EMAIL PROTECTED]> Wonder if we can figure out who is most likely author based on coding style from such a small set. It has (8 char) TABs but other wise BSD indentation style (BSD normally 4 spaces). Also someone who likes triply indirected pointers ***blah in there. Has local variables inside even *if code blocks* eg, inside main() (most people avoid that, preferring to declare variables at the top of a function, and historically I think some older gcc / gdb couldn't debug those variables if I recall). Very funky use of goto in getpgppkt, hmmm. Somewhat concise coding and variable names. Off the cuff guess based on coding without looking at samples of code to remind, probably Colin or Ian. Of course (Lance Cottrell/Ian Goldberg/Pr0duct Cypher/Ben Laurie/Hal Finney/Eric Young/Colin Plumb) possibly deviated or mimicked one of their coding styles. Kind of interesting to see a true nym in there also. Also the Cc -- Coderpunks lives? I think the Cc coderpunks might be a clue also, I think some of these people would know it died. I think that points more at Colin. Other potential avenue might be implementation mistake leading to failure of the scheme to robustly make undecidable which of the set is the true author, given alpha code. Adam On Fri, Aug 09, 2002 at 03:52:56AM +, Anonymous User wrote: > This program can be used by anonymous contributors to release partial > information about their identity - they can show that they are someone > from a list of PGP key holders, without revealing which member of the > list they are. Maybe it can help in the recent controvery over the > identity of anonymous posters. It's a fairly low-level program that > should be wrapped in a nicer UI. I'll send a couple of perl scripts > later that make it easier to use.
Re: Signing as one member of a set of keys
On Fri, 9 Aug 2002, Anonymous User wrote: > This program can be used by anonymous contributors to release partial > information about their identity - they can show that they are someone > from a list of PGP key holders, without revealing which member of the > list they are. Maybe it can help in the recent controvery over the > identity of anonymous posters. It's a fairly low-level program that > should be wrapped in a nicer UI. I'll send a couple of perl scripts > later that make it easier to use. > > === Most delightful. Thank you for reminding us that Cypherpunks do indeed write code. More comments in a bit. [MW SNIP] > ++multisig v1.0 > pEsBwalpBRxWyJR8tkYm6qR27UW9IT6Vg8SlOHIsEkk04RJvoSy0cy4ISFCq6vDX > 5ub6c+MYi/UoyR6tI7oqpMu1abcXWm2DkfDiCsD6jQddVkiiYdG7Bih8JWdWmp5l > AgzqUoz14671/ezmWSrPNsTNKV96+ZLEanZsqfkpQcnZpLkWVpJzQFe0VgDQ64b2 > +e2efrbknLFq0FTdX7Sh3qzAfzNYYgADmeOxDoTm9sb6T0fULf1P7mjiN2LZXuEW > m/8QvksaQi9KGa/0xN2m0heNtS1cfsTa+NJz8XYyG/tnMy7+mvI3c3lrnz+6Dpyp > pbNwaX+12VcqtfNec9faoq8RJgFxmSO/ZfMOGM8cFBQ75ZOaoBJP5ObHZ/63FFh5 > Wh5GzwJjQs0vLwpM3iF6G+IixEqAQYisUdCopP1wXCLgltDM6l7jRlXxNDj0AXQ1 > eQJolo32vemcy8Z8GAn5tpQHmJwpdzZpboWRQY53pD4mVnEMN4GBC1mhbbI2z+Oh > lPglqmmy3p4D+psNU1rlNv6yH/L0PgcuW7taVpbopjl4HLuJdWcKHJlXish3D/jb > eoQ856fYFZ/omGiO9x1D0BsnGFLZVWob4OIZRzO/Pc49VIhFy5NsV2zuozStId89 > [...] > */ That [...] you see is an artifact of the anonymous remailer you were using. Mixmaster, I believe, gives the option to truncate messages which appear to include binary encoded data. PGP messages are explicitly allowed to be sent. Immediate problem: we can't verify your signature. Short term solution: find a remailer that allows binary posting. Long term solution: perhaps contact the Mixmaster authors and ask them to explicitly allow "multisig" data? -MW-
RE: Signing as one member of a set of keys
Anonymous wrote: > > Here is the signature block from the "ring signature" program > which got truncated. I'll try sending it through a few > different anon remailers until it gets through. Replace the > lines from the earlier posting starting with the "END PGP > PUBLIC KEY BLOCK" line. I seem to still have problems with the signature block. If somebody on this list has a good copy, could you please place it on a web page and publish the URL? If nobody has a good copy, could perhaps Anonymous try a different method of posting, such as uuencoding? Thanks, --Lucky
Re: Signing as one member of a set of keys
Interesting. Unless some clever at jobs were involved, this was likely not written by Ian or Ben. I can vouch that Ian was not near a computer at the time the second message (with the complete signature) was posted, and Ben was somewhere over the Atlantic in an airplane, unlikely to be reading his mail. Lance has probably been too busy with Anonymizer 2.0 to be a good choice, and I also suspect that Pr0duct Cypher is the same as one of the people in that list. I'll put my money on the author being one of the last three people in that list. Adam Back .org>cc: [EMAIL PROTECTED], [EMAIL PROTECTED], Adam Back <[EMAIL PROTECTED]> Sent by: Subject: Re: Signing as one member of a set of keys owner-cypherpunks @lne.com 08/09/2002 12:11 PM Very nice. Nice plausible set of candidate authors also: pub 1022/5AC7B865 1992/12/01 [EMAIL PROTECTED] pub 1024/2B48F6F5 1996/04/10 Ian Goldberg <[EMAIL PROTECTED]> pub 1024/97558A1D 1994/01/10 Pr0duct Cypher pub 1024/2719AF35 1995/05/13 Ben Laurie <[EMAIL PROTECTED]> pub 1024/58214C37 1992/09/08 Hal Finney <[EMAIL PROTECTED]> pub 1024/C8002BD1 1997/03/04 Eric Young <[EMAIL PROTECTED]> pub 1024/FBBB8AB1 1994/05/07 Colin Plumb <[EMAIL PROTECTED]> Wonder if we can figure out who is most likely author based on coding style from such a small set. It has (8 char) TABs but other wise BSD indentation style (BSD normally 4 spaces). Also someone who likes triply indirected pointers ***blah in there. Has local variables inside even *if code blocks* eg, inside main() (most people avoid that, preferring to declare variables at the top of a function, and historically I think some older gcc / gdb couldn't debug those variables if I recall). Very funky use of goto in getpgppkt, hmmm. Somewhat concise coding and variable names. Off the cuff guess based on coding without looking at samples of code to remind, probably Colin or Ian. Of course (Lance Cottrell/Ian Goldberg/Pr0duct Cypher/Ben Laurie/Hal Finney/Eric Young/Colin Plumb) possibly deviated or mimicked one of their coding styles. Kind of interesting to see a true nym in there also. Also the Cc -- Coderpunks lives? I think the Cc coderpunks might be a clue also, I think some of these people would know it died. I think that points more at Colin. Other potential avenue might be implementation mistake leading to failure of the scheme to robustly make undecidable which of the set is the true author, given alpha code. Adam On Fri, Aug 09, 2002 at 03:52:56AM +, Anonymous User wrote: > This program can be used by anonymous contributors to release partial > information about their identity - they can show that they are someone > from a list of PGP key holders, without revealing which member of the > list they are. Maybe it can help in the recent controvery over the > identity of anonymous posters. It's a fairly low-level program that > should be wrapped in a nicer UI. I'll send a couple of perl scripts > later that make it easier to use.
Re: Signing as one member of a set of keys
Steps to verify the "ring signature" file (note: you must have the openssl library installed): 1. Save http://www.inet-one.com/cypherpunks/dir.2002.08.05-2002.08.11/msg00221.html, as text, to the file ringsig.c. Delete the paragraph of explanation, and/or any HTML junk, so the file starts with: /* Implementation of ring signatures from * http://theory.lcs.mit.edu/~rivest/RivestShamirTauman-HowToLeakASecret.pdf * by Rivest, Shamir and Tauman and it ends with: lPglqmmy3p4D+psNU1rlNv6yH/L0PgcuW7taVpbopjl4HLuJdWcKHJlXish3D/jb eoQ856fYFZ/omGiO9x1D0BsnGFLZVWob4OIZRzO/Pc49VIhFy5NsV2zuozStId89 [...] */ 2. The "[...]" above is where a remailer caused some of the signature to be stripped out. Replace the last few lines of ringsig.c with the text from http://www.inet-one.com/cypherpunks/dir.2002.08.05-2002.08.11/msg00306.html. This has the lines from the END PGP PUBLIC KEY BLOCK line onward. The last lines of the ringsig.c file should be: BjHTDH0VZeu3IxUFh37w2fIEehL8WrXvCoCMFnd1/bnn/qI/STXgg6as579/yBIJ nJra7Ceru4q4wUssK79T6SdOM6wcvVg96ub4UOTaPO4wYhhadCbLFpl3tPfTLceb */ 3. Compile ringsig.c using the openssl library, to form an executable file "ringsig". Try running ringsig and you will get a usage message. 4. Get the two perl scripts from http://www.inet-one.com/cypherpunks/dir.2002.08.05-2002.08.11/msg00313.html and save them as "ringver" and "ringsign". 5. Run the ringsig.c file through the "pgp" program to create a PGP key ring file from the PGP PUBLIC KEY BLOCK data. With the command line version of PGP 2.6.2 the command is: pgp -ka ringsig.c sigring.pgp This will also show you the set of keys, one of which made the signature. *** COULD SOMEONE PLEASE FOLLOW THE STEPS ABOVE AND PUT THE ringsig.c, ringsign, ringver, AND sigring.pgp FILES ON A WEB PAGE SO THAT PEOPLE CAN DOWNLOAD THEM WITHOUT HAVING TO GO THROUGH ALL THESE STEPS? *** 6. Finally, the verification step: run the ringver perl script, giving the PGP key file created in step 5 as an argument, and giving it the ringsig.c file as standard input: ./ringver sigring.pgp < ringsig.c This should print the message "Good signature". 7. How do you know what this means? For that you have to read the paper referenced in the program to become convinced of the theory, and then to study the program to be convinced that it implements the algorithm in the paper. 8. To create your own signatures, create a PGP keyring file which holds your own key as well as the keys of other people that you want people to think might have issued the signature. They must all be RSA public keys. Create a PGP secring.pgp file which holds just your secret key, and change your passphrase on that key to be blank. (This is temporary, you can change it back or delete the secring.pgp when you are done.) Then use the ringsign perl script: "./ringsign filetosign pubkeyfile privkeyfile > outfile" This will append a signature to the file you are signing. You also need to make sure the recipient knows the pubkeyfile, so you may want to send that separately, or include it in the file being signed as was done in this case. 9. Please report whether you were able to succeed, and if not, which step failed for you. BTW there are a couple of papers on ring signatures to be presented at Crypto 02 so there might be some new improvements coming to the code if the ideas look good. One possibility is extending them to work with DSS keys in addition to the current RSA keys.
Re: Signing as one member of a set of keys
Anonymous wrote: > Steps to verify the "ring signature" file (note: you must have the openssl > library installed): > > > 1. Save http://www.inet-one.com/cypherpunks/dir.2002.08.05-2002.08.11/msg00221.html, > as text, to the file ringsig.c. Delete the paragraph of explanation, and/or any > HTML junk, so the file starts with: > > /* Implementation of ring signatures from > * http://theory.lcs.mit.edu/~rivest/RivestShamirTauman-HowToLeakASecret.pdf > * by Rivest, Shamir and Tauman > > and it ends with: > > lPglqmmy3p4D+psNU1rlNv6yH/L0PgcuW7taVpbopjl4HLuJdWcKHJlXish3D/jb > eoQ856fYFZ/omGiO9x1D0BsnGFLZVWob4OIZRzO/Pc49VIhFy5NsV2zuozStId89 > [...] > */ > > > 2. The "[...]" above is where a remailer caused some of the signature > to be stripped out. Replace the last few lines of ringsig.c with the > text from > http://www.inet-one.com/cypherpunks/dir.2002.08.05-2002.08.11/msg00306.html. > This has the lines from the END PGP PUBLIC KEY BLOCK line onward. > The last lines of the ringsig.c file should be: > > BjHTDH0VZeu3IxUFh37w2fIEehL8WrXvCoCMFnd1/bnn/qI/STXgg6as579/yBIJ > nJra7Ceru4q4wUssK79T6SdOM6wcvVg96ub4UOTaPO4wYhhadCbLFpl3tPfTLceb > */ > > > 3. Compile ringsig.c using the openssl library, to form an executable file > "ringsig". Try running ringsig and you will get a usage message. > > > 4. Get the two perl scripts from > http://www.inet-one.com/cypherpunks/dir.2002.08.05-2002.08.11/msg00313.html > and save them as "ringver" and "ringsign". > > > 5. Run the ringsig.c file through the "pgp" program to create a PGP key > ring file from the PGP PUBLIC KEY BLOCK data. With the command line > version of PGP 2.6.2 the command is: > > pgp -ka ringsig.c sigring.pgp > > This will also show you the set of keys, one of which made the signature. > > *** COULD SOMEONE PLEASE FOLLOW THE STEPS ABOVE AND PUT THE ringsig.c, > ringsign, ringver, AND sigring.pgp FILES ON A WEB PAGE SO THAT PEOPLE > CAN DOWNLOAD THEM WITHOUT HAVING TO GO THROUGH ALL THESE STEPS? *** Once it works, I'll happily do that, but... > 6. Finally, the verification step: run the ringver perl script, giving the > PGP key file created in step 5 as an argument, and giving it the ringsig.c > file as standard input: > > ./ringver sigring.pgp < ringsig.c > > This should print the message "Good signature". ben@scuzzy:~/tmp/multisign$ ./ringver pubring.pkr < testwhole ERROR: Bad signature (Incidentally, this was the procedure I followed in the first place, except I manually broke the file into parts, rather than using ringver). I still suggest sending the relevant file as an attachment, so it doesn't get mangled in transit. I wonder how many people are now convinced I didn't write this code? ;-) Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ Available for contract work. "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Signing as one member of a set of keys
> > *** COULD SOMEONE PLEASE FOLLOW THE STEPS ABOVE AND PUT THE ringsig.c, > > ringsign, ringver, AND sigring.pgp FILES ON A WEB PAGE SO THAT PEOPLE > > CAN DOWNLOAD THEM WITHOUT HAVING TO GO THROUGH ALL THESE STEPS? *** > > Once it works, I'll happily do that, but... > > > 6. Finally, the verification step: run the ringver perl script, giving the > > PGP key file created in step 5 as an argument, and giving it the ringsig.c > > file as standard input: > > > > ./ringver sigring.pgp < ringsig.c > > > > This should print the message "Good signature". > > ben@scuzzy:~/tmp/multisign$ ./ringver pubring.pkr < testwhole > ERROR: Bad signature Could you post the files anyway on a web page, then the author can check them against his copies and see which are corrupted?
Re: Signing as one member of a set of keys
Anonymous wrote: >>>*** COULD SOMEONE PLEASE FOLLOW THE STEPS ABOVE AND PUT THE ringsig.c, >>>ringsign, ringver, AND sigring.pgp FILES ON A WEB PAGE SO THAT PEOPLE >>>CAN DOWNLOAD THEM WITHOUT HAVING TO GO THROUGH ALL THESE STEPS? *** >> >>Once it works, I'll happily do that, but... >> >> >>>6. Finally, the verification step: run the ringver perl script, giving the >>>PGP key file created in step 5 as an argument, and giving it the ringsig.c >>>file as standard input: >>> >>>./ringver sigring.pgp < ringsig.c >>> >>>This should print the message "Good signature". >> >>ben@scuzzy:~/tmp/multisign$ ./ringver pubring.pkr < testwhole >>ERROR: Bad signature > > > Could you post the files anyway on a web page, then the author can check > them against his copies and see which are corrupted? OK. Coming soon. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ Available for contract work. "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Signing as one member of a set of keys
On Sat, 17 Aug 2002, Anonymous wrote: > *** COULD SOMEONE PLEASE FOLLOW THE STEPS ABOVE AND PUT THE ringsig.c, > ringsign, ringver, AND sigring.pgp FILES ON A WEB PAGE SO THAT PEOPLE > CAN DOWNLOAD THEM WITHOUT HAVING TO GO THROUGH ALL THESE STEPS? *** The files are available at: http://www.abditum.com/~rabbi/ringsig/ Also, if you'd like to send me a more detailed blurb for the webpage, I'd be happy to put it up. Otherwise, this will have to do. > 9. Please report whether you were able to succeed, and if not, which step > failed for you. I just ran into a bunch of errors when trying to compile with OpenSSL 0.9.7beta3. I'm debugging now... --Len.
Re: Signing as one member of a set of keys
On Thu, 22 Aug 2002, Anonymous wrote: > Len Sassaman has put the ringsig program up at > > http://www.abditum.com/~rabbi/ringsig/ [...] > Second, unfortunately all of the tabs have been converted to spaces. > This will prevent the sig from verifying. [...] I've put a corrected version in its place. If this still has problems, could you send me the md5sum of the correctly formatted file so that I can be sure I get it right? --Len.
Re: Signing as one member of a set of keys
Len Sassaman wrote: > On Sat, 17 Aug 2002, Anonymous wrote: > > >>*** COULD SOMEONE PLEASE FOLLOW THE STEPS ABOVE AND PUT THE ringsig.c, >>ringsign, ringver, AND sigring.pgp FILES ON A WEB PAGE SO THAT PEOPLE >>CAN DOWNLOAD THEM WITHOUT HAVING TO GO THROUGH ALL THESE STEPS? *** > > > The files are available at: > > http://www.abditum.com/~rabbi/ringsig/ > > Also, if you'd like to send me a more detailed blurb for the webpage, I'd > be happy to put it up. Otherwise, this will have to do. > > >>9. Please report whether you were able to succeed, and if not, which step >>failed for you. > > > I just ran into a bunch of errors when trying to compile with OpenSSL > 0.9.7beta3. I'm debugging now... There's a fixed verion on the page I just posted (admittedly against a current 0.9.7 snapshot, not beta3). http://www.alcrypto.co.uk/ringsign/ Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ Available for contract work. "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Signing as one member of a set of keys
Anonymous wrote: >>>*** COULD SOMEONE PLEASE FOLLOW THE STEPS ABOVE AND PUT THE ringsig.c, >>>ringsign, ringver, AND sigring.pgp FILES ON A WEB PAGE SO THAT PEOPLE >>>CAN DOWNLOAD THEM WITHOUT HAVING TO GO THROUGH ALL THESE STEPS? *** >> >>Once it works, I'll happily do that, but... >> >> >>>6. Finally, the verification step: run the ringver perl script, giving the >>>PGP key file created in step 5 as an argument, and giving it the ringsig.c >>>file as standard input: >>> >>>./ringver sigring.pgp < ringsig.c >>> >>>This should print the message "Good signature". >> >>ben@scuzzy:~/tmp/multisign$ ./ringver pubring.pkr < testwhole >>ERROR: Bad signature > > > Could you post the files anyway on a web page, then the author can check > them against his copies and see which are corrupted? http://www.alcrypto.co.uk/ringsign/ Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ Available for contract work. "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Signing as one member of a set of keys
Anonymous wrote: > Len Sassaman has put the ringsig program up at > >>http://www.abditum.com/~rabbi/ringsig/ > > > First, the ring signature portion has successfully been repaired from > the truncation imposed by the anon remailer in the original post. > > Second, unfortunately all of the tabs have been converted to spaces. > This will prevent the sig from verifying. > > Third, a number of the lines have been wrapped. This will also prevent > the verification from going through. The version I posted does not appear to suffer from either of these problems (but also does not verify). Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ Available for contract work. "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
