back to article Crypto boffins propose replacing certification authorities with ... Bitcoin?

Whatever your opinion of Bitcoin, it does stand as a high-quality intellectual achievement. Now, a group of researchers from Johns Hopkins are suggesting its cryptographic implementation could help solve the “certificate problem” for ordinary users. Apart from whether or not they might be universally compromised by the spooks, a …

COMMENTS

This topic is closed for new posts.
Silver badge
Coffee/keyboard

'Nuff Said

"to make assertions about identity in a fully anonymous fashion"

0
2
Silver badge

Re: 'Nuff Said

You scoff, but it'd be an excellent way to verify that the 'Agent X' that you're communicating with is the real Agent X, without compromising his/her identity.

5
0
Bronze badge

Re: 'Nuff Said

"to make assertions about identity in a fully anonymous fashion"

No, please do say more. You do realise how zero-knowledge proofs work? Or algorithms like Dining Cryptographers? Just because people hide behind masks it doesn't mean they can't make true statements (statements about identity included).

7
0
Silver badge
Boffin

Re: 'Nuff Said

Okay, I will say more.

In order to be useful, a statement about identity must narrow down the list of possible individuals that may make the statement truthfully, usually significantly.

Let's take one of the examples from the paper: "I am eligible to vote." Let's say this is In the UK.

The UK's total population is approximately 63 million people (as of 2012). But only about 50 million are eligible (and roughly 46 million registered.) So simply by making that statement truthfully, you would be eliminating approximately 1/5 of potential identities.

While you can hide behind a mask and make true statements about your identity, any such statements will decrease your level of anonymity.

Note that this is identity, which the paper authors repeatedly conflate with authority. For example, if you could anonymously register a domain with the example system they describe, and then issue a statement that you are authorized to maintain said domain, that would not decrease your anonymity because the statement is not linked to an identity.

Had the authors had the sense to understand the difference between identity and authority, they would not likely have made the absurd proposition that statements about identity could be made "in a fully anonymous fashion."

Is that enough for you?

1
4
Bronze badge

Re: 'Nuff Said

Is that enough for you?

Let's not confuse anonymity with pseudonimity. The paper describes a method for building the latter upon a network that assume the former as a building block.

There are two routes to proving "identity" (ie, ownership of a particular pseudonym) as outlined/mentioned in the paper. The first is through ZK proofs. Using this, you come up with a secret and then convince some other party (the ZK proof part) that you know the secret or some property of it. When the paper talks about "identity", it's talking about a pseudonym, and when it talks about an "authority" it's talking about something that's acting as your delegate in proving that you own that nym (via a credential that you issue). ZK proofs mean that you can prove that you know the secret key, but never reveal any knowledge that could be used to reconstruct it.

The second kind of identity is group identity. You can prove that you're a member of a group by using one-way accumulators. A CA will generate an accumulator (like a hash table, but more compact and opaque) for each member of the group. Then each member can use that to identify themselves as being part of the group without revealing the other group members. This preserves the essential anonymity of the group (even to other members, though the CA knows the signing keys), while still allowing nym-to-nym self-recognition (and even proving membership to non-members).

It's pretty amazing the things that can be done these days with the crypto primitives we have. It's totally possible to set up an identity (read: pseudonym) system that is totally (well, computationally, to any degree you want) anonymous. That's why I called you out on your initial comment.

7
0
Gold badge
Go

Re: 'Nuff Said

"It's pretty amazing the things that can be done these days with the crypto primitives we have. It's totally possible to set up an identity (read: pseudonym) system that is totally (well, computationally, to any degree you want) anonymous. That's why I called you out on your initial comment."

So (IIUC) with this system in place we could prove that all messages supposedly coming from "Frumious Bandersnatch" do come from you, but not who you are?

Authentication with anonymity?

Ingenious, if it works.

1
0
Bronze badge

Re: 'Nuff Said

So (IIUC) with this system in place we could prove that all messages supposedly coming from "Frumious Bandersnatch" do come from you, but not who you are?

In a nutshell, yes. The big difference in the paper is that the network provides a decentralised identity system, unlike here, where the "Frumious Bandersnatch" nym is controlled totally by the Register (well, and me).

0
0
Silver badge

Re: 'Nuff Said

When the paper talks about "identity", it's talking about a pseudonym

You needn't even introduce the pseudonimity qualification, depending on how you define identity. And that question is largely a metaphysical one - with aspects of ontology and epistemology, but at any rate still philosophical.

A standard ZKP, for example, is after all a demonstration that the prover holds the secret; if the prover and tester agree that there's a high probability that only one entity holds the secret, then the prover has established (with high probability) that it is that unique entity. There's no a priori reason for declaring that the attribute "unique holder of secret X" is not sufficient to define an "identity".

Knox's objections in this thread are grounded in conflating cultural, informal notions of "identity" with both cryptographic ones and formally precise ones. They're based on a category error.

And all that said, there's no a priori reason why you can't have protocols for anonymous attestations of cultural identity, either. An example: Alice walks into a room full of people who know one another but are strangers to her. She asks for Bob. Bob raises his hand, but so does Chris, an inveterate jokester. Alice asks the rest of the room who the real Bob is, and the remaining occupants point to Bob. Alice has no information about the identities of any of these other people, but it would still be reasonable to accept their consensus as evidence of Bob's identity. They could all be colluding (and more-sophisticated protocols can help protect against that), but if Alice judges it to be relatively improbable (and we make thousands of such judgements about social behavior every day), then she has good probabilistic grounds for her decision.

3
0

I'll bet...

Verisign ain't happy!

7
0
Silver badge

Re: I'll bet...

And that was me you just heard cheering.

2
0
Silver badge

Re: I'll bet...

Verisign ain't happy!

It's a long road from proposal to commercial success. PGP and compatible systems have offered an alternative to hierarchical PKI with the "Web of Trust" for over 20 years. It's easy to understand, quite simple to use, and free. It's made essentially no inroads against the commercial CAs and their X.509 PKI hierarchy.

I'd love to see a widely-deployed PKI that was better in any of a number of ways than the current vile mess. (I'd even be pretty happy if, say, browser manufacturers stopped included hundreds of suspect root certs.) But I'm not holding my breath.

2
0
Bronze badge

analogy fail?

The sole reason that Bitcoin works is that peers have a vested interest (money) in doing one of two things: minting new coins, and proving that the ledger is correct. There's a delicate balance struck between regular users and those with vastly more computational power available to them. Bitcoin is structured in such a way that it's more likely that the latter can gain more virtual currency by playing by the same rules as the regular users rather than trying to subvert the system. This leads to the question of how a distributed identity system like this one is going to convince users that it's in their own interest to be "provers" in this system. For Bitcoin (and similar) the answer is obviously monetary, but the paper makes no mention of compensating peers at all.

The paper describes all the machinery, but completely misses out on the reason why anyone would want to devote their resources (CPU, network, electricity) to implementing it.

4
0

Re: analogy fail?

"The paper describes all the machinery, but completely misses out on the reason why anyone would want to devote their resources (CPU, network, electricity) to implementing it."

And yet they do this kind of thing in droves, world-wide, 24x7; because they see the worth of it.

https://en.wikipedia.org/wiki/List_of_distributed_computing_projects

3
0
Silver badge

Re: analogy fail? (@ Frumious Bandersnatch)

" This leads to the question of how a distributed identity system like this one is going to convince users that it's in their own interest to be "provers" in this system"

By allowing them to use the other "provers" in the system to check their own certificates. In short: you are not a "prover", you can't use/check the certificates.

2
0
Bronze badge

Re: analogy fail? (@ Frumious Bandersnatch)

But that's just chicken and egg reasoning. It doesn't demonstrate any intrinsic value proposition for non-members. It's like saying, "if you have a fax machine, you can fax other people who have fax machines". If the network isn't there (or is shrinking, as I assume is the case for fax users) then there's no point in joining it. At least Bitcoin does have a clear value proposition (you might convert electricity into cash).

2
1
Silver badge

Analogy fail indeed

...except with fax machines, the system is of use to you only if you can use it to send a fax to someone you wanted to contact; whereas with this system you have no particular interest in who you're contacting, as long as the network is capable to authenticate what you neeeded to authenticate in a trustworthy manner - something you just can't get otherwise without needing to trust a CA.

1
0
Silver badge

Re: analogy fail? (@ Frumious Bandersnatch)

Surely people also have a strong financial interest in keeping thir systems secure? Loss of confidential information to third parties, destruction of information by hostile third parties, both have costs associated. Possibly high costs. Possibly fatally high costs for a business.

I don't know enough about the technology to judge the practicalities, but the concept is surely not a fail on motivational grounds.

2
0

So could a botnet hearder subvert this system, and how many bots would it take?

0
0

Going on how bitcoins work, you would have to have a large majority (you have to have more yes's then no's)

So if the botnet had control of 80% of the chain then they could subvert it,

with bitcoin it works (simply)

you send money to me

I accept money

the rest of the chain then confirm that the money (bitcoins) has moved from you to me. to subvert that you would have to have a large percentage under your control to say you have sent me the money vs me and the other percentage saying I haven't recieved the money

0
0
Silver badge

If they do this

I hope the system supports multiple certificate types used as a single collective certificate. That way if the NSA compromises one type of encryption, they couldn't masquerade as someone else, they'd have to break them all.

Sure, it requires more computational power, but we seem to mostly have a excess of that these days, at least on an individual basis.

0
0
This topic is closed for new posts.

Forums