Crypto boffins propose replacing certification authorities with ... Bitcoin?

Whatever your opinion of Bitcoin, it does stand as a high-quality intellectual achievement. Now, a group of researchers from Johns Hopkins are suggesting its cryptographic implementation could help solve the “certificate problem” for ordinary users. Apart from whether or not they might be universally compromised by the spooks …

COMMENTS

This topic is closed for new posts.
  1. Steve Knox

    'Nuff Said

    "to make assertions about identity in a fully anonymous fashion"

    1. Captain DaFt

      Re: 'Nuff Said

      You scoff, but it'd be an excellent way to verify that the 'Agent X' that you're communicating with is the real Agent X, without compromising his/her identity.

    2. Frumious Bandersnatch

      Re: 'Nuff Said

      "to make assertions about identity in a fully anonymous fashion"

      No, please do say more. You do realise how zero-knowledge proofs work? Or algorithms like Dining Cryptographers? Just because people hide behind masks it doesn't mean they can't make true statements (statements about identity included).

      1. Steve Knox

        Re: 'Nuff Said

        Okay, I will say more.

        In order to be useful, a statement about identity must narrow down the list of possible individuals that may make the statement truthfully, usually significantly.

        Let's take one of the examples from the paper: "I am eligible to vote." Let's say this is in the UK.

        The UK's total population is approximately 63 million people (as of 2012). But only about 50 million are eligible (and roughly 46 million registered.) So simply by making that statement truthfully, you would be eliminating approximately 1/5 of potential identities.

        While you can hide behind a mask and make true statements about your identity, any such statements will decrease your level of anonymity.

        Note that this is identity, which the paper authors repeatedly conflate with authority. For example, if you could anonymously register a domain with the example system they describe, and then issue a statement that you are authorized to maintain said domain, that would not decrease your anonymity because the statement is not linked to an identity.

        Had the authors had the sense to understand the difference between identity and authority, they would not likely have made the absurd proposition that statements about identity could be made "in a fully anonymous fashion."

        Is that enough for you?

        1. Frumious Bandersnatch

          Re: 'Nuff Said

          Is that enough for you?

          Let's not confuse anonymity with pseudonymity. The paper describes a method for building the latter upon a network that assumes the former as a building block.

          There are two routes to proving "identity" (ie, ownership of a particular pseudonym) as outlined/mentioned in the paper. The first is through ZK proofs. Using this, you come up with a secret and then convince some other party (the ZK proof part) that you know the secret or some property of it. When the paper talks about "identity", it's talking about a pseudonym, and when it talks about an "authority" it's talking about something that's acting as your delegate in proving that you own that nym (via a credential that you issue). ZK proofs mean that you can prove that you know the secret key, but never reveal any knowledge that could be used to reconstruct it.

          The second kind of identity is group identity. You can prove that you're a member of a group by using one-way accumulators. A CA will generate an accumulator (like a hash table, but more compact and opaque) for each member of the group. Then each member can use that to identify themselves as being part of the group without revealing the other group members. This preserves the essential anonymity of the group (even to other members, though the CA knows the signing keys), while still allowing nym-to-nym self-recognition (and even proving membership to non-members).

          It's pretty amazing the things that can be done these days with the crypto primitives we have. It's totally possible to set up an identity (read: pseudonym) system that is totally (well, computationally, to any degree you want) anonymous. That's why I called you out on your initial comment.
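The group-membership route described in the post above (a one-way accumulator, with the authority knowing the trapdoor but members and verifiers not), as an added toy example that is not code from the paper or from any commenter. It assumes constructed demo parameters (N = 10007 * 10009, base 65537) and a trial-division hash-to-prime; the names `accumulate`, `verify_member` and `member_prime` are mine.

```python
"""Toy one-way (RSA) accumulator for anonymous group membership.

Constructed demo parameters, NOT production sized: N = 10007 * 10009, whose
factorisation only the accumulator authority knows. A real deployment uses a
2048-bit or larger modulus and a proper hash-to-prime function.
"""
import hashlib
import math

N = 10007 * 10009   # toy modulus (constructed)
G = 65537           # public base of the accumulator (constructed)


def member_prime(nym_pub: int) -> int:
    """Map a member's public key to a prime in [1000, 5000): hash the key,
    then step to the next odd prime (trial division suffices at toy size)."""
    h = hashlib.sha256(str(nym_pub).encode()).digest()
    n = (1000 + int.from_bytes(h, "big") % 3900) | 1
    while any(n % d == 0 for d in range(3, math.isqrt(n) + 1, 2)):
        n += 2
    return n


def accumulate(members):
    """Authority step: acc = G^(product of all member primes) mod N, plus one
    witness per member formed from the product of everyone else's primes."""
    primes = [member_prime(m) for m in members]
    acc = G
    for p in primes:
        acc = pow(acc, p, N)
    witnesses = {}
    for i, m in enumerate(members):
        w = G
        for j, other in enumerate(primes):
            if j != i:          # index-based so a prime collision still works
                w = pow(w, other, N)
        witnesses[m] = w
    return acc, witnesses


def verify_member(acc: int, nym_pub: int, witness: int) -> bool:
    """Anyone holding acc can check a membership claim: witness^prime == acc.
    The witness says nothing about which other keys were accumulated."""
    return pow(witness, member_prime(nym_pub), N) == acc
```

Only the member being checked presents a prime and witness; the verifier never sees the other members' keys or primes, which is the property the post describes.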

          1. John Smith 19 Gold badge

            Re: 'Nuff Said

            "It's pretty amazing the things that can be done these days with the crypto primitives we have. It's totally possible to set up an identity (read: pseudonym) system that is totally (well, computationally, to any degree you want) anonymous. That's why I called you out on your initial comment."

            So (IIUC) with this system in place we could prove that all messages supposedly coming from "Frumious Bandersnatch" do come from you, but not who you are?

            Authentication with anonymity?

            Ingenious, if it works.

            1. Frumious Bandersnatch

              Re: 'Nuff Said

              So (IIUC) with this system in place we could prove that all messages supposedly coming from "Frumious Bandersnatch" do come from you, but not who you are?

              In a nutshell, yes. The big difference in the paper is that the network provides a decentralised identity system, unlike here, where the "Frumious Bandersnatch" nym is controlled totally by the Register (well, and me).

          2. Michael Wojcik Silver badge

            Re: 'Nuff Said

            When the paper talks about "identity", it's talking about a pseudonym

            You needn't even introduce the pseudonymity qualification, depending on how you define identity. And that question is largely a metaphysical one - with aspects of ontology and epistemology, but at any rate still philosophical.

            A standard ZKP, for example, is after all a demonstration that the prover holds the secret; if the prover and tester agree that there's a high probability that only one entity holds the secret, then the prover has established (with high probability) that it is that unique entity. There's no a priori reason for declaring that the attribute "unique holder of secret X" is not sufficient to define an "identity".

            Knox's objections in this thread are grounded in conflating cultural, informal notions of "identity" with both cryptographic ones and formally precise ones. They're based on a category error.

            And all that said, there's no a priori reason why you can't have protocols for anonymous attestations of cultural identity, either. An example: Alice walks into a room full of people who know one another but are strangers to her. She asks for Bob. Bob raises his hand, but so does Chris, an inveterate jokester. Alice asks the rest of the room who the real Bob is, and the remaining occupants point to Bob. Alice has no information about the identities of any of these other people, but it would still be reasonable to accept their consensus as evidence of Bob's identity. They could all be colluding (and more-sophisticated protocols can help protect against that), but if Alice judges it to be relatively improbable (and we make thousands of such judgements about social behavior every day), then she has good probabilistic grounds for her decision.
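The ZK route described two posts up (prove you hold the secret behind a nym without revealing it) and the "unique holder of secret X" identity in the post above, as an added toy example that is not code from the paper or from any commenter. It assumes a constructed demo group (safe prime p = 10007, q = 5003, generator g = 4) and a Schnorr proof made non-interactive with Fiat-Shamir; `make_nym`, `prove_nym` and `verify_nym` are my names.

```python
"""Toy Schnorr proof of pseudonym ownership.

Constructed demo group, NOT production sized: p = 10007 (a safe prime),
q = 5003, g = 4 generating the order-q subgroup. A real system would use a
2048-bit group or an elliptic curve; the protocol logic is the same.
"""
import hashlib
import secrets

P, Q, G = 10007, 5003, 4


def make_nym(rng=secrets.randbelow):
    """A nym is the public key y = g^x mod p; the secret x is never shown."""
    x = 1 + rng(Q - 1)
    return x, pow(G, x, P)


def challenge(y: int, t: int, msg: bytes) -> int:
    """Fiat-Shamir: hash the public transcript into a challenge. Including
    msg binds the proof to that message so it cannot be replayed elsewhere."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def prove_nym(x: int, y: int, msg: bytes, rng=secrets.randbelow):
    """Prover: commit to a fresh nonce k, then answer s = k + c*x mod q.
    s reveals nothing about x only because k is uniform and used once;
    a reused k across two proofs would expose x, so never cache it."""
    k = 1 + rng(Q - 1)
    t = pow(G, k, P)
    c = challenge(y, t, msg)
    return t, (k + c * x) % Q


def verify_nym(y: int, msg: bytes, proof) -> bool:
    """Verifier: g^s == t * y^c (mod p) holds only when s was formed with
    the x behind y. The verifier learns that x exists, not its value."""
    t, s = proof
    c = challenge(y, t, msg)
    return pow(G, s, P) == (t * pow(y, c, P)) % P
```

Run with two different nyms to see that each proof verifies only under the public key it was made for, which is the "authentication with anonymity" the thread is asking about.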

  2. Paul J Turner

    I'll bet...

    Verisign ain't happy!

    1. Anonymous Coward

      Re: I'll bet...

      And that was me you just heard cheering.

    2. Michael Wojcik Silver badge

      Re: I'll bet...

      Verisign ain't happy!

      It's a long road from proposal to commercial success. PGP and compatible systems have offered an alternative to hierarchical PKI with the "Web of Trust" for over 20 years. It's easy to understand, quite simple to use, and free. It's made essentially no inroads against the commercial CAs and their X.509 PKI hierarchy.

      I'd love to see a widely-deployed PKI that was better in any of a number of ways than the current vile mess. (I'd even be pretty happy if, say, browser manufacturers stopped including hundreds of suspect root certs.) But I'm not holding my breath.

  3. Frumious Bandersnatch

    analogy fail?

    The sole reason that Bitcoin works is that peers have a vested interest (money) in doing one of two things: minting new coins, and proving that the ledger is correct. There's a delicate balance struck between regular users and those with vastly more computational power available to them. Bitcoin is structured in such a way that it's more likely that the latter can gain more virtual currency by playing by the same rules as the regular users rather than trying to subvert the system. This leads to the question of how a distributed identity system like this one is going to convince users that it's in their own interest to be "provers" in this system. For Bitcoin (and similar) the answer is obviously monetary, but the paper makes no mention of compensating peers at all.

    The paper describes all the machinery, but completely misses out on the reason why anyone would want to devote their resources (CPU, network, electricity) to implementing it.

    1. Paul J Turner

      Re: analogy fail?

      "The paper describes all the machinery, but completely misses out on the reason why anyone would want to devote their resources (CPU, network, electricity) to implementing it."

      And yet they do this kind of thing in droves, world-wide, 24x7; because they see the worth of it.

      https://en.wikipedia.org/wiki/List_of_distributed_computing_projects

    2. Mephistro

      Re: analogy fail? (@ Frumious Bandersnatch)

      " This leads to the question of how a distributed identity system like this one is going to convince users that it's in their own interest to be "provers" in this system"

      By allowing them to use the other "provers" in the system to check their own certificates. In short: you are not a "prover", you can't use/check the certificates.

      1. Frumious Bandersnatch

        Re: analogy fail? (@ Frumious Bandersnatch)

        But that's just chicken and egg reasoning. It doesn't demonstrate any intrinsic value proposition for non-members. It's like saying, "if you have a fax machine, you can fax other people who have fax machines". If the network isn't there (or is shrinking, as I assume is the case for fax users) then there's no point in joining it. At least Bitcoin does have a clear value proposition (you might convert electricity into cash).

        1. DropBear

          Analogy fail indeed

          ...except with fax machines, the system is of use to you only if you can use it to send a fax to someone you wanted to contact; whereas with this system you have no particular interest in who you're contacting, as long as the network is capable of authenticating what you needed to authenticate in a trustworthy manner - something you just can't get otherwise without needing to trust a CA.

        2. Nigel 11

          Re: analogy fail? (@ Frumious Bandersnatch)

          Surely people also have a strong financial interest in keeping their systems secure? Loss of confidential information to third parties, destruction of information by hostile third parties, both have costs associated. Possibly high costs. Possibly fatally high costs for a business.

          I don't know enough about the technology to judge the practicalities, but the concept is surely not a fail on motivational grounds.

  4. Chris--S

    So could a botnet herder subvert this system, and how many bots would it take?

    1. websey

      Going on how bitcoins work, you would have to have a large majority (you have to have more yes's than no's)

      So if the botnet had control of 80% of the chain then they could subvert it.

      with bitcoin it works (simply)

      you send money to me

      I accept money

      the rest of the chain then confirms that the money (bitcoins) has moved from you to me. To subvert that you would have to have a large percentage under your control to say you have sent me the money vs me and the other percentage saying I haven't received the money

  5. Anonymous Coward

    If they do this

    I hope the system supports multiple certificate types used as a single collective certificate. That way if the NSA compromises one type of encryption, they couldn't masquerade as someone else, they'd have to break them all.

    Sure, it requires more computational power, but we seem to mostly have an excess of that these days, at least on an individual basis.
