From: mccoy@communities.com (Jim McCoy)
Date: Sat, 18 May 1996 21:31:31 +0800
To: bryce@digicash.com
Subject: Re: found nym-differentiation! Still need perpetual motion, FTL travel, cold fusion
Message-ID: <v02140b01adc2c1d47286@[205.162.51.35]>
MIME-Version: 1.0
Content-Type: text/plain


Bryce wrote:
>
>  "Perry Metzger" <perry@piermont.com> is alleged to have written:
> (> Bryce wrote:)
>
> > > Simple as pie, because of some of the properties of DC-Nets.
> > > If someone sends out the wrong number of pubkeys, then
> > > everyone will know, right?  So when that happens everyone
> > > just reveals their shared-secret data from the DC-Net
> > > session.
> >
> > And if several people lie about their shared secrets?

This is what secure bit-commitment is for.  The refinements to the DC-net
protocol since Chaum's original paper make this a non-issue if you are
willing to spend the CPU cycles to do all of the necessary work.

> If some of your N participants are going to collude to share
> their nyms then it is manifestly impossible to stop them.
> But that doesn't bother me.  The purpose of this scheme is
> to create N nyms for N people and be sure that each of then
> N people who wanted a nym got one.  If you are sure that
> each of the N people wanted a nym, then you can be sure you
> have a one-to-one mapping between people and nyms, but
> unconditional untraceability from nyms to people.

Or, to rephrase the question in a manner which my lead you to the solutions
which already exists for this problem:  You have an anonymous access channel
in which you need to do frame reservation such that each member can reserve
one and only one frame for the transmission phase which follows frame
reservation. You are both talking about disrupter detection in an anonymous
channel and it has already been solved...

> But perhaps what you were talking about was a
> denial-of-service attack on the DC-Net's network layer.
> That has been addressed extensively in Chaum's original
> "Dining Cryptographers" paper.  Chaum's method for dealing
> with denial-of-service attacks is typically brilliant, but
> even so it is an unwieldly and expensive (in terms of
> computation and bandwidth) proposition.  I recommend "Dining
> Cryptographers" to everyone, and I hope that someone who
> reads it will come up with a better solution.

They already have.  Actually, the trap method in Chaum's original paper
is both expensive and flawed.   Get a copy of EuroCrypt 89 and read
the DC nets papers in there by B. den Bos and by Michael Waidner.  If
you are in the Bay Area I have a copy of Pfitzmann and Waidner's "Dining
Cryptographers in the Disco: Unconditional Sender and Recipient Anonymity
with Computational Serviceability" which I would be happy to make copies of.
This is probably the most comprehensively secure DC-net scheme I am aware of;
although, like most Crypto papers, it is way more complicated and
computationally expensive than necessary for real life.

jim