From: Adam Back <aba@dcs.ex.ac.uk>
Date: Thu, 15 Oct 1998 09:46:52 +0800
To: minow@pobox.com
Subject: Re: ATTN: BlackNet, sog's keys 4 sale
In-Reply-To: <v03102816b24a724036ee@[17.219.105.162]>
Message-ID: <199810150105.CAA02529@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain




Martin Minow <minow@pobox.com> writes:
> Adam Back <aba@dcs.ex.ac.uk> notes that the "Toto death thread"
> posting was signed using the "son of Gomer" Blacknet key that
> was broken by Paul Leyland (read through the past few days of the
> archives to get the context).

Note the `son of gomez' key was _encrypted with_ the Blacknet key.
Toto/anonymous was submitting his information for sale to Blacknet, so
he used a `digital dead drop' -- encrypted with Blacknet's key and
posted in a public place (cypherpunks), however he (it appears
intentionally) used the weak 384 bit Blacknet key which Paul Leyland's
announce claims was created by Larry Detweiler.

Also note that Paul Leyland (and Alec Muffett, Arjen Lenstra, Jim
Gillogly) factored that key a _long_ time ago, Jun 1995 (see the Date
on the attachment of the announce to one of my earlier posts.)

Perhaps you understood that, but what you wrote (son of Gomer Blacknet
key?) was confusing.

> Adam notes: "Implications?  Others had CJs keys?  Toto is someone
> other than CJ?"
> 
> One other implication to consider: you might be able to attain
> semi-deniability by siging a message with a key that is breakable
> by an adversity with govermental resources (to use an euphamism)
> but not by an ordinary, presumably less motivated, cracker.

This is similar to the time-delay crypto proposals made by Tim May and
more lately David Wagner, (and some other authors who I forget, I
think Schneier).  One of the time-delay crypto protocols is to encrypt
the information one wants to a time-delayed release of with weak
encryption requiring the approximate amount of time you wish to delay
to break.

'Course it doesn't work in general because it depends entirely on the
resources of the attacker.  Really you need a third party to publish
private keys at delayed intervals.

But for your suggested applicatoin -- plausible deniability for
`speaking truth to kings' -- it works fine, because that's the point,
plausible deniability against well resourced attackers (you are in
trouble if well resourced attackers are interested in you anyway), but
some value to the signature for low resourced attackers.

Other ways to provide plausible deniability is to not sign public
posts, and to use non-transferable signatures for private email.

Adam