1993-10-27 - True Names and nyms

Header Data

From: hfinney@shell.portal.com
To: cypherpunks@toad.com
Message Hash: a1ec0a3124b11bc368ffeda12a6d761a1ba2420ea65fc2bbdca26c1397c67230
Message ID: <9310270537.AA00202@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1993-10-27 05:42:36 UTC
Raw Date: Tue, 26 Oct 93 22:42:36 PDT

Raw message

From: hfinney@shell.portal.com
Date: Tue, 26 Oct 93 22:42:36 PDT
To: cypherpunks@toad.com
Subject: True Names and nyms
Message-ID: <9310270537.AA00202@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


Some people have argued that there is no way to prevent the use of
multiple pseudonyms on the net, that it is possible today and that the
new crypto technologies will provide even easier techniques tomorrow.

This is an oversimplification, as Tim pointed out.  "Is-a-person" credentials
can be used to determine whether someone is a "True Name" or not,
which is really what Larry wanted to know.  Here is one way they might

(To make this clearer, it is best to think in terms of the equation,
pseudonym == public key.  A pseudonym is a public key.  We think of
pseudonyms as being names, like "wonderer" or "sam hill", or perhaps
as email addresses, like "hacker@univ.edu".  But from the point of view
of cryptography, these are just frills.  The important thing is the key.
With a public key, a pseudonym can sign his messages, so that nobody
else can successfully pretend to be him.  He can read messages sent to
him, messages which no one else can read.  If he has to switch email
addresses he can do so and still maintain his identity by continuing
to use the same key.  It is his key which is his real identity on the
net.  OK, back to the is-a-person credential:)

An is-a-person credential could be structured identically to the digital
coins used in Chaum's simple digital cash proposal.  You would go to the
credentialling agency and provide some unique form of identification,
something that no one else could forge.  Today this might be a thumbprint,
or in the future it could perhaps be a DNA scan.  However, you do not have
to identify yourself by name.  They don't need to know who you are; they only
know that you are a living, breathing human being, one whom they have not
seen before.  (There could be more than one credentialling agency, but they
would all share a database of thumbprints or whatever.)

You choose a special public key which you will use for all of your True
Name activities on the net.  This public key will be used to sign messages
which you want to prove are from a real person.  Any message sent with
that signature is known to be from a True Name and not from a nym.  Only
one True Name exists per person.

Note that this True Name doesn't have to be your real name.  If you want
to always post under John Q. Public and use this special key for that
purposes, you can do so.  But you won't be able to post under any other
name, including your own, as a True Name, not unless you use that same
key.  And of course if you do, people will be able to know that you are
the same as John Q. Public since you are using the same signature key.

The way this is established is that you take your True Name key, which
we'll call TN, and do as was done for Chaum's cash: pass it through
a one-way function f, and blind with a random number r^3: f(TN)*r^3.
You give this to the credentiallying agency when you come in with your
thumbprint, and they sign it by taking the cube root.  This is
f(TN)^(1/3) * r.  Back home, you divide by r, getting f(TN)^(1/3).

This is your True Name certificate.  You can submit it to a public key
registry along with TN; anyone can calculate f(TN) and verify the
credentialling agency's signature.  People will therefore know that this
key is the only one belonging to some real person which is signed in
this way.  Only one such key can exist for each person.

So, if people claim to be posting under True Names, they can prove it
very easily, by using their True Name key, signed by a credentialling
agency.  People can still post under as many nyms as they want, but only
one gets to call itself True.

Note that this solution doesn't reveal very much about the person.
Because the certificates are blinded by r^3 when they are signed, even
the credentialling agency has no way of knowing which thumbprints are
associated with which True Name.  (So, actually, it wouldn't be a problem
if the agency got your name and address when you came in - this still
couldn't be linked with your postings if you didn't want it to be.)
Nobody is forced to even use a True Name when they post; they could use
nothing but nyms.  On the other hand, if people want to reserve certain
conferences for True Names only, they can.  There is tremendous flexibility
to have as much or as little use of nyms as people want.

So, people should not be so quick to claim that crypto can only be used
to increase anonymity.  It is a powerful technology that can be used to
increase our control over information in many ways.  Chaum's papers
continue to amaze me with what is possible.

Hal Finney

Version: 2.3a