1994-04-07 - Pseudonyms and Reputations

Header Data

From: hfinney@shell.portal.com
To: cypherpunks@toad.com
Message Hash: cfeb0cb66eb2788fbbd2d653516bd3b0a3b889350733185ddf792ba0bb4ad412
Message ID: <199404070236.TAA05451@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-04-07 02:35:29 UTC
Raw Date: Wed, 6 Apr 94 19:35:29 PDT

Raw message

From: hfinney@shell.portal.com
Date: Wed, 6 Apr 94 19:35:29 PDT
To: cypherpunks@toad.com
Subject: Pseudonyms and Reputations
Message-ID: <199404070236.TAA05451@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


New members of the list may not be aware of the background of some of
the technologies we discuss here, such as the remailers.  The purpose
of these systems is not really to help people mailbomb newsgroups or
send harassing letters to their fantasy girlfriends without fear of
repercussions.

One goal of remailer-type technology (which present systems don't
meet very well) is to allow people to use pseudonyms for their
electronic activities.  By using a "nym" a person is able to
engage in communications of various types without fear that some
aspect of what they say or do will impact them negatively in "real
life".  There are a lot of potential forms of harm which could arise
now and in the future from databases recording the various
interactions a person has had in cyberspace.  By preventing the
linkage between his online activities and his real identity he can
protect himself and his privacy.

At the same time, nyms allow for continuity of identity to be
maintained over a period of time.  A person posting under a nym
can develop an image and a reputation just like any other online
personality.  Most people we interact with online are just a name and
an email address, plus whatever impression we have formed of them by
what they say.  The same thing can be true of nyms.

Cryptography plays an important part in making effective use of
nyms possible.  The first thing it can do is to allow users to send
and receive messages under the name of their nyms without anyone
discovering the True Name (capitalization from Vinge's short story
"True Names") behind the nym.  Cryptographer David Chaum has proposed
two technologies for this; the network of "Mixes", on which our own
remailers are modeled; and the so-called "Dining Cryptographers'
Network" (DC-Net), which allows a cooperating group to send messages in
such a way that it is not possible to tell which member of the group
originated each message.

Cryptography can also help maintain the continuity of the nym,
by allowing the user to digitally sign messages under the name of the
nym.  The digital signature cannot be forged, nor can it be
linked to the True Name of the user.  But it makes sure that nobody
can send a message pretending to be another person's nym.

These techniques are already in use or under development, in some
form or another.  But there is much more that could be done to provide
privacy protection and flexibility in the use of nyms.

One possibility is a digital reputation system.  Presently people and
nyms develop informal reputations in the minds of their readers.  This
could be formalized by allowing readers to create endorsements of
various types for those who have worthwhile things to say.  An
endorsement could take the form of a digital signature by the
endorser.  In the simplest form, the endorser would digitally sign a
message which said, in encoded form, "In my opinion, person (or nym)
XXX produces high-quality messages".  This endorsement would be kept
by the person it was given to and shown when he enters a new
cyberspatial forum to help establish an initial reputation.

People who are able to bring a variety of endorsements from respected
individuals or organizations will be able to have their words carry
weight from the beginning.  Without these, a new poster may find that
not many people can even be bothered to read his messages amongst the
flood of others.  The endorsements can break through the barriers, the
filters which people use to decide what information to receive.  They
represent a digital reputation which can be carried to distant regions
of cyberspace.

One could imagine more elaborate forms of endorsements, as well.
Chaum describes a technique by which a numerical rating could be
given, say on a scale from 1 to 100.  Because of the mathematical
structure of Chaum's approach, a person who carries such an
endorsement can optionally downgrade it when he shows it.  Suppose
some paragon of wisdom has dozens of "100" endorsements from respected
individuals.  Entering a new group, he may not want to intimidate
people, so he displays his endorsements as a respectable "70+".  This
lets him be heard without overwhelming other participants.

Pseudonyms can prevent messages from being linked to True Names, but
there is still a privacy problem as information accumulates about the
nym itself.  As more and more activities take place online, if one
uses the same nym all the time, the buildup of information about that
nym, his preferences, his favorite places to go in cyberspace, his
political views, etc., may become burdensome.  All that baggage
accumulates and is easily available to others.  It may become as much
of a barrier to a nym's online activities as it would have been to the
True Name's real-life activities.

One solution is to use a nym for some purposes and the True Name for
others.  Then the information about the two is separate and nobody can
link them up.  This helps, but after a while again there is an
accumulation of information about both names, which is what we wanted
to avoid.

A better solution is to use multiple nyms, perhaps with different nyms
in different online fora.  Even the True Name could be used
occasionally where warranted (such as in an online relationship where
physical contact occurs as well).  Nyms could be changed periodically
as well, preventing the buildup of information about any given nym.

One problem is that the simple reputation system above does not work
with multiple nyms.  If you get a digital endorsement of one nym in the
form described before, you will not be able to use that endorsement on
your other nyms without giving away the connection between them.  And
when you retire that nym and replace it with a new one, the endorsement
is lost.

This is the problem which Chaum solves in his paper, "Showing
Credentials without Identification; Transferring Signatures between
Unconditionally Unlinkable Pseudonyms," from AusCrypt 90.  (A newer
version of this paper may be available from Chaum.)  He provides a
method by which various forms of "credentials", which would include
the endorsements described here, can be transferred among the
nyms used by an individual, without giving away information about
which nyms are related.

Chaum's system is complicated and requires a centralized agency which
gives out all endorsement certificates, as well as an agency which
validates pseudonyms.  His system does allow for optional restrictions
on nyms which, for example, would allow only one nym to be used in any
given online forum.  A user would not be able to control two different
nyms in that place, although he could have different nyms in other
parts of cyberspace.  There might be some situations in which this
duplication could be harmful (such as certain kinds of online voting
systems) and Chaum's method does allow this restriction.

A simpler system, though, can be created with technology very similar
to the "Magic Money" digital cash system created by the nym "Pr0duct
Cypher."  This system does not require any centralized control and
allows individuals to make endorsements without help.  It is somewhat
less efficient than Chaum's approach but could be put into place
more easily.

The basic idea uses what Chaum calls a "blind signature".  Above, the
endorsement certificate was described as a digital signature on a
coded message which named the nym or person being endorsed, as well as
some information about the type of endorsement.  With a blind
signature, the signer does not see the message he is signing.  It is
supplied to him in a "blinded" form, he signs it, and then the person
who supplied the message unblinds it.  What is left is a signed
message whose contents are not known by the person who signed it.

This technology can be used directly to create blind endorsements.
Suppose nym 123, who sometimes also uses the nym 456, gets an offer to
receive a "good writing" endorsement from user U.  He can supply U with
a blinded message which says, in effect, "nym 456 has good writing".  U
does not see the contents of the message when he signs it, so he does
not know that nym 456 is another name for nym 123.  But when 123 gets
the message back from U, he unblinds it to create an endorsement from U
on nym 456.

In order to control the type of endorsement ("good writing", etc.),
that information is not put in the text of the message, but is
determined by the exponent used in the digital signature.  Each user
would need to publish a table mapping exponents to types of
endorsements (or perhaps such a table would be standardized over all
users).  And since nym 123 may actually have many pseudonyms in use,
he would actually need to collect a large number of blind endorsements
from U.  In practice he would supply U with a large block of blinded
endorsements, U would sign them knowing that they were all different
pseudonyms of 123's, and 123 would keep them for use as needed.

123 could even include his True Name to receive a blind endorsement,
as well as other pseudonyms he hadn't used yet.  All of these would be
capable of being shown with U's endorsement.  Even when the original
nym 123 was retired, other nyms which had received that endorsement
could be put into use and they would carry the same stamp of approval.

This system would allow very flexible use of pseudonyms while allowing
the user to show endorsements and other forms of credentials without
compromising his privacy.  And the technology to do this is very close
to systems already in use today, at least in its cryptographic
aspects.

The social problems of determining when writers should receive
endorsements, how much credence to give to endorsements from unknown
endorsers, how to appropriately display endorsements, and how to easily
validate and verify endorsements proffered by others, are harder to
solve.  Despite these issues, a modification to Magic Money to support
this application would allow for some initial experiments with the
concept, which might help show where the significant problems lie.

Hal Finney
hfinney@shell.portal.com





Thread