From: shields@tembel.org (Michael Shields)
To: cypherpunks@toad.com
Message Hash: 91d21789dc62ab7f149b0cd564e21ea5ad1b9e6cd8c37e3c0a4b99baacc32ff2
Message ID: <47ncgr$ji6@yage.tembel.org>
Reply To: <acc4182012021004674b@[205.199.118.202]>
UTC Datetime: 1995-11-07 10:42:27 UTC
Raw Date: Tue, 7 Nov 1995 18:42:27 +0800
From: shields@tembel.org (Michael Shields)
Date: Tue, 7 Nov 1995 18:42:27 +0800
To: cypherpunks@toad.com
Subject: Re: Timed-release crypto and information economics
In-Reply-To: <acc4182012021004674b@[205.199.118.202]>
Message-ID: <47ncgr$ji6@yage.tembel.org>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
In article <acc4182012021004674b@[205.199.118.202]>,
Timothy C. May <tcmay@got.net> wrote:
> This seems to be saying the same thing. In both cases, "Alice" is either
> distributing a message to"Bob," "Charles," "Donna," etc., with instructions
> not to return the pieces until Date X, or is holding onto a sealed message
> but asking that the decryption keys not be returned until Date X. I don't
> see the real difference, modulo some minor factors. In neither case can the
> original message be reconstructed unless n out of m of the escrow agents
> provide the pieces.
Here are some attacks where my scheme is more resistant. I'll suppose
that Alice is writing a bond, i.e., time-delayed cash, to Bob.
1. Alice does not really write a bond
In my plan, Alice gives Bob the message along with a certificate saying
that it is a bond. If the message is actually not a bond, Bob can
demonstrate fraud upon the maturity date without revealing his identity,
by posting the now-readable message along with the contradictory signed
statement from Alice.
In your plan, Alice cannot provide the actual message to Bob, nor
prove that she even sent anything through the blind remailer network.
Bob would have to ask her to sign a certificate saying that she wrote
a bond to Bob for $n to mature on date X; she may not be willing to
admit that in a publicly demonstrable way. And if she defrauded Bob,
he cannot prove he did not receive a bond.
2. The crypto houses lose keys/messages
In my plan, the crypto house's signature on the public key it issues
guarantees that the secret key will be available upon the maturity date.
If the house loses the secret key, then anyone can prove this, again
anonymously, by publishing the signed public key and asking anyone to
try to purchase the corresponding secret key. The house cannot say it
is a false claim. The unreliable house hemorrhages reputation, and Bob
still has his money as long as n houses were reliable.
In fact, even if Bob ca'n't trust n houses, he can still hedge. He would
just buy a futures coupon saying that the house in question will lose
a key. This is a classic use of hedging, and it allows him to recover
his money, anonymously.
In your plan, you just have to hope the remailers don't lose more than
m-n parts. You rely on reputation-raters to judge reliability in a
probabilistic manner. This works ok currently, with amateur remailers,
but not in a future world held to the 100% standards of financial
reliability. (And those standards are very high. Consider the public
reaction if you saw proof that a bank had "lost" someone's checking
account, one among a million.)
3. The crypto houses leak keys/messages
In my plan, this is ok. You need both the keys *and the message*
to decrypt. Only Bob holds the message. (It's axiomatic that you can
keep a secret out of self-interest; your personal private key is such
a secret.) In fact, at the maturity date, the secret keys will become
available to anyone, and Bob still won't be hurt.
Meanwhile, crackers have incentive to steal keys even without breaking
messages, because they can use them to make a profit on "Megahouse leaks
keys" futures, by posting the secret key matching a signed public key.
This can be anonymous, or they can use it to raise their nym's reputation
among crackers. Because Megahouse knows it will be caught *every time*
it leaks, it must keep 100% financial-quality security. This is an
excellent failure mode because all failures will be public.
In your plan, you just have to hope fewer than n pieces are made available
to the cracking ring. And when you get a bond consisting of double-spent
bills, you ca'n't tell who broke security. This is intractable for a
reputation-rater to determine to the necessary standards of accuracy.
4. Alice leaks the message
This is "fraud through negligence" and is treated as in case 1. If Bob
thinks it's likely, he can hedge by buying a "Alice shown untrustworthy"
futures coupon. (Those will be *so* useful.)
Because of the two-part design of a delayed message, it takes collusion
by those in possession of ciphertext *and* keys to unseal a message.
Before the maturity date, only Alice and Bob have the message, and only
the banks have the keys. The message is of value only in that it will
be valuable in the future along with the then-available secret keys.
(Or, I suppose, possibly to prove fraud; that's of even more value.)
All collusion can be righted, everything is anonymous unless reputations
are involved, and all fraud is publicly exposed.
These are interesting properties.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMJ81SeyjYMb1RsVfAQG5GQP/RP5IkcQUFo++aBWHUmoTGuIBphykQxp/
HR40yt4GzIJQUIpEbM7iiD6Dk9hDLoF4GY9MQrPnxmhfGu4uITxYeDMfsPHJLv01
xCu9//xYJ9Usb3eWJFSURhBkSQg05T4upZX2KTj5NlTB4dbMJumReDeUix236FaU
W2eRxdiw0Us=
=zCpp
-----END PGP SIGNATURE-----
--
Shields.
Return to November 1995
Return to “tcmay@got.net (Timothy C. May)”