From: Jim McCoy <mccoy@communities.com>
Date: Fri, 15 Nov 1996 15:03:06 -0800 (PST)
To: cypherpunks@toad.com
Subject: Re: Members of Parliament Problem
In-Reply-To: <v02140b02aeb235099c35@[192.0.2.1]>
Message-ID: <v03007804aeb2a16c7fc4@[205.162.51.35]>
MIME-Version: 1.0
Content-Type: text/plain


Lucky writes:
>
>> At 9:32 AM 11/15/1996, Adam Shostack wrote:
>> I've been toying with schemes that multiply the Ns from everybody's
>> public key to create a new semi-anonymous public key.  The only
>> problem is that in each case either identity is revealed or the
>> person seeking semi-anonymously reveals their secret key.  So,
>> I am not quite there.  ;-)
>
>I think that Chaum wrote some papers on group signatures. I'll try to dig
>them out. But it probably won't be before Sunday.

There are several types of "group signature" schemes out there.  The one
which Chaum wrote about was signatures which require a group to perform
verification of the signature in relation to his undeniable signature
system (Lidong Chen advanced this a bit further to make the scheme more
general.)  There are also systems in which group or subset of a group is
necessary to sign the message, the original work was by Yves Desmet in his
paper "Social Cryptography" in Crypto 88 or 89 I think.  There have been
various advancements on these systems, with different threshold schemes
applied, the ability to have "super-votes" among the shares or veto schemes,
mechanisms using distributed computation to securely perform the signing
or encryption, as well other bells and whistles.  At one point I was thinking
about such systems in the context of the DNSSEC work as a means for creating
a pseudonymous top-level domain with the same mechanisms for adjudication and
dispute resolution as the current system through group signatures but had to
set it aside to work on something a bit more practical.  If anyone is really
interested I could probably put together a fairly comprehensive listing of
the literature in this particular area...

jim