IETF Logo Mail Archive

Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

Vincent Yu <v@v-yu.com> Sun, 16 March 2014 02:28 UTC

Return-Path: <v@v-yu.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E4471A024E for <openpgp@ietfa.amsl.com>; Sat, 15 Mar 2014 19:28:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9HsGcp-puMGv for <openpgp@ietfa.amsl.com>; Sat, 15 Mar 2014 19:28:26 -0700 (PDT)
Received: from smtp10.hushmail.com (smtp10.hushmail.com [65.39.178.143]) by ietfa.amsl.com (Postfix) with ESMTP id F34F31A022D for <openpgp@ietf.org>; Sat, 15 Mar 2014 19:28:25 -0700 (PDT)
Received: from smtp10.hushmail.com (localhost [127.0.0.1]) by smtp10.hushmail.com (Postfix) with SMTP id 7DA5EC016A for <openpgp@ietf.org>; Sun, 16 Mar 2014 02:28:18 +0000 (UTC)
Received: from smtp.hushmail.com (w9.hushmail.com [65.39.178.29]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp10.hushmail.com (Postfix) with ESMTPS; Sun, 16 Mar 2014 02:28:17 +0000 (UTC)
Message-ID: <78443bf532834a1dfdd4e0c80af2bea3@smtp.hushmail.com>
Date: Sat, 15 Mar 2014 22:28:14 -0400
From: Vincent Yu <v@v-yu.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Nicholas Cole <nicholas.cole@gmail.com>, openpgp@ietf.org
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <5323146D.4050006@fifthhorseman.net> <a9cf1a7b7e08e0d601fa5c7c5cf50e71@smtp.hushmail.com> <5323DF28.5070809@fifthhorseman.net> <F4D2857E-0D33-4B6E-8829-9026CE9398DF@callas.org> <CAAu18hczJb9C2qv-HYJ0kwP7npEgy4f-D0VOMReBSi==XqT9Eg@mail.gmail.com> <CAAu18hc2BPd3u2OnvxMGattGrdEXZgpxTGsR05GU7D-7L10Usw@mail.gmail.com> <029427f6d271b61840ad3f919796c18c@smtp.hushmail.com> <CAAu18hdh+muvDG=SkBs_Y2gDKtMzMPgx8kv6KUNEzODE1j36qQ@mail.gmail.com>
In-Reply-To: <CAAu18hdh+muvDG=SkBs_Y2gDKtMzMPgx8kv6KUNEzODE1j36qQ@mail.gmail.com>
X-Enigmail-Version: 1.6
OpenPGP: id=d28d7c4078b3742a; url=https://v-yu.com/pubkeys/openpgp.asc
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="afe0e6bA62nffC633nt70CRj59SrggkQ7"
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/tBkLIdG3p1foDRoZzcVIAnpL6r8
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Mar 2014 02:28:28 -0000

On 03/15/2014 06:02 PM, Nicholas Cole wrote:
>
>
> On Saturday, 15 March 2014, Vincent Yu <v@v-yu.com <mailto:v@v-yu.com>>
> wrote:
>     This reminds me that I used the name "signer-ambiguous signature" in
>     some of the early drafts of my proposal. This name concisely
>     describes the most important property of ring signatures. Now that I
>     think about it, that is a much better name than "ring signature" for
>     implementations to present to their end users.
>
>     "Signer-ambiguity" was coined by Rivest et al. to describe ring
>     signatures in their seminal paper in 2001, so it's well-connected to
>     the concept of ring signatures in the literature.
>
>     Unless there are severe objections, I will modify the proposal to
>     use the phrase "signer-ambiguous signature" to refer generally to
>     the signatures produced by the scheme, and use "ring signature" only
>     as technical term for the specific scheme that was chosen to provide
>     signer-ambiguity.
>
>
> I think that is a better name.  It gets away from the idea that there is
> a 'ring' of people who have authorized each other to make signatures.
>   But still, I think that this proposal will bring more problems than
> benefits.  Signatures will appear that 'might' have been made by all
> kinds of people on all kinds of documents.  User interfaces will
> struggle to help users to make good decisions as a result.  I can't help
> feeling that this kind of signature belongs in very specific
> applications, and not in general purpose tools. But I could be wrong.

I share your concerns, but on the whole, I think it is a net positive to 
offer signers the option to create signer-ambiguous signatures. Let me 
go into more detail.

Within benign use cases, there are two sides to signer-ambiguous 
signatures: the recipient's side and the signer's side.

The recipient would generally prefer to receive standard signatures 
rather than signer-ambiguous signatures because standard signatures 
offer stronger guarantees and grant them the power to prove to others 
what they received. However, recipients would prefer to receive 
signer-ambiguous signatures rather than no signature. So from the 
recipient's perspective, signer-ambiguous signatures can be bad or good, 
depending on whether the alternative is a standard signature or no 
signature.

However, signer-ambiguous signatures are designed with the signer in 
mind. The signer would find signer-ambiguous signatures useful in 
situations where they wish to ensure authenticity without granting 
recipients the power to transfer their signatures (here, I am 
considering only two-party communications; there are potentially other 
applications of signer-ambiguous signatures). Signer-ambiguous 
signatures are always good from the signer's perspective, because they 
provide an extra option that they may choose to use.

Within malicious use cases, there is the attacker's side. At the end of 
the day, a new signature type will indeed create a potential attack 
vector, and it is hard to predict exactly what types of attack will 
become possible because the details will depend on the interactions 
between users and implementations.

It seems to me that your worries fall mainly within scenarios with an 
attacker. Without an attacker, there is little reason to worry about 
verifier confusion because the goals of signers coincide with those of 
recipients: signatures are a way for signers to provide a guarantee to 
recipients. If it turns out that recipients get excessively confused 
over signer-ambiguous signatures, then signers will simply decide not to 
use them. In the long run, signers will adapt and use signer-ambiguous 
signatures only when they judge that the benefits outweigh the potential 
confusion.

So we need only worry about the potential for verifier confusion in 
scenarios with an attacker. Here, I think implementations have a good 
response available if attacks grow rampant: they simply refuse to verify 
signer-ambiguous signatures. Without the cooperation of implementations, 
attackers can do no harm.

That is the worst case scenario. However, I consider it unlikely that 
attacks using signer-ambiguous signatures will ever become common enough 
to outweigh the benefits to signers. Perhaps our intuitions differ here.

The main point I wish to reemphasize is that signers are free not to 
create signer-ambiguous signatures if they think that the potential for 
confusion outweighs the benefits. Their goals are aligned with those of 
recipients.

Vincent

v2.23.0 | Report a Bug | By Email