Re: [freehaven-dev] PK_doc
Hi,
Thanks for catching this. This seems to be a mistake in the paper.
SK_doc is destroyed after the shares are created -- the idea is to
provide a kind of "forward author/publisher anonymity" by getting rid of
anything which could tie a person directly to the document. As such, it is
impossible for anyone to sign anything with SK_doc, including the buddies.
This has the added benefit of making it impractical for an adversary to
introduce corrupted shares into the system, because it would have to
forge signatures; this means we don't have to use a verifiable
secret sharing scheme. Unfortunately, it also means that the idea of
buddies signing with the document's key is total bunk.
I can think of a few ramifications:
* This may mean that we can store documents with hash(PK_doc)
instead of PK_doc. This would give us a form of connected-server
document anonymity similar to Freenet's (it's a key hashed key).
* Buddy messages are then not authenticated by anything "in"
the buddy itself. Messages from one buddy to another might be
signed by the nodes which hold the buddies.
Now that I think about it, I'm not sure what the difference
between the situation of a "Buddy message signed by SK_doc"
and "Buddy message signed by node holding buddy" really is.
In fact, since an adversary may not have access to a node's
secret key, signing with that key seems at least marginally
better.
I'll have to think about this a little.
In the meantime, it is too late to put this change in the pre-proceedings
version of the paper. I will place a note in the HTML that this is a
mistake, however.
Thanks,
-David
On Sun, 9 Jul 2000, Wei Dai wrote:
> I'm confused about this section of the Free Haven paper:
>
> [quote from http://freehaven.net/paper/node18.html]
> When a share moves, it notifies its buddy. These notifications are signed
> by the public key of the document, which is inside each share; it is for
> this reason that we include PKdoc in each share and not simply a hash of
> the public key. [end quote]
>
> How can the notifications be signed by PK_doc, unless the signer knows the
> corresponding SK_doc? Do you mean that SK_doc is included in each share?
>
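The share lifecycle discussed in this thread (shares signed with SK_doc before the publisher destroys it, servers verifying them against the PK_doc carried in each share, and buddy "share moved" notices signed by the holding node instead), as an added example in Go that is not part of the Free Haven code or of either message; the Ed25519 keys, the message formats and the plain slicing of the document into pieces are assumptions standing in for the paper's scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Share: a document piece, PK_doc, and a signature made with SK_doc before it was destroyed.
type Share struct {
	Index int
	Data  []byte
	PKDoc ed25519.PublicKey
	Sig   []byte
}
func shareMsg(i int, data []byte) []byte { return append([]byte(fmt.Sprintf("share:%d:", i)), data...) }

// Publish cuts doc into n labelled pieces (a constructed stand-in for the real
// share encoding), signs each with a fresh SK_doc and returns only the shares;
// sk goes out of scope here, so nothing can sign with SK_doc afterwards.
func Publish(doc []byte, n int) ([]Share, error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shares := make([]Share, n)
	for i := range shares {
		piece := doc[i*len(doc)/n : (i+1)*len(doc)/n]
		shares[i] = Share{i, piece, pk, ed25519.Sign(sk, shareMsg(i, piece))}
	}
	return shares, nil
}

// VerifyShare is the check a receiving server runs: altered data or a forged
// signature fails, so an adversary cannot introduce corrupt shares.
func VerifyShare(s Share) bool {
	return ed25519.Verify(s.PKDoc, shareMsg(s.Index, s.Data), s.Sig)
}

// Buddy "share moved" notices: with SK_doc gone they are signed by the node
// holding the share, the alternative the reply above considers.
func noticeMsg(i int, host string) []byte { return []byte(fmt.Sprintf("moved:%d:%s", i, host)) }
func SignNotice(nodeSK ed25519.PrivateKey, i int, host string) []byte {
	return ed25519.Sign(nodeSK, noticeMsg(i, host))
}
func VerifyNotice(nodePK ed25519.PublicKey, i int, host string, sig []byte) bool {
	return ed25519.Verify(nodePK, noticeMsg(i, host), sig)
}
```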