[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [freehaven-dev] PK_doc
Thanks for catching this. This seems to be a mistake in the paper.
SK_doc is destroyed after the shares are created -- the idea is to
provide a kind of "forward author/publisher anonymity" by getting rid of
anything which could tie a person directly to the document. As such, it is
impossible for anyone to sign anything with SK_doc, including the buddies.
This has the added benefit of making it impractical for an adversary to
introduce corrupted shares into the system, because it would have to
forge signatures; this means we don't have to use a verifiable
secret sharing scheme. Unfortunately, it also means that the idea of
buddies signing with the document's key is total bunk.
I can think of a few ramifications :
* This may mean that we can store documents with hash(PK_doc)
instead of PK_doc. This would give us a form of connected-server
document anonymity similar to Freenet's (it's a key hashed key).
* Buddy messages are then not authenticated by anything "in"
the buddy itself. Messages from one buddy to another might be
signed by the nodes which hold the buddies.
Now that I think about it, I'm not sure what the difference
between the situation of a "Buddy message signed by SK_doc"
and "Buddy message signed by node holding buddy" really is.
In fact, since an adversary may not have access to a node's
secret key, signing with that key seems at least marginally
I'll have to think about this a little.
In the meantime, it is too late to put this change in the pre-proceedings
version of the paper. I will place a note in the HTML that this is a
On Sun, 9 Jul 2000, Wei Dai wrote:
> I'm confused about this section of the Free Haven paper:
> [quote from http://freehaven.net/paper/node18.html]
> When a share moves, it notifies its buddy. These notifications are signed
> by the public key of the document, which is inside each share; it is for
> this reason that we include PKdoc in each share and not simply a hash of
> the public key. [end quote]
> How can the notifications be signed by PK_doc, unless the signer knows the
> corresponding SK_doc? Do you mean that SK_doc is included in each share?