[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [freehaven-dev] Deletion of documents
Let's see :
* Before an "unpublishing event", the value of x must be kept by someone.
This person can then be linked to the document. Once he is linked to
the document, he may be forced to unpublish the document.
This is a significant concern.
* "During" an unpublishing event, if an adversary can trace a message
announcing x to its original sender, then this associates the sender
and the document. This means that we're trusting the anonymous
* After an unpublishing event, the value of x can be destroyed, removing
the link between the holder of x and the document. So if the event
itself is carried out in an anonymous fashion, no adversary can
later link the unpublished document to anyone.
* It gives share creator the option whether or not to include the
ability to unpublish. That is, instead of picking a known x and
setting y = SHA1(x), the share creator could set y to a random
bit string (or hash a random x and immediately destroy x). Now
unpublishing requires finding a target collision in SHA1.
There doesn't seem to be any nice way to show that a share really
is "unpublishable" -- since even if you require a proof of the
pre-image of y (Hal Finney has done some *implementation* of this),
nothing stops the share creator from forgetting x after providing the
So far, it seems we could have acheived the same functionality by allowing
unpublish requests signed by the private key used to sign shares.
Immediately after sending the command to unpublish, the key holder
eradicates the share private key - which is the same thing as destroying x
in this scheme.
Notice that in both cases, once the secret is destroyed, the unpublisher
and the document can't be linked.
This scheme seems different from the "unpublish signed by same private key
as signed shares" in these respects :
* Efficiency --
Hashing is much more efficient than most signature
verification. well, unless we're using merkle's hash tree sigs or
something. (hey, would that be a possible optimization, since we already
have expire times? the signature is only good one million times or so,
then the share and sig expire?)
* Divorce unpublishing from publishing --
Whoever enters the shares into the servnet and signs them with whatever
key does not need to know x. She just needs to know y = SHA1(x). So she
does not necessarily have the ability to unpublish - someone else may.
That someone else who knows x, in turn, doesn't necessarily have any
knowledge or control over which shares can be unpublished by revealing
the value of x.
So this means I can "delegate" or "escrow" the ability to unpublish
data by including y values generated by somebody else. You might be
able to do this in the "unpublish signed by private key" model, but
it seems to require key escrow and will be messier.
For example, suppose Alice wants to publish a dissident tract in
China. She might want to unpublish or edit it later. So she could use a
y-value provided by Amnesty International, or some other third party she
trusts not to act in the interests of the Chinese State.
It's probably important that Alice choose a y value from a party
which she cannot control or command to release x. Otherwise in the
above example, the Chinese state tortures Alice until she tells
Amnesty International to reveal x.
A much less appealing example is the case in which an agency of the
State publishes lists of y values. Shares residing on freehaven
servers under that state's jurisdiction are then legally required to
incorporate one of these y values as their self destruct code. Failure
to do so is made grounds for seizing the server (you think I'm
exaggerating - look at money laundering laws in the U.S.).
There may be more on the "separation of publishing and unpublishing"
point, but I think this shows some applications. It seems to be a
partial way around the "forced unpublishing by coercion" problem, but
also has the potential for nastiness (mandated escrowed unpublishing).
I can't think of other distinctions between this and "unpublish requests
signed by key" right now. Please let me know if I missed anything.
On Sat, 11 Mar 2000, Ron Rivest wrote:
> Why not just publish a value y=SHA1(x) with a document. y could exist
> with each share. When x is revealed, anyone holding a share with
> "self-destruct code" y should delete their share...