It doesn't really matter. Backdoored "security" is useless, no matter how much noise you make who gets the keys. It's always only a matter of time until everyone has the keys. Always.
Q. How does the performance scale?
A. Linearly. We can do one anonymity set globally every second.
Q. When an APT exfiltrates permutation data, what is the privacy failure mode?
A. It would be very difficult for an APT to penetrate all sites simultaneously to violate privacy. It is also not clear that a single server would have access to the full permutation, as it can be MPC separated.
There are people that help, and those that don't, and I've got Chaum in the latter category. He has consistently tried to patent the crap out of anything he does and demand extortionate rates to license those patents. As a result nothing he does has any impact for 20 years except to show people what will eventually be possible.
If he had been Satoshi Nakamoto BitCoin would be another 10 years away from being available.
To make matters worse, their are people who write about Chaum's techno-utopia that mention his patent fetish and those that don't. I really do not understand how the author of the Wired article failed to mention any of the patent backstory. I do not care if it is ignorance, pandering, or something else, Wired should be embarrassed that an article titled "The Father of Online Anonymity Has a Plan to End the Crypto War" failed to mention the history of and/or possibility of future patent problems.
Hey, I didn't realize until just now that you weren't a founder of NetApp. I suddenly like you even better than before, because previously I thought you were complicit in their patent abuse. How do you feel about the GPL these days?
> As a result nothing he does has any impact for 20 years except to show people what will eventually be possible.7
20 years is not an exaggeration. For anyone curious, you can read a good overview of Chaums, and other related, work on anonymous cryptocurrency systems in a report[0] released by the NSA in 1996. When you actually grok what we've known has been possible for 25 years, Bitcoin looks like a naive toy made 'successful' only by virtue of its lack of dependence on the banking system... which is its only real strength.
If you wanted to have a system where data can be decrypted if there is a consensus, why not use proof-of-stake for managing that? That way the integrity of your data is dependent on who you invite into the system. The idea of arbitrarily requiring consensus among nine people doesn't make much sense to me.
PoS has a fatal flaw: a person who wants to fork a PoS network simply needs to pay other people in the network for the private keys to their older, spent, transactions. Alternatively, any kind of security breach giving access to used private keys would work. After you have enough keys that had coins in them at a certain point in time, you can "grind" the history forward, and create an alternative chain with your chosen transaction history.
For those who don't follow these things, Chaum is known as being both brilliant and... well, not so brilliant. A famous example of this: https://cryptome.org/jya/digicrash.htm
I will give it him it is an idea, I would need MUCH more proof of this being operable before calling it a good idea. Hopefully it will generate more discussion about golden keys/backdoors so that gov will understand the difference.
>When PrivaTegrity’s setup is complete, nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications.
So I need to hire thugs in 9 countries to rubber hose the keys. Hardly impossible task. And lets not even think about the really scary guys in intelligence agencies. Lets say you don't want to meet them in adversarial setting and leave it there.
So, which 9 countries? Which 9 admins? If the US wants info on a user, would 9 of its allies that generally do what the US wants be enough? Would the servers / admins all be government controlled? If so, I fail to see how this wouldn't just be another rubber stamp.
Yeah, and given the amount of cooperation the various Western intelligence agencies have demonstrated, distributing "control" over N governments is just about as dangerous as one.
The world does not need more sophisticated tools to pursue criminals, it needs more sophisticated tools to advance freedom which is ultimately the best deterrent of crime to exist.
I'm curious as to what happens if one of those nine servers suffers a catastrophic failure, like a server room getting flooded, or a weird hardware failure, or a team of people with machine guns rapidly installing lead-based hardware.
Would all previously sent messages be completely irretrievable?
From the limited information, it's rather impossible to tell for sure. But considering you need 9 different admins in different countries, I'm presuming they are basically using a kind of DHT with a bit of extra brains controlling where the various bits and pieces are hashed. So, that said, I would presume it's at least somewhat fault tolerant.
However, it's Chaum we're talking about, so we likely won't know until the patent is filed.
So, anyone else concerned that with all the various agencies clamering for crypto they can access, and the staunch refusal for researchers to provide it (and they say it's impossible), political leaders are going to point to something like this and say "see! here it is! let's use this."
The darkest possible outcome is something like this becomes mandated, and traffic is filtered to permit that crypto.
Two points make this solution unlikely to meet the goals the author is attempting to meet:
Those who are performing whatever evil acts of information sharing are disallowed by the counsel will use tools that do not have a counsel who can backdoor the system.
Attempting to solve the single point-of-failure backdoor by increasing the number of points by a modest amount still falls prey to making those individuals immediately attractive targets to those who wish to get at the plaintext. Bear in mind it needn't be a technical hack once someone holds keys. It could be a social mechanism that exposes one or more of the counsel member's keys via law of an oppressive government, or other coercion (blackmail, etc).
> Those who are performing whatever evil acts of information sharing are disallowed by the counsel will use tools that do not have a counsel who can backdoor the system.
And if everyone else is using the tools that the council can backdoor if it decides to, then anyone who uses different tools will immediately stand out. I think that's a key reason why Chaum expects that governments and law enforcement agencies are more likely to accept this type of system.
Why 9? It's spookily reminiscent of the "Nine Eyes" organisation who're the Orwellian bad guys in the latest Bond film, but I see no technical reason the keys cannot be split between 8 or 10 parties. And how much more security do multiple identical servers provide? If one can be hacked — which is frankly a given — so can all the rest.
There is nothing in this article that makes me think a system of split keys is any more desirable than when FBI Director Comey proposed the same thing last year. It's just a bit more terrifying coming from the so-called "Father of Online Anonymity".
A half brain dead criminal would just do what the Paris guys did - use SMS. Finding a relevant SMS among all other, it's worse than the needle and haystack problem. Also, have you seen those messages? They might as well been some guys going to a barbecue.
David is a very bright person, but what will most likely happen is that he'll do six re-runs just when they are about to go into production or sign some major deal. If you wonder why I believe this you should read up on DigiCash and how David managed to squander a decade lead.
Any effort that has David Chaum involved with it is going to go nowhere so don't worry too much.
It sounds like you worked with David Chaum as he is very good at theory but horrible at practice. He loves to tinker, but he hates to commit. The article you reference is an understatement when it comes to his lack of ethics, fairness, and huge ego. He totally has no respect for his partners or employees, and he is not a man of his word. I would not trust him with any system that has a backdoor.
So I watched his talk and I'm pretty confused -- it felt like a rehash of a lot of well-understood stuff (mix nets, which IMO are awesome and underutilized, MPC, etc.), but it was an odd mix of very high level and very low level details. I haven't read either the cMix or PrivaTegrity papers yet.
However, even if this is a fatally flawed system as a whole, it's entirely possible there is some interesting research, maybe even useful tools here.
It is an interesting idea, being able to protocol-level enforcement of various types of surveillance. Of course, if the level you choose is "none", then you don't need the complexity of the enforcement mechanism.
Can you summarize how is it different from Herbivore, Dissent, Riposte and Vuvuzela? Well, especially Riposte, as it is a system where users post their messages via N servers out of which K servers should be trusted. It seems like Riposte can be easily adopted for this use case. Operators can decide to de-anonymize messages and consensus of any K operators is enough.
I was discussing with someone (nim?) about wanting to set up all of these systems, analyze, and write a survey paper about their properties (Desired, achieved) and about the blank spots needed.
I don't really have time for this, though, although it would be fun.
approach to backdooring cryptography. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) You have to trust a government entity not to reveal the backdoor key
(x) The backdoor key holders are susceptible to a good beating with a rubber hose
(x) The backdoor key holders are susceptible to blackmail
Specifically, your plan fails to account for
(x) Clones that refuse to honor the backdoor
(x) Jurisdictional problems
(x) Lack of incentives for consumers to adopt a crippled product
(x) Actual incentives for the terrorists not to adopt a backdoored product
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(x) Any scheme based on opt-in is unworkable
( ) Why should we have to trust you and your servers?
(x) Incompatiblity with open source or open source licenses
(x) I don't want the government reading my email
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
With thanks to http://craphound.com/spamsolutions.txt. Please feel free to help me improve this list. Similar to spam prevention, I think we'll see a lot of broken proposals to this problem over the next few years.
64 comments
[ 2.9 ms ] story [ 135 ms ] threadCan we go home now?
Q. When an APT exfiltrates permutation data, what is the privacy failure mode? A. It would be very difficult for an APT to penetrate all sites simultaneously to violate privacy. It is also not clear that a single server would have access to the full permutation, as it can be MPC separated.
If he had been Satoshi Nakamoto BitCoin would be another 10 years away from being available.
20 years is not an exaggeration. For anyone curious, you can read a good overview of Chaums, and other related, work on anonymous cryptocurrency systems in a report[0] released by the NSA in 1996. When you actually grok what we've known has been possible for 25 years, Bitcoin looks like a naive toy made 'successful' only by virtue of its lack of dependence on the banking system... which is its only real strength.
[0] http://groups.csail.mit.edu/mac/classes/6.805/articles/money...
9 council members with a backdoor is too juicy of a target for large intelligence agencies to be actually effective I feel.
No. That would be proof of work.
As long as there's a choice in systems (and there is, and will always be), these types of systems only hurt the good guys.
No thanks.
He just wants to make money and sees an opportunity to sell a new blackbox engine.
So I need to hire thugs in 9 countries to rubber hose the keys. Hardly impossible task. And lets not even think about the really scary guys in intelligence agencies. Lets say you don't want to meet them in adversarial setting and leave it there.
Those are exactly the guys who would be holding the keys.
The world does not need more sophisticated tools to pursue criminals, it needs more sophisticated tools to advance freedom which is ultimately the best deterrent of crime to exist.
Would all previously sent messages be completely irretrievable?
However, it's Chaum we're talking about, so we likely won't know until the patent is filed.
And we know the hearts of men are weak, easily swayed by power.
The darkest possible outcome is something like this becomes mandated, and traffic is filtered to permit that crypto.
So it's currently vaporware.
Those who are performing whatever evil acts of information sharing are disallowed by the counsel will use tools that do not have a counsel who can backdoor the system.
Attempting to solve the single point-of-failure backdoor by increasing the number of points by a modest amount still falls prey to making those individuals immediately attractive targets to those who wish to get at the plaintext. Bear in mind it needn't be a technical hack once someone holds keys. It could be a social mechanism that exposes one or more of the counsel member's keys via law of an oppressive government, or other coercion (blackmail, etc).
And if everyone else is using the tools that the council can backdoor if it decides to, then anyone who uses different tools will immediately stand out. I think that's a key reason why Chaum expects that governments and law enforcement agencies are more likely to accept this type of system.
There is nothing in this article that makes me think a system of split keys is any more desirable than when FBI Director Comey proposed the same thing last year. It's just a bit more terrifying coming from the so-called "Father of Online Anonymity".
It does not make it any harder to remove the hinges. Sigh. Classified in file 13.
http://eprint.iacr.org/2016/008
Any effort that has David Chaum involved with it is going to go nowhere so don't worry too much.
However, even if this is a fatally flawed system as a whole, it's entirely possible there is some interesting research, maybe even useful tools here.
It is an interesting idea, being able to protocol-level enforcement of various types of surveillance. Of course, if the level you choose is "none", then you don't need the complexity of the enforcement mechanism.
I don't really have time for this, though, although it would be fun.
(x) technical ( ) legislative (x) market-based ( ) vigilante
approach to backdooring cryptography. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) You have to trust a government entity not to reveal the backdoor key
(x) The backdoor key holders are susceptible to a good beating with a rubber hose
(x) The backdoor key holders are susceptible to blackmail
Specifically, your plan fails to account for
(x) Clones that refuse to honor the backdoor
(x) Jurisdictional problems
(x) Lack of incentives for consumers to adopt a crippled product
(x) Actual incentives for the terrorists not to adopt a backdoored product
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(x) Any scheme based on opt-in is unworkable
( ) Why should we have to trust you and your servers?
(x) Incompatiblity with open source or open source licenses
(x) I don't want the government reading my email
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
With thanks to http://craphound.com/spamsolutions.txt. Please feel free to help me improve this list. Similar to spam prevention, I think we'll see a lot of broken proposals to this problem over the next few years.