Re: [Barker, Elaine B.] NIST Publication Announcements

2009-10-02 Thread Stephan Neuhaus


On Oct 1, 2009, at 16:46, Perry E. Metzger wrote:


It is also completely impossible to prove you've deleted a
record. Someone who can read the record can always make a copy of
it. Cryptography can't fix the DRM problem.


Sorry, I should have clarified that. We don't want to verify that Bob  
has in fact deleted the patient record, we just want to verify whether  
Bob *claims* to have deleted the patient record *within the time span  
given*. If Alice later finds out that Bob has lied, she will have this  
signed claim, with which she can take him to court.


Best,

Stephan

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: [Barker, Elaine B.] NIST Publication Announcements

2009-10-02 Thread dan

  It is also completely impossible to prove you've deleted a
  record. Someone who can read the record can always make a copy
  of it. Cryptography can't fix the DRM problem.


If, and only if, the document lives solely within an
airtight surveillance system, then it is possible to
prove deletion.  Put differently, only within airtight
surveillance will the absence of evidence be the
evidence of absence.

In factually, if not politically, correct terms, the
Electronic Health Record is the surest path to a
surveillance state, but I digress.

--dan



Re: [Barker, Elaine B.] NIST Publication Announcements

2009-10-02 Thread Perry E. Metzger

Stephan Neuhaus neuh...@st.cs.uni-sb.de writes:
 On Oct 1, 2009, at 16:46, Perry E. Metzger wrote:
 It is also completely impossible to prove you've deleted a
 record. Someone who can read the record can always make a copy of
 it. Cryptography can't fix the DRM problem.

 Sorry, I should have clarified that. We don't want to verify that Bob
 has in fact deleted the patient record, we just want to verify whether
 Bob *claims* to have deleted the patient record *within the time span
 given*. If Alice later finds out that Bob has lied, she will have this
 signed claim, with which she can take him to court.

If you have that more limited need, the Haber & Stornetta protocol will
likely do what you want, provided you can set something up to publish
the widely witnessed events. (They had a company for a while to do
timestamping that published the hashes in the New York Times
classifieds. I think when they wrote their paper, the idea that
newspapers might soon cease to exist was not anticipated -- a more
modern system will need some sort of more durable model.)

Perry
-- 
Perry E. Metzger                pe...@piermont.com

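The linking step Perry is pointing at, as an added worked example in Python (written for this page; it is not code from the thread, from Haber & Stornetta's paper or from their company). It also covers Stephan's use case above: the "document" being stamped is Bob's signed deletion claim. Assumptions: SHA-256 over a canonical JSON encoding of each certificate, a dictionary standing in for the newspaper classifieds as the widely witnessed publication, constructed sample submissions, and a placeholder where Bob's signature bytes would be. Each certificate carries the digest of its predecessor, so a verifier who holds the published head can re-walk the chain and reject a certificate the operator fabricated or re-dated after the fact.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List


def H(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Certificate:
    seq: int        # position in the log
    time: str       # the log's own clock; on its own this is only a claim
    doc_hash: str   # hash of the submitted document, e.g. Bob's signed deletion claim
    prev: str       # digest of the previous certificate: the Haber-Stornetta link

    def digest(self) -> str:
        return H(json.dumps(asdict(self), sort_keys=True).encode())


class LinkedTimestampLog:
    """Each certificate commits to its predecessor; the head digest is periodically
    published somewhere the log operator cannot later rewrite (the newspaper)."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.certs: List[Certificate] = []
        # Assumed stand-in for the widely witnessed event: label -> published head digest.
        self.published: Dict[str, str] = {}

    def stamp(self, document: bytes, time: str) -> Certificate:
        prev = self.certs[-1].digest() if self.certs else self.GENESIS
        cert = Certificate(len(self.certs), time, H(document), prev)
        self.certs.append(cert)
        return cert

    def publish(self, label: str) -> str:
        head = self.certs[-1].digest()
        self.published[label] = head
        return head


def verify(cert: Certificate, document: bytes,
           later_certs: List[Certificate], anchor: str) -> bool:
    """A verifier holding the document, its certificate, the certificates issued
    after it and the published anchor re-walks the chain. A certificate the
    operator made up after publication cannot be linked into it."""
    if cert.doc_hash != H(document):
        return False
    cur = cert.digest()
    for nxt in later_certs:
        if nxt.prev != cur:
            return False
        cur = nxt.digest()
    return cur == anchor


def run_demo() -> Dict[str, bool]:
    log = LinkedTimestampLog()
    # Constructed sample data; the signature bytes of Bob's claim are a placeholder.
    claim = b"Bob: deleted patient record 4711 on 2009-10-01T15:40Z; sig=<placeholder>"
    log.stamp(b"unrelated submission A", "2009-09-30T09:00Z")
    cert = log.stamp(claim, "2009-10-01T15:46Z")
    log.stamp(b"unrelated submission B", "2009-10-02T08:00Z")
    anchor = log.publish("classifieds 2009-10-03")
    later = log.certs[cert.seq + 1:]

    genuine = verify(cert, claim, later, anchor)
    # The operator tries to backdate Bob's claim by reissuing the certificate with an
    # earlier time: its digest changes, so the next certificate's `prev` no longer fits.
    forged = Certificate(cert.seq, "2009-09-28T10:00Z", cert.doc_hash, cert.prev)
    backdated = verify(forged, claim, later, anchor)
    # A different document does not match the committed hash.
    other = verify(cert, b"Bob: deleted patient record 4711 on 2009-09-28", later, anchor)
    return {"genuine": genuine, "backdated": backdated, "other_document": other}


if __name__ == "__main__":
    print(run_demo())   # {'genuine': True, 'backdated': False, 'other_document': False}
```

What the log's `time` field is worth is exactly what the chain gives it: the certificate provably exists between the previous published head and the next one, so the granularity Perry mentions is the publication interval, and the trust left in the operator is only that it does not withhold certificates before publication.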


Re: [Barker, Elaine B.] NIST Publication Announcements

2009-10-01 Thread Stephan Neuhaus


On Sep 30, 2009, at 06:25, Peter Gutmann wrote:


Stephan Neuhaus neuh...@st.cs.uni-sb.de writes:

Is there something that could be done that would *not* require a
TTA? (I have almost given up on this, but it doesn't hurt to ask.)

I think you've abstracted away too much information to provide a
definite answer, but if all you want is a proof of something being done at
time X that'll stand up in court then what's wrong with going to a notary?
This has worked just fine for... centuries? without requiring the pile of
Rube-Goldberg cryptoplumbing that people seem to want to attach to it.


In this case, it's because Alice and Bob are not people, but services  
in an SOA, dynamically negotiating a variation of an SLA. If that SLA  
specifies, for example, that patient records must be deleted within  
three days of checking the patient out of the hospital, then it will  
be somewhat impractical to go to a notary public every time they  
delete a patient's record.


I completely agree with your sentiment that cryptoplumbing should  
not be used when there are other working solutions, but in this case,  
I think it will be unavoidable.


Fun,

Stephan



Re: [Barker, Elaine B.] NIST Publication Announcements

2009-10-01 Thread Perry E. Metzger

Stephan Neuhaus neuh...@st.cs.uni-sb.de writes:
 I think you've abstracted away too much information to provide a
 definite answer, but if all you want is a proof of something being
 done at time X that'll stand up in court then what's wrong with going
 to a notary?  This has worked just fine for... centuries? without
 requiring the pile of Rube-Goldberg cryptoplumbing that people seem
 to want to attach to it.

 In this case, it's because Alice and Bob are not people, but services
 in an SOA, dynamically negotiating a variation of an SLA. If that SLA
 specifies, for example, that patient records must be deleted within
 three days of checking the patient out of the hospital, then it will
 be somewhat impractical to go to a notary public every time they
 delete a patient's record.

It is also completely impossible to prove you've deleted a
record. Someone who can read the record can always make a copy of
it. Cryptography can't fix the DRM problem.

Perry



Re: [Barker, Elaine B.] NIST Publication Announcements

2009-09-30 Thread Steven Bellovin


On Sep 29, 2009, at 10:31 AM, Perry E. Metzger wrote:



Stephan Neuhaus neuh...@st.cs.uni-sb.de writes:

For business reasons,
Alice can't force Bob to use a particular TTA, and it's also
impossible to stipulate a particular TTA as part of the job
description (the reason is that Alice and the Bobs---great band name
BTW---won't agree to trust any particular TTA and also don't want to
operate their own).


You don't need such a complicated description -- you're just asking can
I do secure timestamping without requiring significant trust in the
timestamping authority.

The Haber & Stornetta scheme provides a timestamping service that
doesn't require terribly much trust, since hard to forge widely
witnessed events delimit particular sets of timestamps. The only issue
is getting sufficient granularity.



I don't know if their scheme was patented in Germany.  It was in the  
U.S., though I think that at least some of the patents expire within  
the year.


--Steve Bellovin, http://www.cs.columbia.edu/~smb







Re: [Barker, Elaine B.] NIST Publication Announcements

2009-09-30 Thread James A. Donald

 The Haber & Stornetta scheme provides a timestamping
 service that doesn't require terribly much trust,
 since hard to forge widely witnessed events delimit
 particular sets of timestamps. The only issue is
 getting sufficient granularity.

 I don't know if their scheme was patented in Germany.
 It was in the U.S., though I think that at least some
 of the patents expire within the year.

In looking this up, I have noticed a pile of patents
that patent something equivalent or near equivalent to a
patricia hash tree, or elaborately disguised patricia
trees, or something suspiciously similar to a patricia
hash tree, and various special cases of it, and
applications of it, without using the name patricia
hash tree.

Since they seem reluctant to use the name patricia hash
tree I suspect  that there is already a pile of prior
art, but I could not find any, though I am fairly sure
the method is widely known.  Also, wherever there is a
pile of patents, there is usually a pile of prior art.

Lest even more patents of the patricia hash tree be
published, I would like to describe the method here,
though it surely must be described somewhere else,
probably long ago.

Suppose we have a lot of records, each with a key that
makes collision improbable or impossible. We assemble
them in a patricia tree, with each node of the patricia
tree containing a hash of its child nodes.  The root of
the patricia tree then, like a tiger hash, uniquely
identifies the complete data set.  If we have multiple
copies of the data set, this data structure allows us to
not only ensure that both copies are identical, but if
there are small differences between them, such as
recently added records, it allows us to efficiently find
the differences, and thus efficiently bring the two data
sets into agreement.

It also allows us to prove that a given record was part
of a particular data set at a particular time.

Suppose the high order part of the key identifies the
high order part of the time, followed by the id of the
particular organization holding those records.  The
upper parts of the patricia hash tree are partially
shared, peer to peer, similarly to file sharing with a
tiger hash.  Each participating organization keeps the
nodes that relate to it. The lower parts are not shared
except as needed.

In this case, there will be a small set of top nodes of
the tree that cease to change, because they only rely on
keys earlier than a certain date, and this small and
very slowly growing set of top nodes proves the complete
state of the tree at all earlier dates.

Then each organization can prove to all or any of the
others that it had a particular record, or particular
set of records, at a particular time, to the granularity
of the time that is the high order part of the key.

Where some or all of the data needs to be shared by some
or all of the organizations, organizations can rapidly
and efficiently identify any disagreements, and when
they are in agreement, rapidly and efficiently prove to
themselves, and to everyone else, and record for all
time, that they are in agreement, since a small number
of the topmost nodes of the tree proves the state of the
tree at each and all times that contributed to those
nodes.

The structure serves for attestation and sharing, and
since attestation usually involves sharing, and sharing
attestation, the scope for patenting this structure over
and over again in one disguise or another to be applied
to one task or another that involves sharing and/or
attestation is limited only by the boundless imagination
of patent lawyers.  One can also add horizontal and
backwards hash relationships between nodes that serve
little practical purpose other than allowing one to have
a single rapidly changing node attesting instead of
a small set of nodes, and allowing it to be nominally
something other than a patricia hash tree.

Thus, for example, instead of using forty or so nodes to
attest for the state of a million organizations over a
billion time periods, one can use a hash of those forty
nodes, and there are no end of different ways one can
hash those forty or so nodes together.  But under that
hash, it is still a patricia hash tree doing the actual
work of gluing the data together.

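The structure described in the post above, as an added worked example in Python (written for this page; not code from the thread or from any of the patents mentioned). It builds a binary radix tree over the key bits in which every node stores the hash of its two children, so a record's position depends only on its key and untouched subtrees stay byte-identical. Assumptions, chosen for readability: 16-bit keys whose high 8 bits are the time period and low 8 bits the organisation id (a real deployment would use keys wide enough to make collisions negligible), SHA-256 with distinct leaf and node prefixes, a fixed hash for empty subtrees at each depth, and constructed sample records. The demo shows an inclusion proof against the root, the efficient diff that descends only where subtree hashes differ, and that the period-1 subtree node does not change once period-2 records are added, which is the "top nodes that cease to change" point.

```python
import hashlib
from typing import Dict, List, Tuple

# Assumed key layout: 16 bits, high 8 = time period, low 8 = organisation id.
KEY_BITS = 16


def h_leaf(key: int, value: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + key.to_bytes(KEY_BITS // 8, "big") + value).digest()


def h_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def bit(key: int, i: int) -> int:
    """i-th key bit, counting from the most significant one."""
    return (key >> (KEY_BITS - 1 - i)) & 1


# Hash of an all-empty subtree at each depth, so absent subtrees hash consistently.
EMPTY_AT: List[bytes] = [b""] * (KEY_BITS + 1)
EMPTY_AT[KEY_BITS] = hashlib.sha256(b"empty-leaf").digest()
for _d in range(KEY_BITS - 1, -1, -1):
    EMPTY_AT[_d] = h_node(EMPTY_AT[_d + 1], EMPTY_AT[_d + 1])


class HashTrie:
    """Binary radix tree over the key bits; each node stores the hash of its children."""

    def __init__(self, records: Dict[int, bytes]) -> None:
        self.records = dict(records)
        self.nodes: Dict[Tuple[int, int], bytes] = {}   # (depth, prefix) -> hash, non-empty only
        self.root = self._build(0, 0, sorted(records))

    def _build(self, depth: int, prefix: int, keys: List[int]) -> bytes:
        if not keys:
            return EMPTY_AT[depth]
        if depth == KEY_BITS:
            h = h_leaf(keys[0], self.records[keys[0]])
        else:
            left = [k for k in keys if bit(k, depth) == 0]
            right = [k for k in keys if bit(k, depth) == 1]
            h = h_node(self._build(depth + 1, prefix * 2, left),
                       self._build(depth + 1, prefix * 2 + 1, right))
        self.nodes[(depth, prefix)] = h
        return h

    def node(self, depth: int, prefix: int) -> bytes:
        return self.nodes.get((depth, prefix), EMPTY_AT[depth])

    def prove(self, key: int) -> List[bytes]:
        """Inclusion proof: sibling hashes from the leaf up to the root."""
        siblings, prefix = [], key
        for depth in range(KEY_BITS, 0, -1):
            siblings.append(self.node(depth, prefix ^ 1))
            prefix >>= 1
        return siblings


def verify_inclusion(root: bytes, key: int, value: bytes, siblings: List[bytes]) -> bool:
    h = h_leaf(key, value)
    for depth in range(KEY_BITS, 0, -1):
        sib = siblings[KEY_BITS - depth]
        h = h_node(h, sib) if bit(key, depth - 1) == 0 else h_node(sib, h)
    return h == root


def diff(a: HashTrie, b: HashTrie) -> List[int]:
    """Keys whose records differ, descending only into subtrees whose hashes differ."""
    changed, stack = [], [(0, 0)]
    while stack:
        depth, prefix = stack.pop()
        if a.node(depth, prefix) == b.node(depth, prefix):
            continue
        if depth == KEY_BITS:
            changed.append(prefix)
        else:
            stack.extend([(depth + 1, prefix * 2), (depth + 1, prefix * 2 + 1)])
    return sorted(changed)


def key(period: int, org: int) -> int:
    return (period << 8) | org


def run_demo() -> dict:
    # Constructed sample records: three organisations in period 1, then two more in period 2.
    period1 = {key(1, 7): b"org 7, period 1", key(1, 9): b"org 9, period 1",
               key(1, 200): b"org 200, period 1"}
    a = HashTrie(period1)
    later = dict(period1)
    later[key(2, 7)] = b"org 7, period 2"
    later[key(2, 9)] = b"org 9, period 2"
    b = HashTrie(later)
    proof = a.prove(key(1, 9))
    return {
        "inclusion_ok": verify_inclusion(a.root, key(1, 9), period1[key(1, 9)], proof),
        "tampered_value_rejected": not verify_inclusion(a.root, key(1, 9), b"forged", proof),
        "changed_keys": diff(a, b),                                   # only the period-2 additions
        "period1_subtree_unchanged": a.node(8, 1) == b.node(8, 1),   # the node that "ceased to change"
        "roots_equal": a.root == b.root,
    }


if __name__ == "__main__":
    print(run_demo())
```

The proof for a record is one sibling hash per key bit, and synchronising two copies costs work proportional to the number of differing records times the key length rather than to the size of the data set, which is the efficiency claim above made concrete.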


Re: [Barker, Elaine B.] NIST Publication Announcements

2009-09-30 Thread Perry E. Metzger

James A. Donald jam...@echeque.com writes:
 The Haber & Stornetta scheme provides a timestamping
 service that doesn't require terribly much trust,
 since hard to forge widely witnessed events delimit
 particular sets of timestamps. The only issue is
 getting sufficient granularity.

 I don't know if their scheme was patented in Germany.
 It was in the U.S., though I think that at least some
 of the patents expire within the year.

 In looking this up, I have noticed a pile of patents
 that patent something equivalent or near equivalent to a
 patricia hash tree, or elaborately disguised patricia
 trees, or something suspiciously similar to a patricia
 hash tree, and various special cases of it, and
 applications of it, without using the name patricia
 hash tree.

Perhaps that's because this is a Merkle tree, not a patricia
tree. Patricia trees are radix trees -- they're used for optimizing
routing tables, not in cryptography.

Perry



Re: [Barker, Elaine B.] NIST Publication Announcements

2009-09-29 Thread Stephan Neuhaus


On Sep 26, 2009, at 18:31, Perry E. Metzger wrote:


SP 800-102 is intended to address the timeliness of the digital
signatures generated using the techniques specified in Federal
Information Processing Standard (FIPS) 186-3. [...] SP 800-102
provides methods of obtaining assurance of the time of digital signature
generation using a trusted timestamp authority that is trusted by both
the signatory and the verifier.


In the project in which I am involved we have just this problem, but  
we also have the problem that we can't require the participating  
parties to use a TTA. I have been attacking this problem from several  
angles but have not come to a solution.


The setup is this:

Alice advertises that she wants a job done. One of the constraints is  
that she wants it done by tomorrow, 10am.  A number of Bobs apply for  
the job.  Alice trusts none of the Bobs and the Bobs do not trust  
Alice.  Alice doesn't even know the Bobs beforehand.  Based on some  
criterion, Alice chooses a particular Bob.  For business reasons,  
Alice can't force Bob to use a particular TTA, and it's also  
impossible to stipulate a particular TTA as part of the job  
description (the reason is that Alice and the Bobs---great band name  
BTW---won't agree to trust any particular TTA and also don't want to  
operate their own).


Is there something that could be done that would *not* require a TTA?  
(I have almost given up on this, but it doesn't hurt to ask.)


Fun,

Stephan



Re: [Barker, Elaine B.] NIST Publication Announcements

2009-09-29 Thread Perry E. Metzger

Stephan Neuhaus neuh...@st.cs.uni-sb.de writes:
 For business reasons,
 Alice can't force Bob to use a particular TTA, and it's also
 impossible to stipulate a particular TTA as part of the job
 description (the reason is that Alice and the Bobs---great band name
 BTW---won't agree to trust any particular TTA and also don't want to
 operate their own).

You don't need such a complicated description -- you're just asking can
I do secure timestamping without requiring significant trust in the
timestamping authority.

The Haber  Stornetta scheme provides a timestamping service that
doesn't require terribly much trust, since hard to forge widely
witnessed events delimit particular sets of timestamps. The only issue
is getting sufficient granularity.

Perry
