On Thu, Oct 10, 2013 at 5:14 PM, carlo von lynX <l...@time.to.get.psyced.org> wrote:
> On 10/10/2013 11:08 PM, Gregory Maxwell wrote:
>> I'm surprised to see this list has missed the thing that bugs me most
>> about PGP: It conflates non-repudiation and authentication.
>>
>> I send Bob an encrypted message that we should meet to discuss the
>> suppression of free speech in our country. Bob obviously wants to be
>> sure that the message is coming from me, but maybe Bob is a spy ...
>> and with PGP the only way the message can easily be authenticated as
>> being from me is if I cryptographically sign the message, creating
>> persistent evidence of my words not just to Bob but to Everyone!
>
> I kind-of lumped it mentally together with forward secrecy, because
> for both problems the answer is Diffie-Hellman. But you are right, it
> is the eleventh reason.
For a non-interactive system classical Diffie-Hellman only works for the two-party case. Three-party non-interactive key agreement requires the gap Diffie-Hellman problem (pairing cryptography), and then it's probably easier to implement ring signatures at that point.

Forward secrecy can also be done (again in the context of pairing cryptography) without interaction or Diffie-Hellman and with constant size (in the number of time windows) public keys. The general idea is that you use identity-based encryption with the quantized good-until-date as the "identity" and a public key the receiver has generated as the master public key. The receiver uses their master private key to precompute all their future good-until-date keys and then destroys their master private key so that they can no longer rederive expired keys. As time passes they destroy their expired good-until-date keys. (There are also schemes which lower the storage and key generation requirements. For more information, see http://link.springer.com/chapter/10.1007/3-540-39200-9_16)

Though there are simple libraries that implement the hard parts of the required cryptography for things like ring signatures or ID-based forward secrecy... I've never seen a production application for people that uses them. Maybe there is an argument that PGP's pretty-goodness is just good enough to inhibit the existence of better tools?
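The point quoted above, that Diffie-Hellman gives authentication without non-repudiation, as an added example that is not part of this thread: Alice authenticates a message to Bob with an HMAC under a key derived from their static DH shared secret. Bob can check it, but because Bob holds the same key he could have produced the tag himself, so it is worthless as evidence to anyone else. The party names and the message are constructed; the group is RFC 3526 group 14.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit safe prime p = 2q + 1, generator 2 (order q).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G, Q = 2, (P - 1) // 2

def keygen():
    """Long-term DH key pair: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)

def shared_key(my_priv, their_pub):
    """Symmetric key from the DH shared secret; rejects public values outside the order-q subgroup."""
    if not 1 < their_pub < P - 1 or pow(their_pub, Q, P) != 1:
        raise ValueError("invalid DH public value")
    s = pow(their_pub, my_priv, P)
    return hashlib.sha256(s.to_bytes((P.bit_length() + 7) // 8, "big")).digest()

def authenticate(key, message):
    """Deniable authenticator: anyone holding the shared key can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key, message, tag):
    """Constant-time check of the tag against the recomputed HMAC."""
    return hmac.compare_digest(authenticate(key, message), tag)

def demo():
    """Alice -> Bob: Bob accepts the tag, rejects tampering, and can forge an identical tag,
    so the tag authenticates the message to Bob without being evidence to a third party."""
    a_priv, a_pub = keygen()  # Alice (constructed party)
    b_priv, b_pub = keygen()  # Bob (constructed party)
    msg = b"Let's meet Thursday to discuss the new censorship law."  # constructed sample
    k_alice = shared_key(a_priv, b_pub)
    k_bob = shared_key(b_priv, a_pub)
    tag = authenticate(k_alice, msg)
    bob_accepts = verify(k_bob, msg, tag)
    tampered_rejected = not verify(k_bob, msg + b"!", tag)
    # Bob's key equals Alice's, so Bob can mint the same tag: no non-repudiation.
    bob_can_forge = authenticate(k_bob, msg) == tag
    return bob_accepts, tampered_rejected, bob_can_forge
```

Contrast this with a PGP signature over the same message, which only Alice's private key can produce and which therefore convinces everyone, Bob's spymaster included.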