Encrypted MLs (Was: api for gpg?)

Wed Apr 29 06:49:14 CEST 1998

On Mon, 27 Apr 1998, Werner Koch wrote:

> Hi Anand,
> 
> Anand Kumria <wildfire at progsoc.uts.edu.au> writes:
> 
> > When you communicate there are four different modes you can communicate
> > in.  Single Sender, Single Receiver (SS); Single Sender, Multiple
> > Receivers (SM); Multiple Senders, Single Receiver (MS) and Multiple
> > Senders, Multiple Receivers (MM). 
> 
> Examples:
> SS = private email
> SM = anouncement MLs
> MS = bug reports
> MM = MLs

Actually I wouldn't categorise Mailling lists as MM, it is normally SM. I
think most cases of MM degrade into SM. 

> > I can see some immediate uses for Single Sender/Mltiple Receiver crypto;
> > one would be in the Debian group. new-maintainer at debian.org actually goes
> > to a number of people, in order to send a crypted message to them I need
> > to know who those people are, what their current correct public keys are
> 
> We came up with a simple solution for a multiple receivers system:
> 

[snip]

Ahh yes, you've basically degraded the SM cases into many SS transactions.

> > I can see some initial problems: key generation, secret sharing, secret
> > recombination/splitting, manipulating group membership, etc. No doubt
> 
> I guess that a secret sharing scheme could heavily increase the
> performance but key distribution would be quite complex.  Perhaps 
> we should think about a n-party DH scheme which has some security
> advantages.

Yes a secret sharing scheme would give us some advantages (and make key
dist. more `interesting'). What we really want is the ability to generate
a public/private key pair.

Each subscriber to the mailing list would simply get a private key. We
want to have a single public key and _different_ private keys _per_
_user_.

That would solve (some) of the problems for encrypted mailling lists. 
Each message is encrypted to the mailling lists's public key, and only
people with the private key share can decrypt. If you need authenticated,
encrypted mailling lists, I guess you could also sign the message
prior/post encryption. 

There is a paper which discusses some of these issues: "Multi-receiver /
multi-sender network security: efficent authenticated multicast /
feedback" by Yvo Desmedt, Yair Frankel and Moti Yung. It was published in
IEEE Infocom '92, pages 2045 - 2054. They present two multi-receiver
schemes: one using polynominal interpolation and the other using geometric
interpolation.

Oh, btw, I wouldn't worry too much about OpenPGP; they are only trying to
define the format for PGP 5.x things. I think you will find that most of
the 180K+ public keys that the keyservers have on file are PGP2.x 
- basically, if you have to do your own thing, do it.

Anand.

-- 
 `When any government, or any church for that matter, undertakes to say to
  its subjects, "This you may not read, this you must not see, this you are
  forbidden to know," the end result is tyranny and oppression no matter how
  holy the motives' -- Robert A Heinlein, "If this goes on --"