Gnupg-users digest, Vol 1 #1117 - 3 msgs

Brent R. Waters bwaters@CS.Princeton.EDU
Fri Mar 7 19:05:02 2003


> Message: 3
> Date: Wed,  5 Mar 2003 14:45:28 -0800
> To: gnupg-users@gnupg.org
> Cc:
> Subject: Re: New crypto idea implemented in gpg
> From: vedaal@hush.com
>
>
>
> >Message: 7
> >Date: Tue, 4 Mar 2003 10:12:20 -0500 (EST)
> >From: "Brent R. Waters" <bwaters@CS.Princeton.EDU>
> >To: gnupg-users@gnupg.org
> >Subject: New crypto idea implemented in gpg
> ..
> >I recently worked on a new type of cryptography scheme that I call an
> >Incomparable Public Key scheme and implemented the idea in gpg.
> >
> >The basic idea is that for some private decryption keys there can be
> >several equivalent, but incomparable public keys. This means that data
> >encrypted with any one of the equivalent public keys can be decrypted by
> >the one private key, but holders of public keys will not be able to tell
> >if they are equivalent (thus the incomparable part).
> ..
> >Anyway, I implemented this idea into gpg to allow people to try this out
> >in the real world. The code and a paper describing the idea in more
> >detail are available at http://www.cs.princeton.edu/~bwaters/research/ .
> >I would like to hear questions or comments from anyone who gets the
> >chance to try this out.
>
> sounds interesting
>
> could you put up a sample test private key, and several of the
> 'Incomparable' public keys, and post the url?
>
> it would be interesting to see if pgpdump or gpg --list-packets
> can detect commonalities that would link the 'incomparables'
>
> a possible problem with this setup is if you ever sign with the private key,
> then, if it verifies with each of the 'incomparables', they can be seen
> to be from the same private key, and traced to you anyway.
>
> tia,
>
> vedaal
>

I put up a page with a couple of keys at
http://www.cs.princeton.edu/~bwaters/research/incomparable_extra/index.html
You can also generate your own with the code. If you can find any leakage
of the key's source I would be interested to hear about it.

If all of the Incomparable Public Keys that were equivalent were signed
with one private key this could be a problem. For this reason the scheme
implemented only has an encryption part and no signatures. This goes a
little against the grain of gpg, which normally expects keys to be signed.

Let me know if you come up with anything.

Regards,
Brent
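
Added illustration, not part of the original message and not the author's gpg code: a toy ElGamal-style sketch of the idea in the quoted announcement, where several different-looking public keys all decrypt under one private key. It assumes each equivalent public key is a fresh random generator g paired with g^a for the single private exponent a; that construction, the tiny group parameters and every function name are assumptions made for the example.

```python
import secrets

# Toy parameters, constructed for this example and far too small for real use:
# P = 2*Q + 1 is a safe prime, and the squares mod P form a group of prime order Q.
P, Q = 2039, 1019

def new_private_key():
    return secrets.randbelow(Q - 1) + 1            # exponent a in [1, Q-1]

def new_public_key(a):
    """Derive a fresh public key for private exponent a (assumed construction)."""
    g = pow(secrets.randbelow(P - 3) + 2, 2, P)    # random generator, never 1
    return (g, pow(g, a, P))                       # (g, g^a)

def encrypt(pub, m):
    """ElGamal encryption of m (1 <= m < P) under one public key."""
    g, h = pub
    k = secrets.randbelow(Q - 1) + 1               # per-message randomness
    return (pow(g, k, P), m * pow(h, k, P) % P)    # (g^k, m * h^k)

def decrypt(a, ct):
    """The single private exponent decrypts regardless of which key was used."""
    c1, c2 = ct
    return c2 * pow(pow(c1, a, P), -1, P) % P      # m = c2 / c1^a

def owns(a, pub):
    """Only the holder of a can run this check that a key is one of theirs."""
    g, h = pub
    return pow(g, a, P) == h

if __name__ == "__main__":
    a = new_private_key()
    pk1, pk2 = new_public_key(a), new_public_key(a)
    for pk in (pk1, pk2):
        assert decrypt(a, encrypt(pk, 1234)) == 1234
    print("pk1:", pk1, "pk2:", pk2, "both mine:", owns(a, pk1) and owns(a, pk2))
```

In this sketch, someone holding only pk1 and pk2 has no equivalent of `owns`: deciding whether two such pairs share an exponent is a Decisional Diffie-Hellman instance in the underlying group.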