Re: Anonymous cash via blinded authentication

Anonymous (nobody@replay.com)
Thu, 1 Apr 1999 10:00:29 +0200 (CEST)

• Next message: Bruce Schneier: "Re: Tristrata - worth another look?"
• Previous message: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"

David Wagner writes:
> Anonymous <nobody@replay.com> wrote:
> > David Wagner writes:
> >
> > > Does this argument imply that every symmetrically-keyed MAC is a "public
> > > key digital signature"? After all, thanks to the theory of zero-knowledge
> > > proofs, every MAC scheme has an "efficient" confirmation protocol.
> > > (Many of them may actually be efficient in real life, too, as witnessed
> > > by Hal Finney's work on SHA-1.)
> >
> > What would be the public key, though?
>
> Any other known-valid (plaintext, MAC) pair, I suppose...

So the ZK proof would show that the key in the MAC in the given pair
was the same as the key in the MAC in the pair to be verified, without
revealing the key.

With this interpretation, you appear to be correct that a symmetric-key
"signature" (i.e. a MAC) is not so different from a public-key signature.
In either case a third party can verify accuracy, albeit with some help
from the signer in the symmetric case.

Perhaps a similar linkage could be found between symmetric-key encryption
and public-key encryption. For this case, instead of a ZK proof we
would use a multiparty secure computation protocol to calculate the
symmetric-key encryption. One party inputs the plaintext, and the other
party the secret key. The output of the protocol is the ciphertext.

(Of course this would be a pretty roundabout way to do things if the
output is simply going to be provided to the key holder. Not to mention
that implementing MPC is probably going to require using public-key
encryption or something like it as an internal subprotocol. Still, there
might be some circumstances where this kind of thing would be useful.)

It may be that these interpretations stretch the definitions to the
breaking point. If the point of public-key is that encryption and
verification is done without any help from the key holder (that's what
makes it "public") then these symmetric-key analogs don't deserve the
same name. But if the point is that the verification can be done without
having to know secret information (and _that_'s what makes it "public")
then the symmetric techniques could appropriately use some of the same
terminology.

• Next message: Bruce Schneier: "Re: Tristrata - worth another look?"
• Previous message: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"