
David Chaum Has a Plan to End the Crypto War - rdl
http://www.wired.com/2016/01/david-chaum-father-of-online-anonymity-plan-to-end-the-crypto-wars/
======
ChuckMcM
There are people that help, and those that don't, and I've got Chaum in the
latter category. He has consistently tried to patent the crap out of anything
he does and demand extortionate rates to license those patents. As a result
nothing he does has any impact for 20 years except to show people what will
eventually be possible.

If he had been Satoshi Nakamoto, Bitcoin would be another 10 years away from
being available.

~~~
dfc
To make matters worse, there are people who write about Chaum's techno-utopia
that mention his patent fetish and those that don't. I really do not
understand how the author of the Wired article failed to mention any of the
patent backstory. I do not care if it is ignorance, pandering, or something
else, Wired should be embarrassed that an article titled "The Father of Online
Anonymity Has a Plan to End the Crypto War" failed to mention the history of
and/or possibility of future patent problems.

------
etherealmachine
Your post advocates a

(x) technical ( ) legislative (x) market-based ( ) vigilante

approach to backdooring cryptography. Your idea will not work. Here is why it
won't work. (One or more of the following may apply to your particular idea,
and it may have other flaws which used to vary from state to state before a
bad federal law was passed.)

( ) You have to trust a government entity not to reveal the backdoor key

(x) The backdoor key holders are susceptible to a good beating with a rubber
hose

(x) The backdoor key holders are susceptible to blackmail

Specifically, your plan fails to account for

(x) Clones that refuse to honor the backdoor

(x) Jurisdictional problems

(x) Lack of incentives for consumers to adopt a crippled product

(x) Actual incentives for the terrorists not to adopt a backdoored product

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been
shown practical

(x) Any scheme based on opt-in is unworkable

( ) Why should we have to trust you and your servers?

(x) Incompatibility with open source or open source licenses

(x) I don't want the government reading my email

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.

( ) This is a stupid idea, and you're a stupid person for suggesting it.

( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

With thanks to
[http://craphound.com/spamsolutions.txt](http://craphound.com/spamsolutions.txt).
Please feel free to help me improve this list. Similar to spam prevention, I
think we'll see a lot of broken proposals to this problem over the next few
years.

~~~
cmurf
(x) This seems transparently unworkable, but worse you seem to think we're all
stupid enough to fall for it.

------
zeveb
Assuming that the protocol is cryptographically secure against eight of nine
members colluding, it's not actually the worst idea ever. 'Backdoors always
get cracked' doesn't apply when there's an actual cryptographic proof; what
_does_ apply is the trustworthiness of the keyholders and the guarantees of
the protocol.

My concern is first that it's limited to Western democracies. I'd actually
feel a lot more certain that something really is bad if the governments of the
United States, the United Kingdom, Russia, Iran, Cuba, Chad & Togo all agreed
that it's actually bad. After all, Western democracies are liable to agree
that some things are bad or good that actually aren't.

But then, those all have a common thread: they are all governments, and so
they are all liable to suspect anything which puts a government in general at
risk, even if it's perfectly harmless (say, free speech…). Why not add other
organisations to the mix, perhaps religions and notable non-profits? If the
governments above, the Catholic Church, the Ecumenical Patriarchate, the Grand
Mufti of Saudi Arabia, the Chief Rabbi of Jerusalem, the Electronic Frontier
Foundation, the Business Software Alliance, Greenpeace and the National Rifle
Association can all agree that something is bad, then it really probably is.

As opposed to nine subdivisions of one company run by a smart guy, which seem
likely to all fall sway to whatever that one smart guy thinks is bad.

Another issue I see with the protocol is how far back can the council reach? A
day? A year? The beginning of the protocol? I'd want to see some sort of key
rotation to know that a dedicated bad actor could spend years working on each
of the nine members.

All-in-all, it's probably a neat piece of crypto which can — in twenty years —
be put to use solving some interesting problems, but it probably won't solve
_this_ problem.

~~~
cjbprime
You're discounting (or at least not mentioning) the probability that one of
the eight colluding members will be able to hack the ninth's key.

------
TheCraiggers
So, which 9 countries? Which 9 admins? If the US wants info on a user, would 9
of its allies that generally do what the US wants be enough? Would the servers
/ admins all be government controlled? If so, I fail to see how this wouldn't
just be another rubber stamp.

~~~
pavel_lishin
I'm curious as to what happens if one of those nine servers suffers a
catastrophic failure, like a server room getting flooded, or a weird hardware
failure, or a team of people with machine guns rapidly installing lead-based
hardware.

Would all previously sent messages be completely irretrievable?

~~~
TheCraiggers
From the limited information, it's rather impossible to tell for sure. But
considering you need 9 different admins in different countries, I'm presuming
they are basically using a kind of DHT with a bit of extra brains controlling
where the various bits and pieces are hashed. So, that said, I would presume
it's at least somewhat fault tolerant.

However, it's Chaum we're talking about, so we likely won't know until the
patent is filed.
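
The two questions above (zeveb's "secure against eight of nine colluding" assumption and pavel_lishin's "what if one of the nine servers is destroyed") are really one design choice: the recovery threshold of a split key. The following Shamir secret-sharing demo is an added example, not code from the article or from PrivaTegrity, and the 9-member council, the prime field and the sample key are assumptions for illustration; it shows that a 9-of-9 split resists eight colluders but also dies with one lost server, while an 8-of-9 split survives one loss at the price of only needing eight colluders.

```python
import secrets

# Prime field large enough to hold a 128-bit key (2**127 - 1 is a Mersenne prime).
P = (1 << 127) - 1
COUNCIL_SIZE = 9  # assumed: nine server administrators, as in the article


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (a0 first) at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, n_shares):
    """Shamir split: random polynomial of degree threshold-1 with the secret as a0."""
    assert 1 <= threshold <= n_shares and 0 <= secret < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def council_recovery(key, threshold, available):
    """Split `key` among the council with `threshold`, then attempt recovery using
    only the first `available` shares (members that are online, or that collude).
    Returns True iff the key is recovered; with fewer than `threshold` shares the
    interpolation yields an unrelated field element."""
    shares = split_secret(key, threshold, COUNCIL_SIZE)
    return recover_secret(shares[:available]) == key


if __name__ == "__main__":
    key = secrets.randbelow(P)  # constructed sample key
    print("9-of-9, all nine cooperate:", council_recovery(key, 9, 9))
    print("9-of-9, eight collude or one server lost:", council_recovery(key, 9, 8))
    print("8-of-9, one server lost:", council_recovery(key, 8, 8))
```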

------
dawnbreez
And to the Men, he gave nine rings of power...

~~~
clarkmoody
Precisely.

And we know the hearts of men are weak, easily swayed by power.

------
strictnein
> "Chaum wouldn’t comment on whether the project, which has yet to be fully
> coded and tested"

So it's currently vaporware.

------
tga_d
For those who don't follow these things, Chaum is known as being both
brilliant and... well, not so brilliant. A famous example of this:
[https://cryptome.org/jya/digicrash.htm](https://cryptome.org/jya/digicrash.htm)

------
joshbuddy
So, anyone else concerned that with all the various agencies clamoring for
crypto they can access, and the staunch refusal for researchers to provide it
(and they say it's impossible), political leaders are going to point to
something like this and say "see! here it is! let's use this."

The darkest possible outcome is something like this becomes mandated, and
traffic is filtered to permit that crypto.

------
ck2
So we are back to allowing governments to decide which crypto is allowed and
which crypto is illegal.

No thanks.

He just wants to make money and sees an opportunity to sell a new blackbox
engine.

------
mahyarm
If this will be open source or similar, what prevents people from making a
fork that is (PrivaTegrity - council backdoor).

9 council members with a backdoor is too juicy of a target for large
intelligence agencies to be actually effective I feel.

------
mdip
Two points make this solution unlikely to meet the goals the author is
attempting to meet:

Those who are performing whatever _evil_ acts of _information sharing_ are
disallowed by the council will use tools that do not have a council who can
backdoor the system.

Attempting to solve the single point-of-failure backdoor by increasing the
number of points by a modest amount still falls prey to making those
individuals immediately attractive targets to those who wish to get at the
plaintext. Bear in mind it needn't be a technical hack once someone holds
keys. It could be a social mechanism that exposes one or more of the council
member's keys via law of an oppressive government, or other coercion
(blackmail, etc).

~~~
pdonis
_> Those who are performing whatever evil acts of information sharing are
disallowed by the council will use tools that do not have a council who can
backdoor the system._

And if everyone else is using the tools that the council can backdoor if it
decides to, then anyone who uses different tools will immediately stand out. I
think that's a key reason why Chaum expects that governments and law
enforcement agencies are more likely to accept this type of system.

------
yc1010
So his plan for ending the crypto war is.... ...simply capitulating? Anyone
else clicked on the article expecting some new crypto communication idea?

~~~
mirimir
Yes, basically :(

------
mordocai
Yeah, I for one will never use this if it has a backdoor.

~~~
lallysingh
Actually plenty of regular people would be OK with it, but the bad guys would
just use another system.

As long as there's a choice in systems (and there is, and will always be),
these types of systems only hurt the good guys.

------
__kds
I don't see why everyone is so surprised Chaum took this side. He was already
writing about this in 1982, quote

"the new electronic payments system may have a substantial impact on personal
privacy as well as on the nature and extent of criminal use of payments.
Ideally a new payments system should address both of these seemingly
conflicting sets of concerns."

"an anonymous payments system like bank notes and coins suffers from lack of
controls and security."

"Ability... to determine the identity of the payee under exceptional
circumstances."

[http://www.hit.bme.hu/~buttyan/courses/BMEVIHIM219/2009/Chau...](http://www.hit.bme.hu/~buttyan/courses/BMEVIHIM219/2009/Chaum.BlindSigForPayment.1982.PDF)

Chaum had the same priorities for decades, so his position should be no
surprise.

The only thing that got worse is that unlike in DigiCash, where an
organization could not unmask individuals alone, in PT, organizations can
unmask individuals without their consent or participation in the process.
Also, in DigiCash, the cryptographic protocol was separate from the receipts,
so individuals could opt out of tracking altogether and still use the
cryptography.

In that system, to unmask a payee, an individual payer needed to collude with
a bank and still be in possession of an optional receipt voluntarily provided
by the payee. This is an adequate level of protection because it requires the
consent of both individuals - the payee has to provide a receipt to the payer,
and the payer has to provide that receipt to the bank.

Anyway, Chaum has always been interested in deanonymization "under exceptional
circumstances."

------
jacquesm
David is a very bright person, but what will most likely happen is that he'll
do six re-runs _just_ when they are about to go into production or sign some
major deal. If you wonder why I believe this you should read up on DigiCash
and how David managed to squander a decade lead.

Any effort that has David Chaum involved with it is going to go nowhere so
don't worry too much.

------
rdl
This is being presented at Real World Crypto at Stanford in about 4h.

~~~
stonogo
It doesn't really matter. Backdoored "security" is useless, no matter how much
noise you make about who gets the keys. It's _always_ only a matter of time
until _everyone_ has the keys. _Always._

~~~
rdl
Yeah, I meant mostly for the purpose of clarifying and eviscerating it in
person, which is always more fun.

------
rdl
So I watched his talk and I'm pretty confused -- it felt like a rehash of a
lot of well-understood stuff (mix nets, which IMO are awesome and
underutilized, MPC, etc.), but it was an odd mix of very high level and very
low level details. I haven't read either the cMix or PrivaTegrity papers yet.

However, even if this is a fatally flawed system as a whole, it's entirely
possible there is some interesting research, maybe even useful tools here.

It is an interesting idea, being able to do protocol-level enforcement of
various types of surveillance. Of course, if the level you choose is "none",
then you don't need the complexity of the enforcement mechanism.

~~~
ycmbntrthrwaway
Can you summarize how it is different from Herbivore, Dissent, Riposte and
Vuvuzela? Well, especially Riposte, as it is a system where users post their
messages via N servers out of which K servers should be trusted. It seems like
Riposte can be easily adopted for this use case. Operators can decide to
de-anonymize messages and consensus of any K operators is enough.

~~~
rdl
I was discussing with someone (nim?) about wanting to set up all of these
systems, analyze, and write a survey paper about their properties (Desired,
achieved) and about the blank spots needed.

I don't really have time for this, though, although it would be fun.

------
venomsnake
>When PrivaTegrity’s setup is complete, nine server administrators in nine
different countries would all need to cooperate to trace criminals within the
network and decrypt their communications.

So I need to hire thugs in 9 countries to rubber hose the keys. Hardly an
impossible task. And let's not even think about the really scary guys in
intelligence agencies. Let's say you don't want to meet them in an adversarial
setting and leave it there.

~~~
pavel_lishin
> _And let's not even think about the really scary guys in intelligence
> agencies._

Those are exactly the guys who would be holding the keys.

------
notliketherest
Why on earth would a criminal use a service where they can be exposed?

~~~
timonovici
A half brain-dead criminal would just do what the Paris guys did - use SMS.
Finding a relevant SMS among all the others is worse than the needle-in-a-
haystack problem. Also, have you seen those messages? They might as well have
been some guys going to a barbecue.

------
Alex3917
If you wanted to have a system where data can be decrypted if there is a
consensus, why not use proof-of-stake for managing that? That way the
integrity of your data is dependent on who you invite into the system. The
idea of arbitrarily requiring consensus among nine people doesn't make much
sense to me.

~~~
maaku
Stake in ... what?

~~~
Alex3917
A blockchain created for the purpose of controlling the decryption process.

~~~
dsl
So ... people with massive amounts of computing power can decide what to
decrypt? Isn't that the exact opposite of what we want?

~~~
coderzach
You're thinking of proof of work. Proof of stake means people with lots of
money (cryptocurrency) can decide what to decrypt. Which is imo even worse.

------
kiniry
The only public paper mentioned during the talk is this one, which focuses
exclusively on the high-performance mixing (cMix).

[http://eprint.iacr.org/2016/008](http://eprint.iacr.org/2016/008)

------
p01926
Why 9? It's spookily reminiscent of the "Nine Eyes" organisation who're the
Orwellian bad guys in the latest Bond film, but I see no technical reason the
keys cannot be split between 8 or 10 parties. And how much more security do
multiple identical servers provide? If one can be hacked — which is frankly a
given — so can all the rest.

There is nothing in this article that makes me think a system of split keys is
any more desirable than when FBI Director Comey proposed the same thing last
year. It's just a bit more terrifying coming from the so-called "Father of
Online Anonymity".

------
2close4comfort
I will give it to him, it is an idea, but I would need MUCH more proof of this
being operable before calling it a good idea. Hopefully it will generate more
discussion about golden keys/backdoors so that gov will understand the
difference.

~~~
tracker1
My first thought is, OMG the latency...

------
Marcomasino
'Chaum is also building into PrivaTegrity .. a carefully controlled backdoor
that allows anyone .. to have their anonymity and privacy stripped
altogether.'

------
not_a_terrorist
How stupid: "It’s like a backdoor with nine different padlocks on it"

It does not make it any harder to remove the hinges. Sigh. Classified in file
13.

------
rdl
According to his talk at RWC, there's a live alpha in AWS right now, with
Android clients.

------
yarrel
Oh, Wired, what are you doing?

