If he had been Satoshi Nakamoto, Bitcoin would be another 10 years away from being available.
20 years is not an exaggeration. For anyone curious, you can read a good overview of Chaum's, and other related, work on anonymous cryptocurrency systems in a report released by the NSA in 1996. When you actually grok what we've known has been possible for 25 years, Bitcoin looks like a naive toy made 'successful' only by virtue of its lack of dependence on the banking system... which is its only real strength.
(x) technical ( ) legislative (x) market-based ( ) vigilante
approach to backdooring cryptography. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) You have to trust a government entity not to reveal the backdoor key
(x) The backdoor key holders are susceptible to a good beating with a rubber hose
(x) The backdoor key holders are susceptible to blackmail
Specifically, your plan fails to account for
(x) Clones that refuse to honor the backdoor
(x) Jurisdictional problems
(x) Lack of incentives for consumers to adopt a crippled product
(x) Actual incentives for the terrorists not to adopt a backdoored product
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(x) Any scheme based on opt-in is unworkable
( ) Why should we have to trust you and your servers?
(x) Incompatibility with open source or open source licenses
(x) I don't want the government reading my email
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
With thanks to http://craphound.com/spamsolutions.txt. Please feel free to help me improve this list. Similar to spam prevention, I think we'll see a lot of broken proposals to this problem over the next few years.
My concern is first that it's limited to Western democracies. I'd actually feel a lot more certain that something really is bad if the governments of the United States, the United Kingdom, Russia, Iran, Cuba, Chad & Togo all agreed that it's actually bad. After all, Western democracies are liable to agree that some things are bad or good that actually aren't.
But then, those all have a common thread: they are all governments, and so they are all liable to suspect anything which puts a government in general at risk, even if it's perfectly harmless (say, free speech…). Why not add other organisations to the mix, perhaps religions and notable non-profits? If the governments above, the Catholic Church, the Ecumenical Patriarchate, the Grand Mufti of Saudi Arabia, the Chief Rabbi of Jerusalem, the Electronic Frontier Foundation, the Business Software Alliance, Greenpeace and the National Rifle Association can all agree that something is bad, then it really probably is.
As opposed to nine subdivisions of one company run by a smart guy, which seem likely to all fall sway to whatever that one smart guy thinks is bad.
Another issue I see with the protocol is how far back can the council reach? A day? A year? The beginning of the protocol? I'd want to see some sort of key rotation to know that a dedicated bad actor could spend years working on each of the nine members.
All-in-all, it's probably a neat piece of crypto which can — in twenty years — be put to use solving some interesting problems, but it probably won't solve this problem.
The world does not need more sophisticated tools to pursue criminals, it needs more sophisticated tools to advance freedom which is ultimately the best deterrent of crime to exist.
Would all previously sent messages be completely irretrievable?
However, it's Chaum we're talking about, so we likely won't know until the patent is filed.
And we know the hearts of men are weak, easily swayed by power.
So it's currently vaporware.
The darkest possible outcome is something like this becomes mandated, and traffic is filtered to permit that crypto.
He just wants to make money and sees an opportunity to sell a new blackbox engine.
9 council members with a backdoor is too juicy of a target for large intelligence agencies to be actually effective, I feel.
Those who are performing whatever evil acts of information sharing are disallowed by the council will use tools that do not have a council who can backdoor the system.
Attempting to solve the single point-of-failure backdoor by increasing the number of points by a modest amount still falls prey to making those individuals immediately attractive targets to those who wish to get at the plaintext. Bear in mind it needn't be a technical hack once someone holds keys. It could be a social mechanism that exposes one or more of the council members' keys via law of an oppressive government, or other coercion (blackmail, etc).
And if everyone else is using the tools that the council can backdoor if it decides to, then anyone who uses different tools will immediately stand out. I think that's a key reason why Chaum expects that governments and law enforcement agencies are more likely to accept this type of system.
As long as there's a choice in systems (and there is, and will always be), these types of systems only hurt the good guys.
"the new electronic payments system may have a substantial impact on personal privacy as well as on the nature and extent of criminal use of payments. Ideally a new payments system should address both of these seemingly conflicting sets of concerns."
"an anonymous payments system like bank notes and coins suffers from lack of controls and security."
"Ability... to determine the identity of the payee under exceptional circumstances."
Chaum had the same priorities for decades, so his position should be no surprise.
The only thing that got worse is that unlike in DigiCash, where an organization could not unmask individuals alone, in PT, organizations can unmask individuals without their consent or participation in the process. Also, in DigiCash, the cryptographic protocol was separate from the receipts, so individuals could opt out of tracking altogether and still use the cryptography.
In that system, to unmask a payee, an individual payer needed to collude with a bank and still be in possession of an optional receipt voluntarily provided by the payee. This is an adequate level of protection because it requires the consent of both individuals - the payee has to provide a receipt to the payer, and the payer has to provide that receipt to the bank.
Anyway, Chaum has always been interested in deanonymization "under exceptional circumstances."
Any effort that has David Chaum involved with it is going to go nowhere so don't worry too much.
Can we go home now?
Q. When an APT exfiltrates permutation data, what is the privacy failure mode?
A. It would be very difficult for an APT to penetrate all sites simultaneously to violate privacy. It is also not clear that a single server would have access to the full permutation, as it can be MPC separated.
However, even if this is a fatally flawed system as a whole, it's entirely possible there is some interesting research, maybe even useful tools here.
It is an interesting idea, being able to have protocol-level enforcement of various types of surveillance. Of course, if the level you choose is "none", then you don't need the complexity of the enforcement mechanism.
I don't really have time for this, though, although it would be fun.
So I need to hire thugs in 9 countries to rubber hose the keys. Hardly an impossible task. And let's not even think about the really scary guys in intelligence agencies. Let's say you don't want to meet them in an adversarial setting and leave it there.
Those are exactly the guys who would be holding the keys.
No. That would be proof of work.
There is nothing in this article that makes me think a system of split keys is any more desirable than when FBI Director Comey proposed the same thing last year. It's just a bit more terrifying coming from the so-called "Father of Online Anonymity".
It does not make it any harder to remove the hinges. Sigh. Classified in file 13.