Hacker News new | past | comments | ask | show | jobs | submit login
David Chaum Has a Plan to End the Crypto War (wired.com)
99 points by rdl on Jan 6, 2016 | hide | past | favorite | 61 comments

There are people that help, and those that don't, and I've got Chaum in the latter category. He has consistently tried to patent the crap out of anything he does and demand extortionate rates to license those patents. As a result nothing he does has any impact for 20 years except to show people what will eventually be possible.

If he had been Satoshi Nakamoto BitCoin would be another 10 years away from being available.

To make matters worse, their are people who write about Chaum's techno-utopia that mention his patent fetish and those that don't. I really do not understand how the author of the Wired article failed to mention any of the patent backstory. I do not care if it is ignorance, pandering, or something else, Wired should be embarrassed that an article titled "The Father of Online Anonymity Has a Plan to End the Crypto War" failed to mention the history of and/or possibility of future patent problems.

Chaumian blinding was what first introduced me to the patent system as a 12yo. Such rage, which actually still persists even past patent expiration.

> As a result nothing he does has any impact for 20 years except to show people what will eventually be possible.7

20 years is not an exaggeration. For anyone curious, you can read a good overview of Chaums, and other related, work on anonymous cryptocurrency systems in a report[0] released by the NSA in 1996. When you actually grok what we've known has been possible for 25 years, Bitcoin looks like a naive toy made 'successful' only by virtue of its lack of dependence on the banking system... which is its only real strength.

[0] http://groups.csail.mit.edu/mac/classes/6.805/articles/money...

Hey, I didn't realize until just now that you weren't a founder of NetApp. I suddenly like you even better than before, because previously I thought you were complicit in their patent abuse. How do you feel about the GPL these days?

Let us hope he patents the crap out of this and no one is willing to touch it.

Your post advocates a

(x) technical ( ) legislative (x) market-based ( ) vigilante

approach to backdooring cryptography. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) You have to trust a government entity not to reveal the backdoor key

(x) The backdoor key holders are susceptible to a good beating with a rubber hose

(x) The backdoor key holders are susceptible to blackmail

Specifically, your plan fails to account for

(x) Clones that refuse to honor the backdoor

(x) Jurisdictional problems

(x) Lack of incentives for consumers to adopt a crippled product

(x) Actual incentives for the terrorists not to adopt a backdoored product

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

(x) Any scheme based on opt-in is unworkable

( ) Why should we have to trust you and your servers?

(x) Incompatiblity with open source or open source licenses

(x) I don't want the government reading my email

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.

( ) This is a stupid idea, and you're a stupid person for suggesting it.

( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

With thanks to http://craphound.com/spamsolutions.txt. Please feel free to help me improve this list. Similar to spam prevention, I think we'll see a lot of broken proposals to this problem over the next few years.

(x) This seems transparently unworkable, but worse you seem to think we're all stupid enough to fall for it.

Assuming that the protocol is cryptographically secure against eight of nine members colluding, it's not actually the worst idea ever. 'Backdoors always get cracked' doesn't apply when there's an actual cryptographic proof; what does apply is the trustworthiness of the keyholders and the guarantees of the protocol.

My concern is first that it's limited to Western democracies. I'd actually feel a lot more certain that something really is bad if the governments of the United States, the United Kingdom, Russia, Iran, Cuba, Chad & Togo all agreed that it's actually bad. After all, Western democracies are liable to agree that some things are bad or good that actually aren't.

But then, those all have a common thread: they are all governments, and so they are all liable to suspect anything which puts a government in general at risk, even if it's perfectly harmless (say, free speech…). Why not add other organisations to the mix, perhaps religions and notable non-profits? If the governments above, the Catholic Church, the Ecumenical Patriarchate, the Grand Mufti of Saudi Arabia, the Chief Rabbi of Jerusalem, the Electronic Frontier Foundation, the Business Software Alliance, Greenpeace and the National Rifle Association can all agree that something is bad, then it really probably is.

As opposed to nine subdivisions of one company run by a smart guy, which seem likely to all fall sway to whatever that one smart guy thinks is bad.

Another issue I see with the protocol is how far back can the council reach? A day? A year? The beginning of the protocol? I'd want to see some sort of key rotation to know that a dedicated bad actor could spend years working on each of the nine members.

All-in-all, it's probably a neat piece of crypto which can — in twenty years — be put to use solving some interesting problems, but it probably won't solve this problem.

You're discounting (or at least not mentioning) the probability that one of the eight colluding members will be able to hack the ninth's key.

So, which 9 countries? Which 9 admins? If the US wants info on a user, would 9 of its allies that generally do what the US wants be enough? Would the servers / admins all be government controlled? If so, I fail to see how this wouldn't just be another rubber stamp.

Yeah, and given the amount of cooperation the various Western intelligence agencies have demonstrated, distributing "control" over N governments is just about as dangerous as one.

The world does not need more sophisticated tools to pursue criminals, it needs more sophisticated tools to advance freedom which is ultimately the best deterrent of crime to exist.

I'm curious as to what happens if one of those nine servers suffers a catastrophic failure, like a server room getting flooded, or a weird hardware failure, or a team of people with machine guns rapidly installing lead-based hardware.

Would all previously sent messages be completely irretrievable?

From the limited information, it's rather impossible to tell for sure. But considering you need 9 different admins in different countries, I'm presuming they are basically using a kind of DHT with a bit of extra brains controlling where the various bits and pieces are hashed. So, that said, I would presume it's at least somewhat fault tolerant.

However, it's Chaum we're talking about, so we likely won't know until the patent is filed.

And to the Men, he gave nine rings of power...


And we know the hearts of men are weak, easily swayed by power.

> "Chaum wouldn’t comment on whether the project, which has yet to be fully coded and tested"

So it's currently vaporware.

For those who don't follow these things, Chaum is known as being both brilliant and... well, not so brilliant. A famous example of this: https://cryptome.org/jya/digicrash.htm

So, anyone else concerned that with all the various agencies clamering for crypto they can access, and the staunch refusal for researchers to provide it (and they say it's impossible), political leaders are going to point to something like this and say "see! here it is! let's use this."

The darkest possible outcome is something like this becomes mandated, and traffic is filtered to permit that crypto.

So we are back to allowing governments to decide which crypto is allowed and which crypto is illegal.

No thanks.

He just wants to make money and sees an opportunity to sell a new blackbox engine.

If this will be open source or similar, what prevents people from making a fork that is (PrivaTegrity - council backdoor).

9 council members with a backdoor is too juicy of a target for large intelligence agencies to be actually effective I feel.

Two points make this solution unlikely to meet the goals the author is attempting to meet:

Those who are performing whatever evil acts of information sharing are disallowed by the counsel will use tools that do not have a counsel who can backdoor the system.

Attempting to solve the single point-of-failure backdoor by increasing the number of points by a modest amount still falls prey to making those individuals immediately attractive targets to those who wish to get at the plaintext. Bear in mind it needn't be a technical hack once someone holds keys. It could be a social mechanism that exposes one or more of the counsel member's keys via law of an oppressive government, or other coercion (blackmail, etc).

> Those who are performing whatever evil acts of information sharing are disallowed by the counsel will use tools that do not have a counsel who can backdoor the system.

And if everyone else is using the tools that the council can backdoor if it decides to, then anyone who uses different tools will immediately stand out. I think that's a key reason why Chaum expects that governments and law enforcement agencies are more likely to accept this type of system.

So his plan by ending the crypto war is.... ...simply capitulating? anyone else clicked on article expecting some new crypto coommunication idea

Yes, basically :(

Yeah, I for one will never use this if it has a backdoor.

Actually plenty of regular people would be OK with it, but the bad guys would just use another system.

As long as there's a choice in systems (and there is, and will always be), these types of systems only hurt the good guys.

That was my immediate reaction. No one who genuinely cares about privacy / anonymity will use this.

I don't see why everyone is so surprised Chaum took this side. He was already writing about this in 1982, quote

"the new electronic payments system may have a substantial impact on personal privacy as well as on the nature and extent of criminal use of payments. Ideally a new payments system should address both of these seemingly conflicting sets of concerns."

"an anonymous payments system like bank notes and coins suffers from lack of controls and security."

"Ability... to determine the identity of the payee under exceptional circumstances."


Chaum had the same priorities for decades, so his position should be no surprise.

The only thing that got worse is that unlike in DigiCash, where an organization could not unmask individuals alone, in PT, organizations can unmask individuals without their consent or participation in the process. Also, in DigiCash, the cryptographic protocol was separate from the receipts, so individuals could opt out of tracking altogether and still use the cryptography.

In that system, to unmask a payee, an individual payer needed to collude with a bank and still be in possession of an optional receipt voluntarily provided by the payee. This is an adequate level of protection because it requires the consent of both individuals - the payee has to provide a receipt to the payer, and the payer has to provide that receipt to the bank.

Anyway, Chaum has always been interested in deanonymization "under exceptional circumstances."

David is a very bright person, but what will most likely happen is that he'll do six re-runs just when they are about to go into production or sign some major deal. If you wonder why I believe this you should read up on DigiCash and how David managed to squander a decade lead.

Any effort that has David Chaum involved with it is going to go nowhere so don't worry too much.

This is being presented at Real World Crypto at Stanford in about 4h.

It doesn't really matter. Backdoored "security" is useless, no matter how much noise you make who gets the keys. It's always only a matter of time until everyone has the keys. Always.

Yeah, I meant mostly for the purpose of clarifying and eviscerating it in person, which is always more fun.

More than the security risks, imho (not that security isn't an issue)... is what kind of hell-like latency would such a system introduce?

Then we're all fucked.

Can we go home now?

I would be curious to see how the crowd reacts. Please update if possible.

Q. How does the performance scale? A. Linearly. We can do one anonymity set globally every second.

Q. When an APT exfiltrates permutation data, what is the privacy failure mode? A. It would be very difficult for an APT to penetrate all sites simultaneously to violate privacy. It is also not clear that a single server would have access to the full permutation, as it can be MPC separated.

The talk is halfway over now. A few laughs at various jokes, but no tomato throwing yet. I'll report on the Q&A in a few minutes.

So I watched his talk and I'm pretty confused -- it felt like a rehash of a lot of well-understood stuff (mix nets, which IMO are awesome and underutilized, MPC, etc.), but it was an odd mix of very high level and very low level details. I haven't read either the cMix or PrivaTegrity papers yet.

However, even if this is a fatally flawed system as a whole, it's entirely possible there is some interesting research, maybe even useful tools here.

It is an interesting idea, being able to protocol-level enforcement of various types of surveillance. Of course, if the level you choose is "none", then you don't need the complexity of the enforcement mechanism.

Can you summarize how is it different from Herbivore, Dissent, Riposte and Vuvuzela? Well, especially Riposte, as it is a system where users post their messages via N servers out of which K servers should be trusted. It seems like Riposte can be easily adopted for this use case. Operators can decide to de-anonymize messages and consensus of any K operators is enough.

I was discussing with someone (nim?) about wanting to set up all of these systems, analyze, and write a survey paper about their properties (Desired, achieved) and about the blank spots needed.

I don't really have time for this, though, although it would be fun.

>When PrivaTegrity’s setup is complete, nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications.

So I need to hire thugs in 9 countries to rubber hose the keys. Hardly impossible task. And lets not even think about the really scary guys in intelligence agencies. Lets say you don't want to meet them in adversarial setting and leave it there.

> And lets not even think about the really scary guys in intelligence agencies.

Those are exactly the guys who would be holding the keys.

Why on earth would a criminal use a service where they can be exposed?

A half brain dead criminal would just do what the Paris guys did - use SMS. Finding a relevant SMS among all other, it's worse than the needle and haystack problem. Also, have you seen those messages? They might as well been some guys going to a barbecue.

If you wanted to have a system where data can be decrypted if there is a consensus, why not use proof-of-stake for managing that? That way the integrity of your data is dependent on who you invite into the system. The idea of arbitrarily requiring consensus among nine people doesn't make much sense to me.

PoS has a fatal flaw: a person who wants to fork a PoS network simply needs to pay other people in the network for the private keys to their older, spent, transactions. Alternatively, any kind of security breach giving access to used private keys would work. After you have enough keys that had coins in them at a certain point in time, you can "grind" the history forward, and create an alternative chain with your chosen transaction history.

Stake in ... what?

A blockchain created for the purpose of controlling the decryption process.

There are much, MUCH better ways of a group controlling a decryption process than the block chain.

So ... people with massive amounts of computing power can decide what to decrypt? Isn't that the exact opposite of what we want?

You're thinking of proof of work. Proof of stake means people with lots of money (cryptocurrency) can decide what to decrypt. Which is imo even worse.

> people with massive amounts of computing power can decide what to decrypt?

No. That would be proof of work.

The only public paper mentioned during the talk is this one, which focuses exclusively on the high-performance mixing (cMix).


Why 9? It's spookily reminiscent of the "Nine Eyes" organisation who're the Orwellian bad guys in the latest Bond film, but I see no technical reason the keys cannot be split between 8 or 10 parties. And how much more security do multiple identical servers provide? If one can be hacked — which is frankly a given — so can all the rest.

There is nothing in this article that makes me think a system of split keys is any more desirable than when FBI Director Comey proposed the same thing last year. It's just a bit more terrifying coming from the so-called "Father of Online Anonymity".

I will give it him it is an idea, I would need MUCH more proof of this being operable before calling it a good idea. Hopefully it will generate more discussion about golden keys/backdoors so that gov will understand the difference.

My first thought is, OMG the latency...

'Chaum is also building into PrivaTegrity .. a carefully controlled backdoor that allows anyone .. to have their anonymity and privacy stripped altogether.'

How stupid: "It’s like a backdoor with nine different padlocks on it"

It does not make it any harder to remove the hinges. Sigh. Classified in file 13.

According to his talk at RWC, there's a live alpha in AWS right now, with Android clients.

Oh, Wired, what are you doing?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact