[1377] in cryptography@c2.net mail archive
Re: distributed virtual bank
daemon@ATHENA.MIT.EDU (tzeruch@ceddec.com)
Wed Aug 27 13:53:44 1997
Date: Wed, 27 Aug 1997 12:35:03 -0400
From: tzeruch@ceddec.com
Reply-To: tzeruch@ceddec.com
To: Adam Back <aba@dcs.ex.ac.uk>
cc: cryptography@c2.net
In-Reply-To: <199708262302.AAA01116@server.test.net>
On Tue, 26 Aug 1997, Adam Back wrote:
> People would trust the bank by virtue of their belief that it would be
> too difficult for an attacker to compromise or achieve sufficient
> collusion to overcome the n of k threshold.
The only problem I see is that once one node has the n of k in the simple
protocols, they have the secret. You need *distributed* N of K secret
splitting such that for whatever function (e.g. signing blinded coins,
processing electronic cheques) the Nth node can accomplish the function
without being able to reconstruct the secret. There are anti-cheating
protocols too, but I haven't researched them.
Off the top of my head:
Since RSA is commutative, if N==K (or K-1), you can "simply" (lots of
qualifications deleted for space) stack the signatures, so that a valid
token is S = M**D1**D2...DN mod n , but then you would have to check the
collective signature (S**E1..EN mod n), and there is no internal way to
figure out if you already signed something or who is missing. If you have
20 nodes, finding which 4 or 10 or 16 signed the message isn't trivial
unless they are specifically identified outside S.
You still have a problem with people entering or leaving the system since
they will have to have new keys or some other update mechanism.
This may all be nonsense, so I hope someone has a better answer.
--- reply to tzeruch - at - ceddec - dot - com ---
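Added worked example (editor's note, not part of the original message or of any
scheme the post's author deployed): a toy of the "stacked" RSA signing the post
sketches, in Python, with constructed parameters (two small Mersenne primes as
the shared modulus, textbook RSA on an integer M with no hashing or padding).
It shows that the stacking order does not matter, that the collective token is
checked with the product E1*E2*...*EN, that S by itself says nothing about
which nodes signed (the only recovery is trying every subset, 2**k of them)
and nothing about a node that signed twice. It also demonstrates the caveat a
reviewer would raise about this particular toy: because every node's D_i is a
private exponent for the same modulus n, any single node can factor n from
E_i*D_i - 1 (a standard property of shared-modulus RSA) and then derive all
other D_j from the public E_j, so the secret is not really distributed. The
names (make_signers, sign_stack, verify_stack, who_signed,
factor_from_private_key) are mine, not the post's.

```python
"""Toy of the stacked-RSA token from the post: N signers share one modulus n,
each holds its own private exponent D_i, and a token is
S = M**D1**D2...**DN mod n, checked as S**(E1*E2*...*EN) mod n == M.
All parameters are constructed for illustration (small primes, textbook RSA,
no hash or padding). This is an added example, not code from the thread.
"""
from itertools import combinations
from math import gcd

# Constructed toy modulus: the Mersenne primes 2**31-1 and 2**61-1.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)


def make_signers(public_exps):
    """Return {name: (E_i, D_i)}: each node's public exponent and the
    matching private exponent D_i = E_i**-1 mod phi(n). All share n."""
    signers = {}
    for i, e in enumerate(public_exps):
        assert gcd(e, PHI) == 1, "public exponent must be coprime to phi(n)"
        signers[f"node{i}"] = (e, pow(e, -1, PHI))
    return signers


def sign_stack(m, signers, order):
    """Each node in `order` signs whatever the previous node produced.
    Modular exponentiation commutes, so every order yields the same S."""
    s = m % N
    for name in order:
        _e, d = signers[name]
        s = pow(s, d, N)
    return s


def verify_stack(s, m, signers, expected):
    """Check a stacked token against the product of the expected public
    exponents. This only answers whether exactly `expected` signed."""
    e_prod = 1
    for name in expected:
        e_prod *= signers[name][0]
    return pow(s, e_prod, N) == m % N


def who_signed(s, m, signers):
    """Recover the signer set by trying every subset: 2**k checks for k
    nodes (2**20 for the post's 20). S carries no identification itself,
    and a node that signed twice matches no subset at all."""
    names = sorted(signers)
    for r in range(len(names) + 1):
        for subset in combinations(names, r):
            if verify_stack(s, m, signers, subset):
                return set(subset)
    return None


def factor_from_private_key(e, d, n):
    """Shared-modulus caveat (an editor's addition, not from the post):
    e*d - 1 is a multiple of phi(n), so a node holding one (E_i, D_i)
    pair can factor n and compute every other node's D_j from E_j.
    Standard method: write e*d - 1 = 2**t * r and look for a nontrivial
    square root of 1 among g**r, g**(2r), ... mod n."""
    k = e * d - 1
    t = 0
    while k % 2 == 0:
        k //= 2
        t += 1
    for g in range(2, 100):
        x = pow(g, k, n)
        for _ in range(t):
            if x in (1, n - 1):
                break
            y = pow(x, 2, n)
            if y == 1:  # x*x == 1 with x != +-1: gcd splits n
                p = gcd(x - 1, n)
                return (min(p, n // p), max(p, n // p))
            x = y
    return None


if __name__ == "__main__":
    signers = make_signers([17, 19, 23, 29])
    m = 123456789  # constructed toy message
    order = ["node0", "node1", "node2", "node3"]
    s = sign_stack(m, signers, order)
    print("all four signed, any order:", s == sign_stack(m, signers, order[::-1]))
    print("verifies with E0*E1*E2*E3:", verify_stack(s, m, signers, order))
    partial = sign_stack(m, signers, ["node0", "node2"])
    print("who signed (brute force):", who_signed(partial, m, signers))
    twice = sign_stack(m, signers, ["node0", "node0", "node1"])
    print("double signing identified as:", who_signed(twice, m, signers))
    e0, d0 = signers["node0"]
    print("node0 alone factors n:", factor_from_private_key(e0, d0, N) == (P, Q))
```

The brute-force recovery in who_signed is the "isn't trivial" point from the
post made concrete: it is 2**k verifications, and it cannot distinguish a
legitimate set from a set in which one node contributed twice. The last
function is the reason a real threshold-RSA design shares a single private
exponent d (for example additively, so each node emits M**d_i and the product
is M**d) rather than handing each node an independent exponent for a common
modulus.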