[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Anonymous nym ratings

Adam Back writes:
> Probably a good rule of thumb is never to sign anything and always
> post via a mixmaster chain.

Good idea!

> Some messages don't need a persistent nym
> even.  Perhaps one could construct a zero knowledge proof of nym
> reputation rating without identityfing the nym which might be useful
> for filtering without linkability.

This could be done via some of the recent work on group signatures.
Efficient methods have been developed to show that a message is signed
by a key, without revealing what the key is, but proving that the key
itself is signed by a specific other key.

Imagine an editor who only signs keys belonging to people who deserve
to get through filters.  Call this "endorsing" a key.  If you respect
that editor, you set your filters to let messages through which are by
keys he has endorsed in this manner.  Now, people can submit messages
anonymously, but in such a way that they are provably written by an
endorsed key, without revealing which key it is.

The protocols are reasonably efficient, with signature verification taking
about 20 times longer than a regular DSS signature.  However the methods
involve blind signatures, and hence would infringe upon Chaum's patent.

The group signature was described at Crypto 97; an extension for blind
group signatures at Asiacrypt 98; and more work will be presented at
FC 99.