Cryptography Reference
In-Depth Information
cating signatures is placed in trust with her lawyer
B.
After the death of
A
, the lawyer
can make the secret information public knowledge and all signatures can be verified.
B
does not have the ability to alter or create new signatures on behalf of
A.
52
These justificatory narratives are also remarkable with respect to their
integration of broad assumptions about the litigation process, in particu-
lar the ability of courts to appreciate the evidential power of signatures
based on their underlying mathematics. Fail-stop signatures, for example,
are precisely designed to provide supplementary evidence to the judge,
in the case where a signature scheme's computational assumptions are
broken:
If a signature scheme is broken although one had reasons to hope it would not, the
supposed signer of a message with a forged signature is defenseless: The forged
digital signature looks exactly like an authentic one. If it is presented to a court, the
court decides, still with the public test key T, that the signature is valid. Thus the
supposed signer will be held responsible. (The recipient of a signed message, however,
is absolutely secure: If he has checked that the signature passes the test with the
public test key, he knows that it will also do so in court, no matter if it is authentic
or forged.) At least this is the technical view of what a court should do. A real court
is not obliged to comply with this view. (At least German courts are not obliged to
acknowledge a handwritten signature either.) It could believe the protestation by
the supposed signer that the signature is a forgery, the more so since the signer can
adduce that the signature scheme relies on an unproven assumption, no matter how
long it has been examined. However, if this were the case, recipients would not be
secure at all any more: Even if the assumption is perfectly correct and no signature
is ever forged, the real signers could now deny their signatures in court, just like
the supposed signer above. It is impossible for the court to distinguish the two
cases.
53
The scenarios are sometimes extremely detailed. For example, in “How
to Leak a Secret,” Rivest, Shamir, and Tauman propose the following with
respect to potential applications of ring signatures:
To motivate the title for this paper, suppose that Bob (also known as “Deep Throat”)
is a member of the cabinet of Lower Kryptonia, and that Bob wishes to leak a juicy
fact to a journalist about the escapades of the Prime Minister, in such a way that
Bob remains anonymous, yet such that the journalist is convinced that the leak was
indeed from a cabinet member. Bob cannot send to the journalist a standard digitally
signed message, since such a message, although it convinces the journalist that it
came from a cabinet member, does so by directly revealing Bob's identity.
It also doesn't work for Bob to send the journalist a message through a standard
“anonymizer,” since the anonymizer strips off all source identification and authen-
tication: the journalist would have no reason to believe that the message really came
