How to leak a secret

Posted March 15, 2006

Cryptography is a wonderful subject to dabble in, because it relies on both mathematics and cloak-and-dagger cleverness. You not only have to be smart enough to make the mathematics work, but you have to be smart enough to ensure that your mathematical kung-fu is able to withstand determined attacks from every other cryptographer in the world, armed with resources you can only dream of. Very fun.

I recently heard of a twist on the standard digital-signature schemes which struck me as especially neat. They're called ring signatures (PDF), and they focus on the problem of anonymous whistleblowers.

You want to report your record-falsifying boss without endangering your job. If you sent in a fully anonymous tip, nobody would really believe you. So you create a ring signature, calculated from your private digital-signature key and the known public keys of the other employees in your group. Sign your anonymous email with that, and the recipient (by looking up the various public keys) can verify that someone in your group wrote the note, authenticating the information, but they can't tell which one.

This is very neat, and moreover it doesn't even depend on the details of the digital-signature scheme, so you can co-opt the public key of virtually anyone using any algorithm, and create the possibility that they miiiiight have signed your incriminating message themselves.
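To make the sign-and-verify flow above concrete, here is an added example (not code from this post or from the linked paper) of a ring signature in Python. It swaps in a Schnorr-style ring in the manner of Abe, Ohkubo and Suzuki rather than the RSA-based construction the paper describes, because it fits in a few lines. The group parameters `P` and `G`, the function names and the sample message are assumptions chosen for illustration, not vetted for real use.

```python
import hashlib
import secrets

# Toy group for illustration only (not a vetted parameter choice):
# arithmetic is mod the prime P, exponents are reduced mod P - 1.
P = 2**255 - 19
G = 2

def keygen():
    """Return (private x, public y = G^x mod P)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def challenge(ring, msg, point):
    """Hash the ring, the message and a commitment into an exponent."""
    data = repr((tuple(ring), point)).encode() + b"|" + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def ring_sign(msg, ring, j, x):
    """Sign msg as member j (private key x) of ring, a list of public keys."""
    n = len(ring)
    c, s = [0] * n, [0] * n
    k = secrets.randbelow(P - 1)
    c[(j + 1) % n] = challenge(ring, msg, pow(G, k, P))
    # Walk the ring, simulating every other member with a random response.
    for step in range(1, n):
        i = (j + step) % n
        s[i] = secrets.randbelow(P - 1)
        commit = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = challenge(ring, msg, commit)
    # Only the real signer can close the ring: G^s[j] * y_j^c[j] == G^k.
    s[j] = (k - x * c[j]) % (P - 1)
    return c[0], s

def ring_verify(msg, ring, sig):
    """True if some member of ring signed msg; sig carries no signer index."""
    c0, s = sig
    if len(s) != len(ring):
        return False
    c = c0
    for y, si in zip(ring, s):
        c = challenge(ring, msg, pow(G, si, P) * pow(y, c, P) % P)
    return c == c0

if __name__ == "__main__":
    keys = [keygen() for _ in range(4)]      # constructed sample group
    ring = [y for _, y in keys]              # only public keys are needed
    tip = b"the Q3 records were falsified"   # constructed sample message
    sig = ring_sign(tip, ring, 2, keys[2][0])
    print(ring_verify(tip, ring, sig), ring_verify(b"altered", ring, sig))
```

Note that `ring_sign` touches only the other members' public keys, which is why nobody else in the ring has to cooperate or even know they were included.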