How to safely share information in the digital world without revealing yourself?

Man

Man

Professional
Messages
3,222
Reaction score
820
Points
113
Don't talk anonymously!

Don't talk anonymously!

Situations​

For example, a contributor to an open source project wants to talk about plans but remain anonymous.

Or another example: some technology company is involved in shady dealings and some honest employee wants to stop it. He doesn't know how many like-minded people like him are, but he knows for sure that if these shady dealings are confirmed by only one or two people, they will be quickly fired and nothing will change. He writes a message on an anonymous forum and gets support from other users who claim that they are supposedly his colleagues, but you can't believe this because it could just be a troll.

Or maybe there is just some topic that is forbidden for discussion that you really want to discuss.

What to do? Use ring signatures!

Ring signature​

In a ring signature, unlike a regular signature, many public keys are used. A set of such public keys is called a ring, and to create a valid signature, it is enough to know only one private key from this ring. In this way, the author of the signature is hidden among other possible authors.

If you take your public key (to which the private key is known) and the public keys of other people, you can make a signature from which it will be unclear who exactly signed it, but it will be known for sure that it was someone from the ring. Both anonymity and authenticity are preserved.

Signature example​

First, let's create a key pair. In this example, I'll use the OpenSSH format for ED25519 keys.
Code: 
ssh-keygen -t ed25519 -N "" -f demo

We get two files: demoand demo.pub. Contents of the file with the public key:
Code: 
> cat demo.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMm1mCqNBuabE7TJtUUVvQUYQEa3TFuOShS9ytPahlx3 vasilii@carbon

and with private (this is a demo, so you can safely post it)

Code: 
> cat demo
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDJtZgqjQbmmxO0ybVFFb0FGEBGt0xbjkoUvcrT2oZcdwAAAJjU2/q/1Nv6
vwAAAAtzc2gtZWQyNTUxOQAAACDJtZgqjQbmmxO0ybVFFb0FGEBGt0xbjkoUvcrT2oZcdw
AAAEBtElLYWTIfj186r9w8EhF748GQuEVWtDs6jikaUcEK+cm1mCqNBuabE7TJtUUVvQUY
QEa3TFuOShS9ytPahlx3AAAADnZhc2lsaWlAY2FyYm9uAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----

Now let's take the public keys among which we will hide. I took a couple of React contributors (https://github.com/facebook/react/graphs/contributors) and their public keys from GitHub https://api.github.com/users/zpao/ssh_signing_keys and https://api.github.com/users/acdlite/ssh_signing_keys

Code: 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7DuT1T4hHljylm/bTFKg8cGvfafQyI6O+aB1cHM7Yp
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIELtSHIyptiTWlcjVK5HxH+L+AvmcLM3wFNOi7Yqg7UW

Let's add my public key to them, let's say, in the last place, removing the part with the name (it works as a comment):
Code: 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7DuT1T4hHljylm/bTFKg8cGvfafQyI6O+aB1cHM7Yp
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIELtSHIyptiTWlcjVK5HxH+L+AvmcLM3wFNOi7Yqg7UW
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMm1mCqNBuabE7TJtUUVvQUYQEa3TFuOShS9ytPahlx3

You can create and check a ring signature on the website https://cryptopoll.org/sign, so we go there, import our private key (everything happens on the frontend, the key does not go anywhere over the network), write a message in the left field, and a list of public keys in the right field:

Signing the message

Signing the message.

We receive a signed message:
Code: 
{"m":"Hello Carder, this is my secret message!",
 "mh":"2d84e3b802b62840ff08025d06f3fe03e0c1d67314b2af473c92108318b44452",
 "pkh":"b7822daca942eafac5e614063f5377ea3e2980baadfd57d02092aac799711a9f",
 "sig":{"II":"650bf8d4a6fa616a2e68b11bf0d23735668328aa850f50a14c46017c882d32de",
        "cc":"6180a0d3d2dcf5dde4892d7e4ba62e22a8217f8691d468471f6aee57aa2ded0e",
        "ss":["2eb3080ebab3bd418c81fd220df62b2ab2f2dc4c8848f2f5c98290be66b46e0a",
              "7d5b5e5218b4601ab0316869a51077dfe3f62e19956aaccfee39e26d011b5502",
              "093fa9e5c809120f71b95f92c3eecee42e4be5499470c238a5f8942966b8bc03"
             ]}}

Now you can send it to someone along with a list of public keys:
Code: 
Hello everyone, here is a message signed by one of us:

{"m":"Hello Carder, this is my secret message!","mh":"2d84e3b802b62840ff08025d06f3fe03e0c1d67314b2af473c92108318b44452","pkh":"b7822daca942eafac5e614063f5377ea3e2980baadfd57d02092aac799711a9f","sig":{"II":"650bf8d4a6fa616a2e68b11bf0d23735668328aa850f50a14c46017c882d32de","cc":"6180a0d3d2dcf5dde4892d7e4ba62e22a8217f8691d468471f6aee57aa2ded0e","ss":["2eb3080ebab3bd418c81fd220df62b2ab2f2dc4c8848f2f5c98290be66b46e0a","7d5b5e5218b4601ab0316869a51077dfe3f62e19956aaccfee39e26d011b5502","093fa9e5c809120f71b95f92c3eecee42e4be5499470c238a5f8942966b8bc03"]}}

The public keys used were these, the fact that they belong to us can be verified on GitHub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7DuT1T4hHljylm/bTFKg8cGvfafQyI6O+aB1cHM7Yp
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIELtSHIyptiTWlcjVK5HxH+L+AvmcLM3wFNOi7Yqg7UW
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMm1mCqNBuabE7TJtUUVvQUYQEa3TFuOShS9ytPahlx3

Any recipient can verify that the keys are actually on GitHub and that the signature is correct by visiting https://cryptopoll.org/verify

Checking the signature

Checking the signature.

The signature is correct!

The signature is correct!

What kind of site is this anyway?​

Ring signatures were invented quite a long time ago, more than 20 years ago. In the real world, these signatures are used in the cryptocurrency Monero, which provides complete anonymity. Since the cryptocurrency costs real money, as does its anonymity, such crypto code has particularly high security requirements. There is still no known method for hacking or deanonymizing ring signatures and their implementation in Monero. The site above is simply a copy-paste of the code from the cryptocurrency in WebAssembly, one-to-one as in cryptocurrency transactions.

One author of the message or different ones?​

How to understand that messages are from different authors or from the same one? For this, there is a key image in the ring signature, it is something like a hash of a private key. If the same private key was used to create the signature, then the key image will be the same, even if a different ring is used.

For example, here is another message (using the same public key ring):
Code: 
{"m":"Hi, this is my second message!",
 "mh":"297c352910c386aac52c171beef2099a58432f6307cc7cf67709b48498168af8",
 "pkh":"b7822daca942eafac5e614063f5377ea3e2980baadfd57d02092aac799711a9f",
 "sig":{"II":"650bf8d4a6fa616a2e68b11bf0d23735668328aa850f50a14c46017c882d32de",
        "cc":"190394d0406ec4b2ef04b38f8a86f93a0682cbdd39f3caa4d7e881c723a6fd07",
        "ss":["20054842302128c11edc6ec9d806791017c3bbd1f45733ac6a28bb04184bf20d",
              "a727e3cb30cdf8e360921ae6f5eca512e7148181322e24f1625aa0c239ac1409",
              "70318a843f7e9a052e0f4bff9ccdf69d47558046a0b89d979e8dff1db900110f"
             ]}}

When checking the signature, we see that the key image 650bf8d4a6fa616a2e68b11bf0d23735668328aa850f50a14c46017c882d32deis exactly the same as before, so we understand that these messages have the same author:

The signature is correct and the key image is the same.

The signature is correct and the key image is the same.

Accordingly, when the key image is different, we can be sure that the authors are different.

In Monero, this key image is used to prevent double spending.

Other possible uses of ring signature​

In addition to the examples given at the very beginning, this cryptographic approach can be used to organize elections or collect feedback. Anonymity is provided by the ring, and the presence of a key image ensures protection against double voting.

The initial phase of collecting public keys can be difficult, but since developers often add their public keys to GitHub, you can use this platform as a registry of public keys.

Right now I can already take the keys of my colleagues from GitHub, take my GitHub key, make a message, for example, "My boss is good", and distribute this message on forums or on sites like Glassdoor. In this case, accusations of cheating will be unfounded because this is really a message from some employee. Also, if the review is negative, the company will no longer be able to get away with the machinations of competitors!

Total​

Ring signatures are a powerful cryptographic tool that is not yet fully utilized in everyday life, but has proven security through many years of use in the Monero cryptocurrency.

Source
 
You must log in or register to reply here.

Similar threads

Man
Encrypting TLS Certificates - How a Digital Signature is Formed
Replies
0
Views
105
Man
Man
chushpan
How SSH tunnel works
Replies
1
Views
142
Man
Man
Man
Write our own program for file encryption
Replies
0
Views
105
Man
Man
chushpan
Data encryption
Replies
2
Views
71
Cloned Boy
Cloned Boy
Man
Hidden Lake Anonymous Network: Transition to Post-Quantum Cryptography
Replies
0
Views
227
Man
Man
Back
Top