Is-A-Person Credentials

26 Aug 93

Some people have argued that there is no way to prevent the use of multiple pseudonyms on the net, that it is possible today and that the new crypto technologies will provide even easier techniques tomorrow.

This is an oversimplification, as Tim May points out. "Is-a-person" credentials can be used to determine whether someone is a "True Name" or not, which is really what Larry Detweiler wanted to know. Here is one way they might work.

(To make this clearer, it is best to think in terms of the equation, pseudonym == public key. A pseudonym is a public key. We think of pseudonyms as being names, like "wonderer" or "sam hill", or perhaps as email addresses, like "hacker@univ.edu". But from the point of view of cryptography, these are just frills. The important thing is the key. With a public key, a pseudonym can sign his messages, so that nobody else can successfully pretend to be him. He can read messages sent to him, messages which no one else can read. If he has to switch email addresses he can do so and still maintain his identity by continuing to use the same key. It is his key which is his real identity on the net. OK, back to the is-a-person credential:)

An is-a-person credential could be structured identically to the digital coins used in Chaum's simple digital cash proposal. You would go to the credentialling agency and provide some unique form of identification, something that no one else could forge. Today this might be a thumbprint, or in the future it could perhaps be a DNA scan. However, you do not have to identify yourself by name. They don't need to know who you are; they only know that you are a living, breathing human being, one whom they have not seen before. (There could be more than one credentialling agency, but they would all share a database of thumbprints or whatever.)

You choose a special public key which you will use for all of your True Name activities on the net. This public key will be used to sign messages which you want to prove are from a real person. Any message sent with that signature is known to be from a True Name and not from a nym. Only one True Name exists per person.

Note that this True Name doesn't have to be your real name. If you want to always post under John Q. Public and use this special key for that purpose, you can do so. But you won't be able to post under any other name, including your own, as a True Name, not unless you use that same key. And of course if you do, people will be able to know that you are the same as John Q. Public since you are using the same signature key.

The way this is established is that you take your True Name key, which we'll call TN, and do as was done for Chaum's cash: pass it through a one-way function f, and blind with a random number r^3: f(TN)*r^3. You give this to the credentialling agency when you come in with your thumbprint, and they sign it by taking the cube root. This is f(TN)^(1/3) * r. Back home, you divide by r, getting f(TN)^(1/3).

This is your True Name certificate. You can submit it to a public key registry along with TN; anyone can calculate f(TN) and verify the credentialling agency's signature. People will therefore know that this key is the only one belonging to some real person which is signed in this way. Only one such key can exist for each person.
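The blind, sign, unblind and verify steps above can be traced in code. This is an added example, not part of the original post: it assumes RSA with public exponent 3 as the "cube root" signature and SHA-256 as the one-way function f, and the toy primes, the Agency class and the thumbprint strings are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters: two small, well-known primes, both = 2 (mod 3),
# so cubing is invertible mod N. A modulus this small is trivially factorable.
P, Q = 998244353, 1000000007
N = P * Q
E = 3
D = pow(E, -1, (P - 1) * (Q - 1))  # agency's private "cube root" exponent

def f(tn_key: bytes) -> int:
    """One-way function f: SHA-256 of the True Name public key, reduced mod N."""
    return int.from_bytes(hashlib.sha256(tn_key).digest(), "big") % N

def blind(tn_key: bytes):
    """User: pick a random r and return (f(TN) * r^3 mod N, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:  # r must be invertible so it can be divided out later
            return (f(tn_key) * pow(r, E, N)) % N, r

class Agency:
    """Signs exactly one blinded value per previously unseen thumbprint."""
    def __init__(self):
        self.seen = set()  # shared database of thumbprints (stand-in strings here)

    def sign(self, thumbprint: str, blinded: int) -> int:
        if thumbprint in self.seen:
            raise PermissionError("a credential was already issued for this person")
        self.seen.add(thumbprint)
        return pow(blinded, D, N)  # cube root mod N: f(TN)^(1/3) * r

def unblind(signed_blinded: int, r: int) -> int:
    """User: divide by r, leaving the certificate f(TN)^(1/3)."""
    return (signed_blinded * pow(r, -1, N)) % N

def verify(tn_key: bytes, cert: int) -> bool:
    """Anyone: cube the certificate and compare it with f(TN)."""
    return pow(cert, E, N) == f(tn_key)

if __name__ == "__main__":
    tn = b"constructed True Name public key"
    agency = Agency()
    blinded, r = blind(tn)  # the agency only ever sees this blinded value
    cert = unblind(agency.sign("thumbprint-001", blinded), r)
    print("certificate verifies:", verify(tn, cert))
    print("other key verifies:  ", verify(b"some nym key", cert))
```

The agency's record ties the thumbprint only to the blinded value, while the registry sees only TN and the certificate; the random r is what keeps the two from being matched.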

So, if people claim to be posting under True Names, they can prove it very easily, by using their True Name key, signed by a credentialling agency. People can still post under as many nyms as they want, but only one gets to call itself True.

Note that this solution doesn't reveal very much about the person. Because the certificates are blinded by r^3 when they are signed, even the credentialling agency has no way of knowing which thumbprints are associated with which True Name. (So, actually, it wouldn't be a problem if the agency got your name and address when you came in - this still couldn't be linked with your postings if you didn't want it to be.) Nobody is forced to even use a True Name when they post; they could use nothing but nyms. On the other hand, if people want to reserve certain conferences for True Names only, they can. There is tremendous flexibility to have as much or as little use of nyms as people want.

So, people should not be so quick to claim that crypto can only be used to increase anonymity. It is a powerful technology that can be used to increase our control over information in many ways. Chaum's papers continue to amaze me with what is possible.

Hal Finney
hal@rain.org