Bogus digital signatures, Re: OT: utility account transfer frauds

Charles Lindsey Charles Lindsey <chl at clw.cs.man.ac.uk>
Fri, 11 Oct 2002 17:27:45 +0100 (BST) 

	On Fri, 11 Oct 2002 01:11:23 +0100
	Matthew Astley <lists-ukcrypto@fruitcake.demon.co.uk> said...

> 
> On Thu, Oct 10, 2002 at 10:23:49PM +0100, Peter Tomlinson wrote:
> > David Howe wrote:
> 
> > > I am just waiting for this to fail, and fail badly in court. the
> > > obvious defense is to prove (by example) that two documents, with
> > > different content, can have the same digital signature
> 
> I'm told that someone suggested distributed.net should look for an
> instance of a collision on MD5, by collecting values that when hashed
> repeatedly give a result which has the top 32 bits clear.

Yes, but finding a random collision is of no help in the problem we are
discussing. All you will be able to exhibit is two streams of random
bits which have the same hash. So what?

Now if you can produce two English texts that have the same hash, then
that might be something.

But even that is not enough. We started out where the "victim" has
signed some text, presumably a text that was meaningful to him,
otherwise why should he sign it?

Now the bad guy comes along, and he has to find some other meaningful
text that hashes to the same as the original. Worse than that, he
has to find some text whose meaning is such as to be useful in
embarassing/blackmailing/whatever the victim. That is a hard problem,
and the birthday paradox gives you no help at all.

In our scenario, the victim is trying to repudiate some incriminating
text that he has allegedly signed. So he has to persuade the Court that
some Bad Guy has solved the problem I described above, starting with
some other innocent text previously signed by the victim.

The Court is not likely to be convinced by being shown two random bit
strings with the same hash. The Court might be impressed with two
English texts with the same hash, but even then a competent expert
witness should be able to explain why that is irrelevant to the
particular circumstance.
> 
> It's all pointless anyway, because the real question is "how much do
> you need to pay the cleaner, in order to get access to steal the
> private key?".

Or, in this case, the victim has only to convince the court that he did
not keep his key particularly secure, and that the Bad Guy must have
sneaked in and snitched it.

Which seems to me like a good argument why the law should assume that
anyone who does not keep his key secure should be made to abide by the
content of anything signed with it.

Otherwise, you arrive at the situation in W.S.Gilbert's "Utopia Ltd".

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl@clw.cs.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5