asciilifeform: mno, he would need an S' such that H(S') == H(S)
asciilifeform: using the formulation above, describe what hitler should do
asciilifeform: so, for convenience, i'll reprint: 1) at time T, i publish Ksign(H(S)), where S is a lengthy random string; at time T1, when i wish to invoke the continuity i publish H(S+J) ; at time T2: J; at time T3, S.
asciilifeform: btw if mircea_popescu ONLY wants to give J' to his best friends, he can do that already via the otp he has with them.
asciilifeform: likewise 'my inner circle knows what the true J' is' is not solving same problem as 'everyone who knew Kpublic can reliably learn true J' ' which in the case of serious 'for the ages' signatures, e.g., vtronics, you actually ~do~ want
asciilifeform: current thread is re parachute specifically against catastrophe that would burn down rsa, c-s, similar.
asciilifeform: gossipd, in all proposed variants, relies on numbertheoretical crypto
asciilifeform: this cannot actually be guaranteed physically, realized.
asciilifeform: which is ~why~ i had the multiple steps.
asciilifeform: you are open to mitm in the act of deedbotting.
asciilifeform: J.sign can sign anything anyone likes once J is known.
asciilifeform: i get it, mircea_popescu reeeeeally loves the repudiability thing, but you gotta be careful not to make a cannon that shoots in ALL directions simultaneously. someone has to get privileged knowledge of the true J' or you are cryptodead.
asciilifeform: outside of buttsex room, there is no such thing as a 'one message' that cannot be mitm'd.
asciilifeform: mircea_popescu: what means 'one message' ?
asciilifeform: recall, if rsa died, mircea_popescu cannot simply pgp the J' to his current circle of friends.
asciilifeform: and if you posit the otp (or some other way, perhaps through buttsex, for him to give the True J' to the intended recipients) it turns into my algo.
asciilifeform: so you published both halves of the k keypair, correct ?
asciilifeform: i have the deedbotted hash(salt+pubkey.K) to work with
asciilifeform: ok, can haz algo? i found a string J, which is a public key for an asymmetric cryptosystem, that purports to belong to mircea_popescu, and published after the rsacalypse. what do i do with it.
asciilifeform: but to permit ~any~ Jsystem and ~any~ J in advance.
asciilifeform: and we want the algo specifically not to depend on how Jsystem works.
asciilifeform: it is just a string of bits, for the purposes of this gedankenexperiment.
asciilifeform: recall, we don't know anything about the cryptosystem J is a pubkey for.
asciilifeform: anyway this is ~= earlier algo, just with one fewer step
asciilifeform: ah in this case with the usual meaning of deedbot, 'sign with wot key'
asciilifeform: or hm, if it's an unpublished key, he does not. but how did you link it with your actual key
asciilifeform: mircea_popescu: here's the lethal boojum: enemy knows privkey.K at t2 and if he can get to his keyboard before you get to yours, you're dead
asciilifeform: if you divulged the seed, you divulged the privkey
asciilifeform: i did say 'key J for a possibly yet-undiscovered cryptosystem'
asciilifeform: mircea_popescu: this works if your K is known in advance
asciilifeform: where you demonstrate that you knew Kpriv and a secret S at time T, and at some time T+i you show that 'he who knew S at time T now wishes to use key J for everyday life.'
asciilifeform: at any rate, it is not difficult to generalize this scheme into a wide variety of 'parachutes'
asciilifeform: perhaps this is obvious from my description, but i have learned that it sometimes helps to restate the obvious.
asciilifeform: which is why for such a scheme to work, it would have to be agreed-upon in advance by the participants.
asciilifeform: but these are to be rejected by the verifier if the latter can locate an earlier Ksign(H(S)).
asciilifeform: if K is broken publicly, or privately by the enemy, any time ~after~ T, the breaker (or anyone who learns the privkey) can try to endeedbot his own Ksign(H(S)) for his own S
asciilifeform: note, J can even be another pgp/rsa key, if you are insuring against merely a 'key costs $100M and takes 5years to break' scenario, rather than catastrophic rsacalypse
asciilifeform: mircea_popescu et al : see if you can find a simpler variant.
asciilifeform: scheme relies strictly on the strength of H (and integrity of the blockchain...)
asciilifeform: at time T3, i reveal, and deedbot, S.
asciilifeform: anyway here is a simple, 'low-tech' lamport-style scheme. let K be my current pgp key; J be a future, continuity-of-life key in some yet-undiscovered system ;
asciilifeform: but i mention lamport specifically because it does not rely on number-theoretical conjecture (on the other hand, hashing relies on ????????? for hardness...)
asciilifeform: would also have a secondary 'fleet in being' effect
asciilifeform: (with which to sign a new conventional pubkey if such a thing were to come.)
asciilifeform: while we're on the subject, there may be merit in deedbotting a lamport-style one-shot public key for the event of an 'asteroid' (serious number-theoretic breakthrough, or the like)
