If you are that paranoid about interception, and someone correlating the messages, it seems like you would also want to rotate the key fairly frequently,perhaps including the new public key in the encrypted text of the email.
Sure, there are lots of ways to avoid that particular risk. But the point (and the point of the article as I understand it) is that the need to do so is not necessarily an intuitive property of signature algorithms.
As the opening paragraph of the article points out, there is a lot of interesting vulnerability space surrounding reasonable properties of cryptographic algorithms that reasonable people might incorrectly assume they do or do not have. This is not necessarily a critique of any particular algorithm, but a reminder that designing secure cryptographic protocols is fiendishly difficult and that all else being equal, designers and users should probably prefer algorithms and protocols designed to limit surprising properties or catastrophic failure modes.
For signatures? That would defeat the entire point, unless you also sign the new key using your old key and attach that signature (and then you're back to square one).
Or do you mean you'd pre-exchange all these public keys? That would work, but be practically pretty tedious. I wonder if there's a way to do better using hierarchical public keys? I think there's a way to derive child public keys without having the corresponding private key.
You can still verify the message was signed by the generated (and attached) key, and no other. Aka verify integrity.
If the goal is to be anonymous, then being able to verify it was signed by a given individual is of course fundamentally undesirable no?
You fundamentally can’t be able to both verify a given individual signed something AND have who signed something be actually anonymous. At best you can obfuscate or attempt to hide who signed it, but if you have a candidate you can check. Which means they aren’t really anonymous.
Just not immediately identifiable. If you have a suspect, you can still nail them.
If you generate a new pub/private key pair per post, if desired the poster could retain the private key and still prove they wrote it later - while not being otherwise identifiable if they wanted to remain anonymous.
> If you generate a new pub/private key pair per post, if desired the poster could retain the private key and still prove they wrote it later
Digital signatures can't prove authorship that way, though. If I write a message m to you, you can be certain that I sent you that message, but not that I was the one who originally wrote it.
> You fundamentally can’t be able to both verify a given individual signed something AND have who signed something be actually anonymous.
Exactly: Signatures without any concept of signer identity don't make sense.
Ownership of the private key (of the original pub/priv key pair) is as strong a verification of ownership as crypto can provide. And the private key could just as easily be signed by the ‘public’ key pair, which is signed by others if you wanted some web of trust whatever. While not requiring disclosure or external per-key signing or validation of the posting keys.
And someone being able to provide that private key on demand, would allow them to de-anonymize themselves if they wanted, without anyone else being able to force themselves to do so - by say resigning the message with a different nonce/padding, same key pair, same cipher text. So they could, if desired, prove to someone else they wrote it, while not having to disclose the private key.
And they could prove to themselves (trivially) that it was their post that made it intact to wherever it was supposed to be posted. And everyone else could verify the post hadn’t been tampered with, without having a clue who made the post. (And yes, someone could duplicate the post with their key - but the original poster could detect that!).
But no one could force de-anonymize them, or impersonate them in a way that would withstand that verification.
Ownership of the private key proves exactly ownership of the private key. Sometimes that means you're trusted to make certain statements (e.g. about value transfers in the case of cryptocurrencies); other times that means you can identify yourself in some scheme.
What you definitely can't do with that by itself is prove that you are the author of a message signed with a given key, because anybody else could just sign the same original message with their key, and then send a follow-up message using that same key. How'd anyone know which message, and by extension which key, is the real one?
You need some extra infrastructure to pseudonymously prove authorship, e.g. a secure timestamping service.
The public key could be exchanged the same way as the one time email addresses, or if the emails are ordered, each email could include the next public key in the message. In the latter case, you effectively have signed the public key with the previous key, but you can only access it if you have the recipient private key.
As the opening paragraph of the article points out, there is a lot of interesting vulnerability space surrounding reasonable properties of cryptographic algorithms that reasonable people might incorrectly assume they do or do not have. This is not necessarily a critique of any particular algorithm, but a reminder that designing secure cryptographic protocols is fiendishly difficult and that all else being equal, designers and users should probably prefer algorithms and protocols designed to limit surprising properties or catastrophic failure modes.