Zebrasign Logo Zebrasign
Verify Signature About FAQ

Practical Ring Signature Q&A

Q: What's in it for me? Why would I want to join a ring full of dissidents? It will surely have adverse selection, putting me in bad company.

A: That is a misunderstanding of the protocol. You can't join someone else's ring. Rings are single-use, assembled fresh for each message, and imposed upon the non-signers by the true signer. Anyone who knows your public key can add it to a ring.

Q: Okay, but still–why would I want to share my public key beyond my trusted friends? Isn't that risky?

A: Yes. If you post your public key publicly, then indeed it becomes much more likely that you will see it signed below messages you don't like, or next to names you don't want to be associated with. That's a genuine downside for you (and it's an upside for the creators of those messages). The upside for you is that you can ring-sign messages that will be credible to the public. If you instead only share your public key with trusted friends, then both the upsides and downsides will be limited: smaller potential risk, smaller potential audience. Navigating that tradeoff is up to you.

Q: Can't a reader infer the true signatory based on the content of the message?

A: Yes. If minister of finance Bob has been complaining too often about the prime minister's secret malfeasance, and then he anonymously reveals that malfeasance inside a ring-signed message, then the PM will identify him as the top suspect and may retaliate accordingly. (Of course, it may turn out that a different cabinet member is trying to frame Bob. It's hard to contrive a truly straightforward threat model even in a thought experiment.) Also, the true signatory may be inferred by stylometric analysis. In the absence of effective obfuscation techniques, this threat will increase as LLM stylometry improves. Consider these risks when creating and sending ring-signed messages.

Q: Can't this be used for petty interpersonal drama?

A: Yes. But it can also be used to overcome isolation tactics or other abusive social dynamics. These use cases cannot be cleanly separated, and I expect the good to be worth the bad. It's also worth noting that, in general, people cannot agree on which interpersonal conflicts are petty drama and which are serious issues that deserve attention.

Q: Didn't Bostrom curse unilateral actions? Given that creating a ring is in general done without permission, won't it be subject to that curse?

A: Presumably yes, but I have trouble thinking of a way to use ring signatures to perpetrate large net harms that couldn't already be perpetrated without ring signatures. The protocol tends to promote transparency and honesty, so ring signatures should cause net counterfactual harms only in situations where increased transparency and honesty are harmful, and fully anonymous messages cannot already cause those harms.

Q: What if I want a message to have multiple true signatories?

A: That is called a k-of-n threshold ring signature. Those would be very useful if there was a safe and convenient way to create them. Unfortunately, it seems that they intrinsically require coordination among each of the k true signatories, which increases the complexity and security burden. It would be a substantially larger software development challenge. I hope someone with more funding and development resources than me attempts to create a convenient app for threshold ring signatures.

Q: Why only MacOS?

A: Developing software is hard. One thing at a time.

Q: Why does the web version allow verifying but not signing?

A: The threat models are different. If users were allowed to do everything from the web version, then the following situation would eventuate: a user would log in to ZebraSign on their employer's WiFi without a VPN, then ring-sign a damning accusation against that same employer, and then navigate over to pastebin or twitter to post it. The employer would see the accusation, check their network logs, easily identify the true accuser, and then expose them or otherwise retaliate. Trust in ZebraSign would be irreparably damaged, which would permanently curtail adoption and network effects. It is too much to expect users to remember to use a VPN every time they use ZebraSign on someone else's network. In contrast, while it's still possible for an employer to make inferences based only on which employees access the web-based verifier at which times (plus the message content), overall it seems like a much smaller threat.

Q: Why can't I move my keys to a new device?

A: I intend to add that feature in the future, via Magic Wormhole, so that users don't have to update their directories every time someone gets a new computer.

Q: Why not let me just access my keys directly?

A: I have thought about adding a command line feature to allow that for power users, but it is low priority. Given the above plan to add key sending via Magic Wormhole, the additional risks of letting regular users read out their own keys directly from the app do not seem worth it.