I get tons of emails from people, telling me they agree with me privately, but that they can't say so out loud for fear of retaliation.
-- various writers, podcasters, public thinkers, etc.
I know very little about cryptography...but shouldn't ring signatures be helpful for exactly this problem? Are there any issues that make them unsuitable, even in principle?
What practical hurdles are there to something like this working well? Should we expect ring signatures to never catch on, even/especially if preference obscurity gets worse than it is now?
What downsides would there be if it did end up happening?
Relevant wikipedia pages:
- https://en.wikipedia.org/wiki/Ring_signature
- https://en.wikipedia.org/wiki/Spiral_of_silence#Spiral_model
- https://en.wikipedia.org/wiki/Preference_falsification
EDIT: It seems like folks are getting confused about how ring signatures work. The first three paragraphs on wikipedia are informative and should help clarify. At ChristianKI's feedback, I have copied and pasted all three of them. Please read.
In cryptography, a ring signature is a type of digital signature that can be performed by any member of a group of users that each have keys. Therefore, a message signed with a ring signature is endorsed by someone in a particular group of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the group members' keys was used to produce the signature.
...
Suppose that a group of entities each have public/private key pairs, (P1, S1), (P2, S2), ..., (Pn, Sn). Party i can compute a ring signature σ on a message m, on input (m, Si, P1, ..., Pn). Anyone can check the validity of a ring signature given σ, m, and the public keys involved, P1, ..., Pn. If a ring signature is properly computed, it should pass the check. On the other hand, it should be hard for anyone to create a valid ring signature on any message for any group without knowing any of the private keys for that group.
...
In the original paper, Rivest, Shamir, and Tauman described ring signatures as a way to leak a secret. For instance, a ring signature could be used to provide an anonymous signature from "a high-ranking White House official", without revealing which official signed the message. Ring signatures are right for this application because the anonymity of a ring signature cannot be revoked, and because the group for a ring signature can be improvised.
What do you mean when you say you don't want to "join a 'ring' of people" who say controversial stuff? That doesn't line up with the (admittedly weak) understanding of the protocol that I'm getting from wikipedia. Someone just assembles a list of public keys at their leisure, and uses all of them plus their own, to sign a message. The only way to not be implicated is to never have a publicly available key, right?