19.1 copyright
   THE  CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
   1994-09-10, Copyright Timothy C. May. All rights reserved.
   See the detailed disclaimer. Use short sections under "fair
   use" provisions, with appropriate credit, but don't put your
   name on my words.

19.2 - SUMMARY: Appendices
19.2.1. Main Points
19.2.2. Connections to Other Sections
19.2.3. Where to Find Additional Information
19.2.4. Miscellaneous Comments
  - This is still under construction
  - Disorganized!!!
  - URLs need to be checked

19.3 - Appendix -- Sites, Addresses, URL/Web Sites, Etc.
19.3.1. be sure to get soda address straight!!!  [use clones]
  - I received mine from     soda.csua.berkeley.edu
     the menus are:            /pub/cypherpunks/pgp/pgp26
19.3.2. How to use this section
  + comment on URLs being only a snapshot...
    - use reply to Sherry Mayo here
19.3.3. General Crypto and Cypherpunks Sites
  - sci.crypt archive: anon ftp to ftp.wimsey.bc.ca:/pub/crypto
     [Mark Henderson]
  + ftp://soda.berkeley.edu/pub/cypherpunks/Home.html      [has
     probably been changed to soda.csua.edu site]
    - ftp://ftp.u.washington.edu/public/phantom/cpunk/README.ht
  - ftp://furmint.nectar.cs.cmu.edu/security/cypheressay/what-
     is-cypherpunk.html   [Vincent Cate, 1994-07-03]
  - ftp://wiretap.spies.com/Gov/World/usa.con
  - http://www.quadralay.com/www/Crypt/Crypt.html
  - http://cs.indiana.edu/ripem/dir.html
  - misc. article on crypto:
  - ftp.wimsey.bc.ca:/pub/crypto has REDOC III, Loki91, SHS and
     HAVAL (Mark Henderson, markh@vanbc.wimsey.com, 4-17-94,
  + Some misc. ftp sites to check:
    - soda.berkeley.edu
    - ftp.informatik.uni-hamburg.de
    - ripem.msu.edu
    - garbo.uwasa.fi
    - wimsey.bc.ca
    - ghost.dsi.unimi.it
  - http://rsa.com
  - PC Expo disk package to ftp.wimsey.bc.ca [Arsen Ray
     Arachelian, 1994-07-05]
  + PC Expo disk
    - ftp.wimsey.bc.ca
  - "The FTP site ripem.msu.edu has a bunch of crypto stuff."
     [Mark Riordan, 1994-07-08]
  + URL for "Applied Cryptography"-related files
    - http://www.openmarket.com/info/cryptography/applied_crypt
19.3.4. PGP Information and Sites
  + http://www.mantis.co.uk/pgp/pgp.html
    - information on where to find PGP
  + pgpinfo@mantis.co.uk
    - send any mail to this site and receive a list back of PGP
  - PGP info: ftp.netcom.com, in /pub/gbe and in /pub/qwerty
  - more PGP:
  - For non-U.S. sources of PGP: send blank mail to
  + Sherry Mayo, a crypto researcher in Australia, is also
     making versions available:
    - "PGP2.6ui is available (I hope!) on my experimental WWW
       server, aim your browser at
       http://rschp2.anu.edu.au:8080/crypt.html   I am new to
       this WWW thing so let me know if you have any probs
       downloading. Available on the server is:
       PGP2.6ui source for unix machines
       Executable for the PC version of PGP 2.6ui
       Executable for MacPGP 2.3" [Sherry Mayo,
       talk.politics.crypto, 1994-09-06]
19.3.5. Key Servers
  + pgp-public-keys@demon.co.uk
    - HELP in the subject line for more information about how
       to use
  - pgp-public-keys@jpunix.com
  + pgp-public-keys@pgp.iastate.edu
    - ``help'' as the subject, to get a list of keyservers
       [Michael Graff  , alt.security.pgp,
19.3.6. Remailer Sites
  - To show active remailers: finger remailer@soda.berkeley.edu
19.3.7. Mail-to-Usenet gateways:
  + group.name@paris.ics.uci.edu
    - group.name@cs.dal.ca
    - group.name@ug.cs.dal.ca
19.3.8. Government Information
  + California Legislative Information
    - "You are invited to browse the new edition of my list of
       Internet and direct dial sources of California government
       information at URL:
       " [Chris Mays, comp.org.cpsr.talk, 1994-07-01]
  + NSA Information
    - Can get on NSA/NCSC/NIST mailing list by sending to:
  - csrc.nist.gov:/pub/nistpubs
19.3.9. Clipper Info
  + http://www.mantis.co.uk/~mathew/
    - some good Clipper articles and testimony
19.3.10. Other
  + ftp://furmint.nectar.cs.cmu.edu/security/README.html#taxes
    - Vincent Cate
  - http://www.acns.nwu.edu/surfpunk/
  + Export Laws
    - "EFF Board member and Cygnus Support co-founder John
       Gilmore has set up a World Wide Web page on cryptography
       export issues, including information on how to apply for
       export clearance, exchages with Commerce Dept. on export
       licensing, legal documents on networking issues in
       relation to export of technology and crypto, and more.
       The URL is: http://www.cygnus.com/~gnu/export.html"
       [Stanton McCandlish, mech@eff.org, 1994-04-21]
  + Large integer math libraries
    - ripem.msu.edu 
    - ftp:csn.org//mpj 
  + Phrack
    - archived at ftp.netsys.com
  + Bruce Sterling's comments at CFP
    + Bruce Sterling's remarks delivered at the "Computers,
       Freedom and Privacy IV"
      - conference , Mar. 26 1994 in Chicago, are now online at
      - ftp://ftp.eff.org/pub/Publications/Bruce_Sterling/cfp_9
      - http://www.eff.org/pub/Publications/Bruce_Sterling/cfp_
      - gopher://gopher.eff.org/11/Publications/Bruce_Sterling/
      - gopher.eff.org, 1/Publications/Bruce_Sterling,
    - (source: Stanton McCandlish * mech@eff.org, 3-31-94)
19.3.11. Crypto papers
  -  ftp.cs.uow.edu.au
  - (quantum, other, Siberry, etc.)
19.3.12. CPSR URL
  - CPSR URL:  http://www.cpsr.org/home

19.4 - Appendix -- Glossary
19.4.1. **Comments**
  - Release Note: I regret that I haven't had time to add many
     new entries here. There are a lot of specialized terms, and
     I probably could have doubled the number of entries here.
  - Much more work is needed here. In fact, I debated at one
     point making the FAQ instead into a kind of "Encycopedia
     Cypherpunkia," with a mix of short and long articles on
     each of hundreds of topics. Such an organization would
     suffer the disadvantages found in nearly all
     lexicographically-organized works: confusion of the
  - Many of the these entries were compiled for a long handout
     at the first Cypherpunks meeting, September, 1992. Errors
     are obviously present. I'll try to keep correcting them
     when I can.
  - Schneier's "Applied Cryptography" is of course an excellent
     place to browse for terms, special uses, etc.
19.4.2. agoric systems -- open, free market systems in which
   voluntary transactions are central.
19.4.3. Alice and Bob -- crypographic protocols are often made
   clearer by considering parties A and B, or Alice and Bob,
   performing some protocol. Eve the eavesdropper, Paul the
   prover, and Vic the verifier are other common stand-in names.
19.4.4. ANDOS -- all or nothing disclosure of secrets.
19.4.5. anonymous credential -- a credential which asserts some right
   or privelege or fact without revealing the identity of the
   holder.  This is unlike CA driver's licenses.
19.4.6. assymmetric cipher -- same as public key cryptosystem.
19.4.7. authentication -- the process of verifying an identity or
   credential, to ensure you are who you said you were.
19.4.8. biometric security -- a type of authentication using
   fingerprints, retinal scans, palm prints, or other
   physical/biological signatures of an individual.
19.4.9. bit commitment -- e.g., tossing a coin and then committing to
   the value without being able to change the outcome. The blob
   is a cryptographic primitive for this.
19.4.10. BlackNet -- an experimental scheme devised by T. May to
   underscore the nature of anonymous information markets. "Any
   and all" secrets can be offered for sale via anonymous
   mailers and message pools. The experiment was leaked via
   remailer to the Cypherpunks list (not by May) and thence to
   several dozen Usenet groups by Detweiler. The authorities are
   said to be investigating it.
19.4.11. blinding, blinded signatures -- A signature that the signer
   does not remember having made.  A blind signature is always a
   cooperative protocol and the receiver of the signature
   provides the signer with the blinding information.
19.4.12. blob -- the crypto equivalent of a locked box. A
   cryptographic primitive for bit commitment, with the
   properties that a blobs can represent a 0 or a 1, that others
   cannot tell be looking whether it's a 0 or a 1, that the
   creator of the blob can "open" the blob to reveal the
   contents, and that no blob can be both a 1 and a 0. An
   example of this is a flipped coin covered by a hand.
19.4.13. BnD --
19.4.14. Capstone --
19.4.15. channel -- the path over which messages are transmitted.
   Channels may be secure or insecure, and may have
   eavesdroppers (or enemies, or disrupters, etc.) who alter
   messages, insert and delete messages, etc. Cryptography is
   the means by which communications over insecure channels are
19.4.16. chosen plaintext attack -- an attack where the cryptanalyst
   gets to choose the plaintext to be enciphered, e.g., when
   possession of an enciphering machine or algorithm is in the
   possession of the cryptanalyst.
19.4.17. cipher -- a secret form of writing, using substitution or
   transposition of characters or symbols. (From Arabic "sifr,"
   meaning "nothing.")
19.4.18. ciphertext -- the plaintext after it has been encrypted.
19.4.19. Clipper -- the infamous Clipper chip
19.4.20. code -- a restricted cryptosystem where words or letters of a
   message are replaced by other words chosen from a codebook.
   Not part of modern cryptology, but still useful.
19.4.21. coin flippping -- an important crypto primitive, or protocol,
   in which the equivalent of flipping a fair coin is possible.
   Implemented with blobs.
19.4.22. collusion -- wherein several participants cooperate to deduce
   the identity of a sender or receiver, or to break a cipher.
   Most cryptosystems are sensitive to some forms of collusion.
   Much of the work on implementing DC Nets, for example,
   involves ensuring that colluders cannot isolate message
   senders and thereby trace origins and destinations of mail.
19.4.23. COMINT --
19.4.24. computationally secure -- where a cipher cannot be broken
   with available computer resources, but in theory can be
   broken with enough computer resources. Contrast with
   unconditionally  secure.
19.4.25. countermeasure -- something you do to thwart an attacker
19.4.26. credential -- facts or assertions about some entity. For
   example, credit ratings, passports, reputations, tax status,
   insurance records, etc.  Under the current system, these
   credentials are increasingly being cross-linked. Blind
   signatures may be used to create anonymous credentials.
19.4.27. credential clearinghouse  -- banks, credit agencies,
   insurance companies, police departments, etc., that correlate
   records and decide the status of records.
19.4.28. cryptanalysis -- methods for attacking and breaking ciphers
   and related cryptographic systems. Ciphers may be broken,
   traffic may be analyzed, and passwords may be cracked.
   Computers are of course essential.
19.4.29. crypto anarchy -- the economic and political system after the
   deployment of encryption, untraceable e-mail, digital
   pseudonyms, cryptographic voting, and digital cash. A pun on
   "crypto," meaning "hidden," and as when Gore Vidal called
   William F. Buckley a "crypto fascist."
19.4.30. cryptography -- another name for cryptology.
19.4.31. cryptology -- the science and study of writing, sending,
   receiving, and deciphering secret messages. Includes
   authentication, digital signatures, the hiding of messages
   (steganography), cryptanalysis, and several other fields.
19.4.32. cyberspace  -- the electronic domain, the Nets, and computer-
   generated spaces. Some say it is the "consensual reality"
   described in "Neuromancer." Others say it is the phone
   system. Others have work to do.
19.4.33. DC protocol, or DC-Net -- the dining cryptographers protocol.
   DC-Nets use multiple participants communicating with the DC
19.4.34. DES -- the Data Encryption Standard, proposed in 1977 by the
   National Bureau of Standards (now NIST), with assistance from
   the National Security Agency. Based on the "Lucifer" cipher
   developed by Horst Feistel at IBM, DES is a secret key
   cryptosystem that cycles 64-bit blocks of data through
   multiple permutations with a 56-bit key controlling the
   routing. "Diffusion" and "confusion" are combined to form a
   cipher that has not yet been cryptanalyzed (see "DES,
   Security of"). DES is in use for interbank transfers, as a
   cipher inside of several RSA-based systems, and is available
   for PCs.
19.4.35. DES, Security of  -- many have speculated that the NSA placed
   a trapdoor (or backdoor) in DES to allow it to read DES-
   encrypted messages. This has not been proved. It is known
   that the original Lucifer algorithm used a 128-bit key and
   that this key length was shortened to 64 bits (56 bits plus 8
   parity bits), ths making exhaustive search much easier (so
   far as is known, brute-force search has not been done, though
   it should be feasible today). Shamir and Bihan have used a
   technique called "differential cryptanalysis" to reduce the
   exhaustive search needed for chosen plaintext attacks (but
   with no import for ordinary DES).
19.4.36. differential cryptanalysis -- the Shamir-Biham technique for
   cryptanalyzing DES. With a chosen plaintext attack, they've
   reduced the number of DES keys that must be tried from about
   2^56 to about 2^47 or less. Note, however, that rarely can an
   attacker mount a chosen plaintext attack on DES systems.
19.4.37. digital cash, digital money -- Protocols for transferring
   value, monetary or otherwise, electronically.  Digital cash
   usually refers to systems that are anonymous. Digital money
   systems can be used to implement any quantity that is
   conserved, such as points, mass, dollars, etc.  There are
   many variations of  digital money systems, ranging from VISA
   numbers to blinded signed digital coins.  A topic too large
   for a single glossary entry.
19.4.38. digital pseudonym -- basically, a "crypto identity." A way
   for individuals to set up accounts with various organizations
   without revealing more information than they wish. Users may
   have several digital pseudonyms, some used only once, some
   used over the course of many years. Ideally, the pseudonyms
   can be linked only at the will of the holder. In the simplest
   form, a public key can serve as a digital pseudonym and need
   not be linked to a physical identity.
19.4.39. digital signature --  Analogous to a written signature on a
   document. A modification to a message that only the signer
   can make but that everyone can recognize.  Can  be used
   legally to contract at a distance.
19.4.40. digital timestamping -- one function of a digital notary
   public, in which some message (a song, screenplay, lab
   notebook, contract, etc.) is stamped with a time that cannot
   (easily) be forged.
19.4.41. dining cryptographers protocol (aka DC protocol, DC nets) --
   the untraceable message sending system invented by David
   Chaum. Named after the "dining philosophers" problem in
   computer science, participants form circuits and pass
   messages in such a way that the origin cannot be deduced,
   barring collusion. At the simplest level, two participants
   share a key between them. One of them sends some actual
   message by bitwise exclusive-ORing the message with the key,
   while the other one just sends the key itself. The actual
   message from this pair of participants is obtained by XORing
   the two outputs. However, since nobody but the pair knows the
   original key, the actual message cannot be traced to either
   one of the participants.
19.4.42. discrete logarithm problem -- given integers a, n, and x,
   find some integer m such that a^m mod n = x, if m exists.
   Modular exponentiation, the a^m mod n part, is
   straightforward (and special purpose chips are available),
   but the inverse problem is believed to be very hard, in
   general.  Thus it is conjectured that modular exponentiation
   is a one-way function.
19.4.43. DSS, Digital Signature Standard -- the latest NIST (National
   Institute of Standards and Technology, successor to NBS)
   standard for digital signatures. Based on the El Gamal
   cipher, some consider it weak and poor substitute for RSA-
   based signature schemes.
19.4.44. eavesdropping, or passive wiretapping -- intercepting
   messages without detection. Radio waves may be intercepted,
   phone lines may be tapped, and computers may have RF
   emissions detected. Even fiber optic lines can be tapped.
19.4.45. Escrowed Encryption Standard (EES) -- current name for the
   key escrow system known variously as Clipper, Capstone,
   Skipjack, etc.
19.4.46. factoring -- Some large numbers are difficult to factor. It
   is conjectured that there are no feasible--i.e."easy," less
   than exponential in size of number-- factoring methods. It is
   also an open problem whether RSA may be broken more easily
   than by factoring the modulus (e.g., the public key might
   reveal information which simplifies the problem).
   Interestingly, though factoring is believed to be "hard", it
   is not known to be in the class of NP-hard problems.
   Professor Janek invented a factoring device, but he is
   believed to be fictional.
19.4.47. HUMINT --
19.4.48. information-theoretic security -- "unbreakable" security, in
   which no amount of cryptanalysis can break a cipher or
   system. One time pads are an example (providing the pads are
   not lost nor stolen nor used more than once, of course). Same
   as unconditionally secure.
19.4.49. key -- a piece of information needed to encipher or decipher
   a message. Keys may be stolen, bought, lost, etc., just as
   with physical keys.
19.4.50. key exchange, or key distribution -- the process of sharing a
   key with some other party, in the case of symmetric ciphers,
   or of distributing a  public key in an asymmetric cipher. A
   major issue is that the keys be exchanged reliably and
   without compromise. Diffie and Hellman devised one such
   scheme, based on the discrete logarithm problem.
19.4.51. known-plaintext attack -- a cryptanalysis of a cipher where
   plaintext-ciphertext pairs are known. This attack searches
   for an unknown key. Contrast with the chosen plaintext
   attack, where the cryptanalyst can also choose the plaintext
   to be enciphered.
19.4.52. listening posts -- the NSA and other intelligence agencies
   maintain sites for the interception of radio, telephone, and
   satellite communications. And so on. Many sites have been
   identified (cf.  Bamford), and many more sites are suspected.
19.4.53. mail, untraceable  -- a system for sending and receiving mail
   without traceability or observability. Receiving mail
   anonymously can be done with broadcast of the mail in
   encrypted form.  Only the intended recipient (whose identity,
   or true name, may be unknown to the sender) may able to
   decipher the message. Sending mail anonymously apparently
   requires mixes or use of the dining cryptographers (DC)
19.4.54. Message Pool
19.4.55. minimum disclosure proofs  -- another name for zero knowledge
   proofs, favored by Chaum.
19.4.56. mixes -- David Chaum's term for a box which performs the
   function of mixing, or decorrelating, incoming and outgoing
   electronic mail messages. The box also strips off the outer
   envelope (i.e., decrypts with its private key) and remails
   the message to the address on the inner envelope. Tamper-
   resistant modules may be used to prevent cheating and forced
   disclosure of the mapping between incoming and outgoing mail.
   A sequence of many remailings effectively makes tracing
   sending and receiving impossible. Contrast this with the
   software version, the DC protocol. The "remailers" developed
   by Cypherpunks are an approximation of a Chaumian mix.
19.4.57. modular exponentiation  -- raising an integer to the power of
   another integer, modulo some integer. For integers a, n, and
   m, a^m mod n. For example, 5^3 mod 100 = 25. Modular
   exponentiation can be done fairly quickly with a sequence of
   bit shifts and adds, and special purpose chips have been
   designed. See also discrete logarithm.
19.4.58. National Security Agency (NSA)  -- the largest intelligence
   agency, responsible for making and breaking ciphers, for
   intercepting communications, and for ensuring the security of
   U.S. computers. Headquartered in Fort Meade, Maryland, with
   many listening posts around the world.  The NSA funds
   cryptographic research and advises other agencies about
   cryptographic matters. The NSA once obviously had the world's
   leading cryptologists, but this may no longer be the case.
19.4.59. negative credential -- a credential that you possess that you
   don't want any one else to know, for example, a bankruptcy
   filing.  A formal version of a negative reputation.
19.4.60. NP-complete -- a large class of difficult problems.  "NP"
   stands for nondeterministic polynomial time, a class of
   problems thought in general not to have feasible algorithms
   for their solution.  A problem is "complete"  if  any other
   NP problem may be reduced to that problem.   Many important
   combinatorial and algebraic problems are NP-complete: the
   travelling salesman problem, the Hamiltonian cycle problem,
   the graph isomorphism problem, the word problem, and on and
19.4.61. oblivious transfer -- a cryptographic primitive that involves
   the probablistic transmission of bits. The sender does not
   know if the bits were received.
19.4.62. one-time pad -- a string of randomly-selected bits or symbols
   which is combined with a plaintext message to produce the
   ciphertext. This combination may be shifting letters some
   amount, bitwise exclusive-ORed, etc.). The recipient, who
   also has a copy of the one time pad, can easily recover the
   plaintext. Provided the pad is only used once and then
   destroyed, and is not available to an eavesdropper, the
   system is perfectly secure, i.e., it is information-
   theoretically secure. Key distribution (the pad)  is
   obviously a practical concern, but consider CD-ROM's.
19.4.63. one-way function -- a function which is easy to compute in
   one direction but hard to find any inverse for, e.g. modular
   exponentiation, where the inverse problem is known as the
   discrete logarithm problem. Compare the special case of trap
   door one-way functions.  An example of  a one-way operation
   is multiplication: it is  easy to multiply two prime numbers
   of 100 digits to produce a 200-digit number, but  hard to
   factor that 200-digit number.
19.4.64. P ?=? NP  -- Certainly the most  important unsolved problem
   in complexity theory. If P = NP, then cryptography as we know
   it today does not exist.  If P = NP,  all NP problems are
19.4.65. padding -- sending extra messages to confuse eavesdroppers
   and to defeat traffic analysis.   Also adding random bits to
   a message to be enciphered.
19.4.66. PGP
19.4.67. plaintext -- also called cleartext, the text that is to be
19.4.68. Pool
19.4.69. Pretty Good Privacy (PGP)  -- Phillip Zimmerman's
   implementation of RSA, recently upgraded to version 2.0, with
   more robust components and several new features. RSA Data
   Security has threatened PZ so he no longer works on it.
   Version 2.0 was written by a consortium of non-U.S. hackers.
19.4.70. prime numbers -- integers with no factors other than
   themselves and 1. The number of primes is unbounded.  About
   1% of the 100 decimal digit numbers are prime.  Since there
   are about 10^70 particles in the universe, there are about
   10^23  100 digit primes for each and every particle in the
19.4.71. probabalistic encryption  -- a scheme by Goldwasser, Micali,
   and Blum that allows multiple ciphertexts for the same
   plaintext, i.e., any given plaintext may have many
   ciphertexts if the ciphering is repeated. This protects
   against certain types of known ciphertext attacks on RSA.
19.4.72. proofs of identity -- proving who you are, either your true
   name, or your digital identity. Generally, possession of the
   right key is sufficient proof (guard your key!). Some work
   has been done on "is-a-person" credentialling agencies, using
   the so-called Fiat-Shamir protocol...think of this as a way
   to issue unforgeable digital passports. Physical proof of
   identity may be done with biometric security methods. Zero
   knowledge proofs of identity reveal nothing beyond the fact
   that the identity is as claimed. This has obvious uses for
   computer access, passwords, etc.
19.4.73. protocol -- a formal procedure for solving some problem.
   Modern cryptology is mostly about the study of protocols for
   many problems, such as coin-flipping, bit commitment (blobs),
   zero knowledge proofs, dining cryptographers, and so on.
19.4.74. public key -- the key distributed publicly to potential
   message-senders. It may be published in a phonebook-like
   directory or otherwise sent. A major concern is the validity
   of this public key to guard against spoofing or
19.4.75. public key cryptosystem -- the modern breakthrough in
   cryptology, designed by Diffie and Hellman, with
   contributions from several others. Uses trap door one-way
   functions so that encryption may be done by anyone with
   access to the "public key" but decryption may be done only by
   the holder of the "private key." Encompasses public key
   encryption, digital signatures, digital cash, and many other
   protocols and applications.
19.4.76. public key encryption -- the use of modern cryptologic
   methods to provided message security and authentication. The
   RSA algorithm is the most widely used form of public key
   encryption, although other systems exist. A public key may be
   freely published, e.g., in phonebook-like directories, while
   the corresponding private key is closely guarded.
19.4.77. public key patents  -- M.I.T. and Stanford, due to the work
   of Rivest, Shamir, Adleman, Diffie, Hellman, and Merkle,
   formed Public Key Partners to license the various public key,
   digital signature, and RSA patents. These patents, granted in
   the early 1980s, expire in the between 1998 and 2002. PKP has
   licensed RSA Data Security Inc., of Redwood City, CA, which
   handles the sales, etc.
19.4.78. quantum cryptography -- a system based on quantum-mechanical
   principles. Eavesdroppers alter the quantum state of the
   system and so are detected. Developed by Brassard and
   Bennett, only small laboratory demonstrations have been made.
19.4.79. remailers -- software versions of Chaum's "mixes," for the
   sending of untraceable mail. Various features are needed to
   do this: randomized order of resending, encryption at each
   stage (picked in advance by the sender, knowing the chain of
   remailers), padding of message sizes. The first remailer was
   written by E. Hughes in perl, and about a dozen or so are
   active now, with varying feature sets.
19.4.80. reputations -- the trail of positive and negative
   associations and judgments that some entity accrues. Credit
   ratings, academic credentials, and trustworthiness are all
   examples. A digital pseudonym will accrue these reputation
   credentials based on actions, opinions of others, etc. In
   crypto anarchy, reputations and agoric systems will be of
   paramount importance. There are many fascinating issues of
   how reputation-based systems work, how credentials can be
   bought and sold, and so forth.
19.4.81. RSA -- the main public key encryption algorithm, developed by
   Ron Rivest, Adi Shamir, and Kenneth Adleman. It exploits the
   difficulty of factoring large numbers to create a private key
   and public key. First invented in 1978, it remains the core
   of modern public key systems. It is usually much slower than
   DES, but special-purpose modular exponentiation chips will
   likely speed it up. A popular scheme for speed is to use RSA
   to transmit session keys and then a high-speed cipher like
   DES for the actual message text.
  - Description -- Let p and q be large primes, typically with
     more than 100 digits. Let n = pq and find some e such that
     e is relatively prime to (p - 1)(q - 1). The set of numbers
     p, q, and e is the private key for RSA. The set of numbers
     n and e forms the public key (recall that knowing n is not
     sufficient to easily find p and q...the factoring problem).
     A message M is encrypted by computing M^e mod n. The owner
     of the private key can decrypt the encrypted message by
     exploiting number theory results, as follows. An integer d
     is computed such that ed =1 (mod (p - 1)(q - 1)). Euler
     proved a theorem that M^(ed) = M mod n and so M^(ed) mod n
     = M. This means that in some sense the integers e and d are
     "inverses" of each other. [If this is unclear, please see
     one of the many texts and articles on public key
19.4.82. secret key cryptosystem -- A system which uses the same key
   to encrypt and decrypt traffic at each end of a communication
   link.  Also called a symmetric or one-key system.  Contrast
   with public key cryptosystem.
19.4.83. SIGINT --
19.4.84. smart cards -- a computer chip embedded in credit card.  They
   can hold cash, credentials, cryptographic keys, etc. Usually
   these are built with some degree of tamper-resistance. Smart
   cards may perform part of a crypto transaction, or all of it.
   Performing part of it may mean checking the computations of a
   more powerful computer, e.g., one in an ATM.
19.4.85. spoofing, or masquerading -- posing as another user. Used for
   stealing passwords, modifying files, and  stealing cash.
   Digital signatures and other authentication methods are
   useful to prevent this. Public keys must be validated and
   protected to ensure that others don't subsititute their own
   public keys which users may then unwittingly use.
19.4.86. steganography -- a part of cryptology dealing with hiding
   messages and obscuring who is sending and receiving messages.
   Message traffic is often padded to reduce the signals that
   would otherwise come from a sudden beginning of messages.
   "Covered writing."
19.4.87. symmetric cipher -- same as private key cryptosystem.
19.4.88. tamper-responding modules, tamper-resistant modules (TRMs) --
   sealed boxes or modules which are hard to open, requiring
   extensive probing and usually leaving ample evidence that the
   tampering has occurred. Various protective techniques are
   used, such as special metal or oxide layers on chips, armored
   coatings, embedded optical fibers, and other measures to
   thwart analysis. Popularly called "tamper-proof boxes." Uses
   include: smart cards, nuclear weapon initiators,
   cryptographic key holders, ATMs, etc.
19.4.89. tampering, or active wiretapping -- intefering with messages
   and possibly modifying them. This may compromise data
   security, help to break ciphers, etc.  See also spoofing.
19.4.90. Tessera
19.4.91. token -- some representation, such as ID cards, subway
   tokens, money, etc., that indicates possession of some
   property or value.
19.4.92. traffic analysis -- determining who is sending or receiving
   messages by analyzing packets, frequency of packets, etc. A
   part of steganography. Usually handled with traffic padding.
19.4.93. traffic analysis -- identifying characteristics of a message
   (such as sender, or destination) by watching traffic.
   Remailers and encryption help to foil traffic analysys.
19.4.94. transmission rules -- the protocols for determining who can
   send messages in a DC protocol, and when. These rules are
   needed to prevent collision and deliberate jamming of the
19.4.95. trap messages -- dummy messages in DC Nets which are used to
   catch jammers and disrupters. The messages contain no private
   information and are published in a blob beforehand so that
   the trap message can later be opened to reveal the disrupter.
   (There are many strategies to explore here.)
19.4.96. trap-door -- In cryptography, a piece of secret information
   that allows the holder of a private key to invert a normally
   hard to invert function.
19.4.97. trap-door one way functions -- functions which are easy to
   compute in both the forward and reverse direction but for
   which the disclosure of an algorithm to compute the function
   in the forward direction does not provide information on how
   to compute the function in the reverse direction. More simply
   put, trap-door one way functions are one way for all but the
   holder of the secret information. The RSA algorithm is the
   best-known example of such a function.
19.4.98. unconditional security -- same as information-theoretic
   security, that is, unbreakable except by loss or theft of the
19.4.99. unconditionally  secure -- where no amount of intercepted
   ciphertext is enough to allow the cipher to be broken, as
   with the use of a one-time pad cipher. Contrast with
   computationally secure.
19.4.100. URLs
19.4.101. voting, cryptographic -- Various schemes have been devised
   for anonymous, untraceable voting. Voting schemes should have
   several properties: privacy of the vote, security of the vote
   (no multiple votes), robustness against disruption by jammers
   or disrupters, verifiability (voter has confidence in the
   results), and efficiency.
19.4.102. Whistleblowers
19.4.103. zero knowledge proofs -- proofs in which no knowledge of the
   actual proof is conveyed. Peggy the Prover demonstrates to
   Sid the Skeptic that she is indeed in possession of some
   piece of knowledge without actually revealing any of that
   knowledge. This is useful for access to computers, because
   eavesdroppers or dishonest sysops cannot steal the knowledge
   given. Also called minimum disclosure proofs. Useful for
   proving possession of some property, or credential, such as
   age or voting status, without revealing personal information.

19.5 - Appendix -- Summary of Crypto Versions
19.5.1. DOS and Windows
  - SecureDevice
  + SecureDrive
    - "Secdrv13d is the latest version.  There was an unupdated
       .exe file in the package that had to be fixed.  From the
       readme file: If you found this file inside FPART13D.ZIP,
       this is an update and bug fix for the FPART utility of
       SecureDrive Release 1.3d,
    - Edgar Swank involved?
  + SecureDevice
    - Major Versions:
    - Functions:
    - Principal Authors:
    - Major Platforms:
    + Where to Find:
      - ftp://ftp.csn.org/mpj/I_will_not_export/crypto_???????/
         See ftp://ftp.csn.org/mpj/README.MPJ for the ???????
    - Strengths:
    - Weaknesses:
    + Notes:
      - By the way, I'm not the only one who gets SecureDrive
         and SecureDevice confused. Watch out for this.
  + SFS
    - "A MS-DOS-based package for hard disk encryption. It is
       implemented as a device driver and encrypts a whole
       partition (i.e., not a file or a directory). It uses the
       MDC/SHA cipher. ... It is available from Grabo
       (garbo.uwasa.fi:/pc/crypt/sfs110.zip, I think), and also
       from our ftp site: ftp.informatik.uni-
       hamburg.de:/pub/virus/crypt/disk/sfs110.zip    I would
       recommend the Garbo site, because ours is a bit slow."
       [Vesselin Bontchev, alt.security.pgp, 1994-09-05]
    - Compared to SecureDrive, users report it to be faster,
       better-featured, has a Windows interface, is a device
       driver, and is robust. The disadvantages are that it
       currently does not ship with source code and uses a more
       obscure cipher.
    - "SFS (Secure FileSystem) is a set of programs which
       create and manage a number of encrypted disk volumes, and
       runs under both DOS and Windows.  Each volume appears as
       a normal DOS drive, but all data stored on it is encryped
       at the individual-sector level....SFS 1.1 is a
       maintenance release which fixes a few minor problems in
       1.0, and adds a number of features suggested by users.
       More details on changes are given in in the README file."
       [Peter Gutmann, sci.crypt, 1994-08-25]
    - "from garbo.uwasa.fi and all its mirror sites worldwide
       as  /pc/crypt/sfs110.zip."
  + WinCrypt.
    - "WinCrypt is pretty good IF you keep your encrypted text
       to less than the length of your password, AND IF you
       generate your password randomly, AND IF you only use each
       password ONCE.  :-)" [Michael Paul Johnson,  sci.crypt,
  + Win PGP
    + there seem to be two identically-named programs:
      - WinPGP, by Christopher w. Geib
      + WinPGP, by Timothy M. Janke and Geoffrey C. Grabow
        - ftp WinPGP 1.0 from
      - Until this is clarified...
  + PGPShell
    - "PGPShell v3.2 has been released and is available at
       these sites: (U.S.)
       [still@rintintin.Colorado.EDU (Johannes Kepler), 1994-07-
  + PGS
    - ftp.informatik.uni-
    - "I just uploaded the bug fix of PGS (v0.99b) on some FTP-
          (Just uploaded it, should be on in a few days)
        oak.oakland.edu:/SimTel/msdos/security/pgs099b.zip (Just
       uploaded it, should be on in a few days)
       [Eelco Cramer , 1994-06-27]
  + DOS disk encryption utilities
    + Several free or nearly free utilities are available:
      - ftp.informatik.uni-hamburg.de:/pub/virus/crypt/disk/
         [Vesselin Vladimirov Bontchev, as of 1994-08]
    + Norton's "Diskreet" is weak and essentially useless
      - uses DES in weak (ECB) mode...is probably the "snake
         oil" that Zimmermann writes about in his docs. SFS docs
         say it is even worse than that.
  + PGS
    - "PGS v0.99c is out there!
       This new version of PGS supports 8 bytes keyid's.
       This version will be able to run in a OS/2 DOS box.
       PGS v0.99c is available on the following site:
       [ER CRAMER , 1994-07-08]
  + Program:
    - Major Versions:
    - Functions:
    - Principal Authors:
    - Major Platforms:
    - Where to Find:
    - Strengths:
    - Weaknesses:
    - Notes:
19.5.2. OS/2
19.5.3. Amiga
  + Program: PGPAmiga, Amiga PGP
    + Major Versions:  2.3a.4, PGP 2.6
      - "The Amiga equivalent of PGP 2.6ui is called PGP
         2.3a.3" [unknown commenter]
    - Functions:
    - Principal Authors:
    - Major Platforms:
    - Where to Find:
    - Strengths:
    - Weaknesses:
    - Notes: Situation is confusing. 2.3a.3 is not equivalent
       to PGP 2.6ui.
19.5.4. Unix
  - NeXTStep
  - Sun 4.3
  - Solaris
  - HP
  - SGI
  + swIPe
    - Metzger: It was John Ioannidis' swIPe package, and it was
       not merely announced
       but released. Phil has done a similar package for KA9Q
       and was one of
19.5.5. SFS ?
  - "A MS-DOS-based package for hard disk encryption. It is
     implemented as a device driver and encrypts a whole
     partition (i.e., not a file or a directory). It uses the
     MDC/SHA cipher. ... It is available from Grabo
     (garbo.uwasa.fi:/pc/crypt/sfs110.zip, I think), and also
     from our ftp site: ftp.informatik.uni-
     hamburg.de:/pub/virus/crypt/disk/sfs110.zip    I would
     recommend the Garbo site, because ours is a bit slow."
     [Vesselin Bontchev, alt.security.pgp, 1994-09-05]
19.5.6. Macintosh
  + more on MacPGP
    - From: phinely@uhunix.uhcc.Hawaii.Edu (Peter Hinely)
       Subject: Re: MacPGP 2.6ui doesn't actually work
       Sender: news@news.Hawaii.Edu
       Organization: University of Hawaii
       Date: Wed, 6 Jul 1994 04:17:15 GMT
       Lines: 9
       In article 
       mathew@stallman.mantis.co.uk (mathew at home) writes:
       >Well, I downloaded the rumoured MacPGP 2.6ui, but sadly
       it bombs out
       >immediately with an address error when I try to run it.
       MacPGP 2.6ui works on my Quadra 605.
       The MacBinary process cannot handle pathnames >63
       characters, but as long
       an you encrypt files on the desktop, it's not too much of
       a problem.
    - From: warlord@MIT.EDU (Derek Atkins)
       Newsgroups: alt.security.pgp
       Subject: Re: When will there be a bug fix for MacPGP?
       Followup-To: alt.security.pgp
       Date: 6 Jul 1994 10:19:13 GMT
       Organization: Massachusetts Institute of Technology
       Lines: 19
       NNTP-Posting-Host: toxicwaste.media.mit.edu
       In-reply-to: AWILSON@DRUNIVAC.DREW.EDU's message of 2 Jul
       1994 12:25:14 GMT
       In article 
          When will there be a bug fix for MacPGP (1.1.1)?  I am
       not complaining, I
          know that the software is free.  I just want to start
       utilizing it for
          communications at the earliest possible time.
       There are still a number of outstanding bugs that need to
       fixed, but the hope is to make a bugfix release in the
       future.  I don't know when that is going to be, but
       it will be Real Soon Now (TM).
    - Date: Wed, 6 Jul 1994 10:42:08 -0700
       From: tcmay (Timothy C. May)
       To: tcmay
       Subject: (fwd) Re: What is the difference between 2.6 &
       Newsgroups: alt.security.pgp
       Organization: NETCOM On-line Communication Services (408
       261-4700 guest)
       Status: O
       Xref: netcom.com alt.security.pgp:16979
       Path: netcom.com!netcomsv!decwrl!lll-
       From: iwj10@cus.cam.ac.uk (Ian Jackson)
       Newsgroups: alt.security.pgp
       Subject: Re: What is the difference between 2.6 & 2.6ui?
       Date: Wed, 6 Jul 1994 10:14:24 GMT
       Organization: Linux Unlimited
       Lines: 55
       NNTP-Posting-Host: bootes.cus.cam.ac.uk
       Summary: Use 2.6ui :-).
       Originator: iwj10@bootes.cus.cam.ac.uk
       In article ,
       Stainless Steel Rat  wrote:
       >Ed Dantes  writes [quoting
       normalised - iwj]:
       >> subject line says it all.
       >PGP 2.6 is distributed from MIT and is legally available
       to US and Canadian
       >residents. It uses the RSAREF library. It has code that
       will prevent
       >interoperation with earlier versions of PGP.
       >PGP 2.6ui is a modified version of PGP 2.3a which
       functions almost
       >identically to MIT PGP 2.6, without the "cripple code"
       of MIT PGP 2.6. It
       >is legally available outside the US and Canada only.
       This is false.  PGP 2.6ui is available to US and Canadian
       It is definitely legal for such people to download PGP
       2.6ui and study
       However, RSADSI claim that *using* PGP 2.6ui in the US
       and Canada
       violates their patents on the RSA algorithm and on public
       cryptography in general.  Other people (like myself)
       believe that
       these patents wouldn't stand up if tested in court, and
       that in any
       case the damages recoverable would be zero.
       You might also like to know that the output formats
       generated by 2.6ui
       and MIT-2.6 are identical, so that if you choose to use
       2.6ui in North
       America noone will be able to tell the difference anyway.
       Unfortunately these patent problems have caused many
       North American
       FTP sites to stop carrying 2.3a and 2.6ui, for fear of
       contributory infringement.
       If you would like to examine PGP 2.3a or 2.6ui, they are
       available on
       many FTP sites.  Try
       for starters.  Look out for the regular postings here in
       alt.security.pgp for other sites.
       -----BEGIN PGP SIGNATURE-----
       Version: 2.6
       -----END PGP SIGNATURE-----
       Ian Jackson, at home   or
       +44 223 575512    Escoerea on IRC.
       2 Lexington Close, Cambridge, CB4 3LS, England.   Urgent:
       Timothy C. May         | Crypto Anarchy: encryption,
       digital money,
       tcmay@netcom.com       | anonymous networks, digital
       pseudonyms, zero
       408-688-5409           | knowledge, reputations,
       information markets,
       W.A.S.T.E.: Aptos, CA  | black markets, collapse of
       Higher Power: 2^859433 | Public Key: PGP and MailSafe
       "National borders are just speed bumps on the information
  + CurveEncrypt, for Mac
    - "Curve Encrypt 1.1, IDEA encryption for the Macintosh is
       now available.....Curve Encrypt is a freeware drag-and-
       drop encryption application for the Macintosh. It uses
       IDEA cipher-feedback mode with a 255 character pass
       phrase, encrypts both the data and resource forks of
       files, and will encrypt the contents of a folder or
       volume in a single operation. Source code is provided,
       natch. CE is System 7 only....(Note that this program has
       nothing whatsoever to do with elliptic curve
       encryption methods, just so nobody gets confused...)" [
       "W. Kinney" , 1994-07-08]
    - "Ftp Sites:
       This is an export controlled ftp site: read
       pub/crypt/GETTING_ACCESS for
       csn.org is also export-controlled: read /mpj/README for
       the characters
       to replace ???????."  [ "W. Kinney"
       , 1994-07-08]
  + RIPEM on Macintosh
    - Carl Ellison says "I've only used RIPEM on AOL -- but it
       should be the same....I run on a Mac, generating the
       armored file, and then use AOL's "paste from file" option
       in the File menu to include the encrypted file in the
       body of my message.....In the other direction, I have to
       use Select All and Copy to get it out of AOL mail, Paste
       to get it into an editor.  From there I can file it and
       give that file to PGP or RIPEM.....BBEDIT on the Mac has
       good support for RIPEM.  I wish I knew how to write
       BBEDIT extensions for Mac PGP as well." [C.E., 1994-07-
  + URL for Stego (Macintosh)
    - http://www.nitv.net/~mech/Romana/stego.html
19.5.7. Newton
19.5.8. Atari
19.5.9. VMS
19.5.10. IBM VM/etc.
19.5.11. Miscellaneous
19.5.12. File-splitting utilities
  + Several exist.
    - XSPLIT
    - cryptosplit, Ray Cromwell
    - shade

19.6 - Appendix -- References
19.6.1. the importance of libraries
  - "Use a library.  That's a place with lots of paper
     periodicals and paper books.  Library materials not online,
     mostly, but it is still where most of the world's encoded
     knowledge is stored.  If you don't   like paper, tough.
     That's the way the world is right now." [Eric Hughes, 1994-
19.6.2. Books
  - Bamford, James, "The Puzzle Palace," 1982. The seminal
     reference on the NSA.
  - N. Koblitz, "A course in number theory and cryptography",
     QA3.G7NO.114. Very technical, with an emphasis on elliptic
  + D. Welsh, "Codes and Cryptography", Oxford Science
     Publications, 1988,         Eric Hughes especially
     recommends this.
    - Z103.W461988
  - D.E. Denning, "Cryptography and Data Security", 1982,
     Addison-Wesley, 1982,   QA76.9.A25D46. A classic, if a bit
     dated, introduction by the woman who later became the chief
     supporter of Clipper.
  + G. Brassard, "Modern Cryptology: a tutorial", Lecture Notes
     in Computer
    - Science 325, Springer 1988, QA76.L4V.325 A slim little
       book that's a gem. Sections by David Chaum.
  - Vinge, V., "True Names," 1981. A novel about digital
     pseudonyms and cyberspace.
  - Card, Orson Scott, "Ender's Game," 1985-6. Novel about kids
     who adopt digital pseudonyms for political debate.
  - G.J. Simmons,"Contemporary Cryptology", IEEE Press, 1992,
     QA76.9.A25C6678. A collection of articles by well-known
     experts. Surprisingly, no discussion of digital money. Gus
     Simmons designed "Permissive Action Links" for nukes, at
19.6.3. sci.crypt
  - archived at ripem.msu.edu and rpub.cl.msu.edu
  + The cryptography anon ftp archive at
    - has been moved to ftp.wimsey.bc.ca
19.6.4. cryptography-faq
  - in about 10 parts, put out by Crypt Cabal (several
     Cypherpunks on it)
  - rtfm.mit.edu, in /pub/usenet/news.answers/cryptography-
  + posted every 21 days to sci.crypt, talk.politics.crypto,
    - sci.answers, news.answers
19.6.5. RSA FAQ
  - Paul Fahn, RSA Laboratories
  - anonymous FTP to rsa.com:/pub/faq
  - rtfm.mit.edu, /pub/usenet/news.answers/cryptography-faq/rsa
19.6.6. Computers, Freedom and Privacy Conference
  - next Computers, Freedom and Privacy Conference will be
     March 1995, San Francisco
19.6.7. Various computer security papers, publications, and programs
   can be found at cert.org.
  - anonymous ftp to it and look in /pub. /pub/info even has
     the NSA "Orange Book." (Not a secret, obviously. Anyone can
     get on the NSA/NCSC's mailing list and get a huge pile of
     documents sent to them, with new ones arriving every
     several weeks.)
  - or try ftp.win.tue.nl   /pub/security
19.6.8. Clipper information by Internet
  - ftp.cpsr.org
  - ftp.eff.org

19.7 - Glossary Items
19.7.1. message pools --
19.7.2. pools -- see "message pools."
19.7.3. cover traffic --
19.7.4. padding -- see "message padding."
19.7.5. message padding --
19.7.6. latency --
19.7.7. BlackNet -- an experiment in information markets, using
   anonymous message pools for exchange of instructions and
   items. Tim May's experiment in guerilla ontology.
19.7.8. ILF -- Information Liberation Front. Distributes copyrighted
   material via remailers, anonymously. Another experiment in
   guerilla ontology.
19.7.9. digital mix --
19.7.10. FinCEN -- Financial Crimes Enforcement Network.
19.7.11. true name -- one's actual, physical name. Taken from Vernor
   Vinge's novel of the same name.
19.7.12. mix --
19.7.13. TEMPEST --
19.7.14. OTP --
19.7.15. Vernam cipher --
19.7.16. detweiler -- verb, to rant and rave about tentacles that are
   destroying one's sanity through crypto anarchist thought
   control. Named after L. Detweiler. "He's just detweilering."
19.7.17. remailer --
19.7.18. Stego --
19.7.19. incipits -- message indicators or tags (relates to stego)
19.7.20. duress code -- a second key which can decrypt a message to
   something harmless. Could be useful for bank cards, as well
   as for avoiding incrimination. A form of security through
   obscurity, and not widely used.

19.8 - A comment on software versions, ftp sites, instructions, etc.
19.8.1. I regret that I can't be complete in all versions, platforms
   supported, sites for obtaining, instructions,
   incompatibilities, etc. Frankly, I'm drowning in reports of
   new versions, questions about use, etc. Most of these
   versions I have no direct knowledge of, have no experience
   with, and no appreciation of subtle incompatibilites
19.8.2. There are others who have concentrated on providing up-to-
   date reports on what is available. Some of them are"
  - site
19.8.3. Reading sci.crypt, alt.security.pgp, and related groups for a
   few weeks and looking for programs of interest to one's own
   situation should give the most recent and current results.
   Things are moving quickly, so if one is interested in
   "AmigaPGP," for example, then the right place to look for the
   latest versions is in the groups just mentioned, or in groups
   and ftp sites specific to the Amiga. (Be careful that
   sabotaged or spoofed versions are not used, as in all crypto.
   "Joe's AmigaPGP" might need a closer look.)