5.1 copyright
   THE  CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
   1994-09-10, Copyright Timothy C. May. All rights reserved.
   See the detailed disclaimer. Use short sections under "fair
   use" provisions, with appropriate credit, but don't put your
   name on my words.

5.2 - SUMMARY: Cryptology
 5.2.1. Main Points
  - gaps still exist here...I treated this as fairly low
     priority, given the wealth of material on cryptography
 5.2.2. Connections to Other Sections
  - detailed crypto knowledge is not needed to understand many
     of the implications, but it helps to know the basics (it
     heads off many of the most wrong-headed interpretations)
  - in particular, everyone should learn enough to at least
     vaguely understand how "blinding" works
 5.2.3. Where to Find Additional Information
  + a dozen or so major books
    - Schneier, "Applied Cryptography"--is practically
       "required reading"
    - Denning
    - Brassard
    - Simmons
    - Welsh, Dominic
    - Salomaa
    - "CRYPTO" Proceedings
    - Other books I can take or leave
  - many ftp sites, detailed in various places in this doc
  - sci.crypt, alt.privacy.pgp, etc.
  - sci.crypt.research is a new group, and is moderated, so it
     should have some high-quality, technical posts
  - FAQs on sci.crypt, from RSA, etc.
  - Dave Banisar of EPIC (Electronic Privacy Information
     Center) reports: "...we have several hundred files on
     encryption available via ftp/wais/gopher/WWW from cpsr.org
     /cpsr/privacy/crypto." [D.B., sci.crypt, 1994-06-30]
 5.2.4. Miscellaneous Comments
  - details of algorithms would fill several books...and do
  - hence, will not cover crypto in depth here (the main focus
     of this doc is the implications of crypto, the
     Cypherpunkian aspects, the things not covered in crypto
     textbooks)
  - beware of getting lost in the minutiae, in the details of
     specific algorithms...try to keep in the mind the
     _important_ aspects of any system

5.3 - What this FAQ Section Will Not Cover
 5.3.1. Why a section on crypto when so many other sources exist?
  - A good question. I'll be keeping this section brief, as
     many textbooks can afford to do a much better job here than
     I can.
  - not just for those who read number theory books with one
     hand
 5.3.2. NOTE: This section may remain disorganized, at least as
   compared to some of the later sections. Many excellent
   sources on crypto exist, including readily available FAQs
   (sci.crypt, RSADSI FAQ) and books. Schneier's books is
   especially recommended, and should be on _every_ Cypherpunk's
   bookshelf.

5.4 - Crypto Basics
 5.4.1. "What is cryptology?"
  - we see crypto all around us...the keys in our pockets, the
     signatures on our driver's licenses and other cards, the
     photo IDs, the credit cards
  + cryptography or cryptology, the science of secret
     writing...but it's a lot more...consider I.D.  cards, locks
     on doors, combinations to safes, private
     information...secrecy is all around us
    - some say this is bad--the tension between "what have you
       got to hide?" and "none of your business"
  - some exotic stuff: digital money, voting systems, advanced
     software protocols
  - of importance to protecting privacy in a world of
     localizers (a la Bob and Cherie), credit cards, tags on
     cars, etc....the dossier society
  + general comments on cryptography
    - chain is only as strong as its weakest link
    - assume opponnent knows everything except the secret key
    -
  - Crypto is about economics
  + Codes and Ciphers
    + Simple Codes
      - Code Books
    + Simple Ciphers
      + Substitution Ciphers (A=C, B=D, etc.)
        - Caesar Shift (blocks)
      + Keyword Ciphers
        + Vigen¸re (with Caesar)
          + Rotor Machines
            - Hagelin
            - Enigma
            - Early Computers (Turing, Colossus)
    + Modern Ciphers
      + 20th Century
        + Private Key
          + One-Time Pads (long strings of random numbers,
             shared by both parties)
            + not breakable even in principle, e.g., a one-time
               pad with random characters selected by a truly
               random process (die tosses, radioactive decay,
               certain types of noise, etc.)
              - and ignoring the "breakable by break-ins"
                 approach of stealing the one-time pad, etc.
                 ("Black bag cryptography")
            - Computer Media (Floppies)
            + CD-ROMs and DATs
              - "CD ROM is a terrible medium for the OTP key
                 stream.  First, you want exactly two copies of
                 the random stream.  CD ROM has an economic
                 advantage only for large runs. Second, you want
                 to destroy the part of the stream already used.
                 CD ROM has no erase facilities, outside of
                 physical destruction of the entire disk."
                 [Bryan G. Olson, sci.crypt, 1994-08-31]
          + DES--Data Encryption Standard
            - Developed from IBM's Lucifer, supported by NSA
            - a standard since 1970s
            + But is it "Weak"?
              + DES-busting hardware and software studied
                + By 1990, still cracked
                  - But NSA/NIST has ordered a change
          + Key Distribution Problem
            + Communicating with 100 other people means
               distributing and  securing 100 keys
              - and each of those 100 must keep their 100 keys
                 secure
              - no possibility of widespread use
        + Public Key
          + 1970s: Diffie, Hellman, Merkle
            + Two Keys: Private Key and Public Key
              + Anybody can encrypt a message to Receiver with
                 Receiver's PUBLIC key, but only the Receiver's
                 PRIVATE key can decrypt the message
                + Directories of public keys can be published
                   (solves the key distribution problem)
                  + Approaches
                    + One-Way Functions
                      - Knapsack (Merkle, Hellman)
                      + RSA (Rivest, Shamir, Adleman)
                        - relies on difficulty of factoring
                           large numbers (200 decimal digits)
                        - believed to be "NP-hard"
                        + patented and licensed to "carefully
                           selected" customers
                          - RSA, Fiat-Shamir, and other
                             algorithms are not freely usable
                          - search for alternatives continues
 5.4.2. "Why does anybody need crypto?"
  + Why the Need
    - electronic communications...cellular phones, fax
       machines, ordinary phone calls are all easily
       intercepted...by foreign governments, by the NSA, by
       rival drug dealers, by casual amateurs
    + transactions being traced....credit card receipts,
       personal checks, I.D. cards presented at time of
       purchase...allows cross-referencing, direct mail data
       bases, even government raids on people who buy greenhouse
       supplies!
      - in a sense, encryption and digital money allows a
         return to cash
    - Why do honest people need encryption? Because not
       everyone is honest, and this applies to governments as
       well. Besides, some things are no one else's  business.
  - Why does anybody need locks on doors? Why aren't all
     diaries available for public reading?
  + Whit Diffie, one of the inventors of public key
     cryptography (and a Cypherpunk) points out that human
     interaction has largely been predicated on two important
     aspects:
    - that you are who you say you are
    - expectation of privacy in private communications
  - Privacy exists in various forms in various cultures. But
     even in police states, certain concepts of privacy are
     important.
  - Trust is not enough...one may have opponents who will
     violate trust if it seems justified
  + The current importance of crypto is even more striking
    + needed to protect privacy in cyberspace, networks, etc.
      - many more paths, links, interconnects
      - read Vinge's "True Names" for a vision
    + digital money...in a world of agents, knowbots, high
       connectivity
      - (can't be giving out your VISA number for all these
         things)
    + developing battle between:
      - privacy advocates...those who want privacy
      - government agencies...FBI, DOJ, DEA, FINCEN, NSA
      + being fought with:
        - attempts to restrict encryption (S.266, never passed)
        - Digital Telephony Bill, $10K a day fine
        - trial balloons to require key registration
        - future actions
  + honest people need crypto because there are dishonest
     people
    - and there may be other needs for privacy
  - Phil Zimmerman's point about sending all mail, all letters,
     on postcards--"What have you got to hide?" indeed!
  - the expectation of privacy in out homes and in phone
     conversations
  + Whit Diffie's main points:
    + proving who you say you are...signatures, authentications
      - like "seals" of the past
    - protecting privacy
    - locks and keys on property and whatnot
  + the three elements that are central to our modern view of
     liberty and privacy (a la Diffie)
    - protecting things against theft
    - proving who we say we are
    - expecting privacy in our conversations and writings
 5.4.3. What's the history of cryptology?
 5.4.4. Major Classes of Crypto
  - (these sections will introduce the terms in context, though
     complete definitions will not be given)
  + Encryption
    - privacy of messages
    - using ciphers and codes to protect the secrecy of
       messages
    - DES is the most common symmetric cipher (same key for
       encryption and decryption)
    - RSA is the most common asymmetric cipher (different keys
       for encryption and decryption)
  + Signatures and Authentication
    - proving who you are
    - proving you signed a document (and not someone else)
    + Authentication
      + Seals
        + Signatures (written)
          + Digital Signatures (computer)
            - Example: Numerical codes on lottery tickets
            + Using Public Key Methods (see below)
              - Digital Credentials (Super Smartcards)
        - Tamper-responding Systems
      + Credentials
        - ID Cards, Passports, etc.
      + Biometric Security
        - Fingerprints, Retinal Scans, DNA, etc.
  + Untraceable Mail
    - untraceable sending and receiving of mail and messages
    - focus: defeating eavesdroppers and traffic analysis
    - DC protocol (dining cryptographers)
  + Cryptographic Voting
    - focus: ballot box anonymity
    - credentials for voting
    - issues of double voting, security, robustness, efficiency
  + Digital Cash
    - focus: privacy in transactions, purchases
    - unlinkable credentials
    - blinded notes
    - "digital coins" may not be possible
  + Crypto Anarchy
    - using the above to evade gov't., to bypass tax
       collection, etc.
    - a technological solution to the problem of too much
       government
  + Security
    + Locks
      - Key Locks
      + Combination Locks
        - Cardkey Locks
    + Tamper-responding Systems (Seals)
      + Also known as "tamper-proof" (misleading)
        - Food and Medicine Containers
        - Vaults, Safes (Alarms)
        + Weapons, Permissive Action Links
          - Nuclear Weapons
          - Arms Control
        - Smartcards
        - Currency, Checks
        + Cryptographic Checksums on Software
          - But where is it stored? (Can spoof the system by
             replacing the whole package)
        + Copy Protection
          - Passwords
          - Hardware Keys ("dongles")
          - Call-in at run-time
    + Access Control
      - Passwords, Passphrases
      - Biometric Security, Handwritten Signatures
      - For: Computer Accounts, ATMs, Smartcards
 5.4.5. Hardware vs. Software
  - NSA says only hardware implementations can really be
     considered secure, and yet most Cypherpunks and ordinary
     crypto users favor the sofware approach
  - Hardware is less easily spoofable (replacement of modules)
  - Software can be changed more rapidly, to make use of newer
     features, faster modules, etc.
  - Different cultures, with ordinary users (many millions)
     knowing they are less likely to have their systems black-
     bag spoofed (midnight engineering) than are the relatively
     fewer and much more sensitive military sites.
 5.4.6. "What are 'tamper-resistant modules' and why are they
   important?"
  - These are the "tamper-proof boxes" of yore: display cases,
     vaults, museum cases
  - that give evidence of having been opened, tampered with,
     etc.
  + modern versions:
    - display cases
    - smart cards
    + chips
      - layers of epoxy, abrasive materials, fusible links,
         etc.
      - (goal is to make reverse engineering much more
         expensive)
    - nuclear weapon "permissive action links" (PALs)
 5.4.7. "What are "one way functions"?"
  - functions with no inverses
  - crypto needs functions that are seemingly one-way, but
     which actually have an inverse (though very hard to find,
     for example)
  - one-way function, like "bobbles" (Vinge's "Marooned in
     Realtime")
 5.4.8. When did modern cryptology start?
  + "What are some of the modern applications of cryptology?"
    + "Zero Knowledge Interactive Proof Systems" (ZKIPS)
      - since around 1985
      - "minimum disclosure proofs"
      + proving that you know something without actually
         revealing that something
        + practical example: password
          + can prove you have the password without actually
             typing it in to computer
            - hence, eavesdroppers can't learn your password
            - like "20 questions" but more sophisticated
        - abstract example: Hamiltonian circuit of a graph
    + Digital Money
      + David Chaum: "RSA numbers ARE money"
        - checks, cashiers checks, etc.
        - can even know if attempt is made to cash same check
           twice
        + so far, no direct equivalent of paper currency or
           coins
          - but when combined with "reputation-based systems,"
             there may be
    + Credentials
      + Proofs of some property that do not reveal more than
         just that property
        - age, license to drive, voting rights, etc.
        - "digital envelopes"
      + Fiat-Shamir
        - passports
    + Anonymous Voting
      - protection of privacy with electronic voting
      - politics, corporations, clubs, etc.
      - peer review of electronic journals
      - consumer opinions, polls
    + Digital Pseudonyms and Untraceable E-Mail
      + ability to adopt a digital pseudonym that is:
        - unforgeable
        - authenticatable
        - untraceable
      - Vinge's "True Names" and Card's "Ender's Game"
      + Bulletin Boards, Samizdats, and Free Speech
        + banned speech, technologies
          - e.g., formula for RU-486 pill
          - bootleg software, legally protected material
        + floating opinions without fears for professional
           position
          - can even later "prove" the opinions were yours
      + "The Labyrinth"
        - store-and-forward switching nodes
        + each with tamper-responding modules that decrypt
           incoming messages
          + accumulate some number (latency)
            + retransmit to next address
              - and so on....
        + relies on hardware and/or reputations
          + Chaum claims it can be done solely in software
            - "Dining Cryptographers"
 5.4.9. What is public key cryptography?
5.4.10. Why is public key cryptography so important?
  + The chief advantage of public keys cryptosystems over
     conventional symmetric key (one key does both encryption
     and decryption) is one _connectivity_ to recipients: one
     can communicate securely with people without exchanging key
     material.
    - by looking up their public key in a directory
    - by setting up a channel using Diffie-Hellman key exchange
       (for example)
5.4.11. "Does possession of a key mean possession of *identity*?"
  - If I get your key, am I you?
  - Certainly not outside the context of the cryptographic
     transaction. But within the context of a transaction, yes.
     Additional safeguards/speedbumps can be inserted (such as
     biometric credentials, additional passphrases, etc.), but
     these are essentially part of the "key," so the basic
     answer remains "yes." (There are periodically concerns
     raised about this, citing the dangers of having all
     identity tied to a single credential, or number, or key.
     Well, there are ways to handle this, such as by adopting
     protocols that limit one's exposure, that limits the amount
     of money that can be withdrawn, etc. Or people can adopt
     protocols that require additional security, time delays,
     countersigning, etc.)
  + This may be tested in court soon enough, but the answer for
     many contracts and crypto transactions will be that
     possession of key = possession of identity. Even a court
     test may mean little, for the types of transactions I
     expect to see.
    - That is, in anonymous systems, "who ya gonna sue?"
  - So, guard your key.
5.4.12. What are digital signatures?
  + Uses of Digital Signatures
    - Electronic Contracts
    - Voting
    - Checks and other financial instruments (similar to
       contracts)
    - Date-stamped Transactions (augmenting Notary Publics)
5.4.13. Identity, Passports, Fiat-Shamir
  - Murdoch, is-a-person, national ID cards, surveillance
     society
  + "Chess Grandmaster Problem" and other Frauds and Spoofs
    - of central importance to proofs of identity (a la Fiat-
       Shamir)
    - "terrorist" and "Mafia spoof" problems
5.4.14. Where  else should I look?
5.4.15. Crypto, Technical
  + Ciphers
    - traditional
    - one-time pads, Vernams ciphers, information-theoretically
       secure
    + "I Have a New Idea for a Cipher---Should I Discuss it
       Here?"
      - Please don't. Ciphers require careful analysis, and
         should be in paper form (that is, presented in a
         detailed paper, with the necessary references to show
         that due diligence was done, the equations, tables,
         etc. The Net is a poor substitute.
      - Also, breaking a randomly presented cipher is by no
         means trivial, even if the cipher is eventually shown
         to be weak. Most people don't have the inclination to
         try to break a cipher unless there's some incentive,
         such as fame or money involved.
      - And new ciphers are notoriously hard to design. Experts
         are the best folks to do this. With all the stuff
         waiting to be done (described here), working on a new
         cipher is probably the least effective thing an amateur
         can do. (If you are not an amateur, and have broken
         other people's ciphers before, then you know who you
         are, and these comments don't apply. But I'll guess
         that fewer than a handful of folks on this list have
         the necessary background to do cipher design.)
      - There are a vast number of ciphers and systems, nearly
         all of no lasting significance. Untested, undocumented,
         unused--and probably unworthy of any real attention.
         Don't add to the noise.
    - What is DES and can it be broken?
    + ciphers
      - RC4, stream cipher
      + DolphinEncrypt
        -
        + "Last time Dolphin Encrypt reared its insecure head
           in this forum,
          - these same issues came up.  The cipher that DE uses
             is not public and
          - was not designed by a person of known
             cryptographicc competence.  It
          - should therefore be considered extremely weak.
             
  + RSA
    - What is RSA?
    - Who owns or controls the RSA patents?
    - Can RSA be broken?
    - What alternatives to RSA exist?
  + One-Way Functions
    - like diodes, one-way streets
    - multiplying two large numbers together is
       easy....factoring the product is often very hard
    - (this is not enough for a usable cipher, as the recipient
       must be able to perform the reverse operation..it turns
       out that "trapdoors" can be found)
  - Digital Signatures
  + Digital Cash
    - What is digital cash?
    - How does digital cash differ from VISA and similar
       electronic systems?
    - Clearing vs. Doublespending Detection
  - Zero Knowledge
  - Mixes and Remailers
  - Dining Cryptographers
  + Steganography
    - invisible ink
    - microdots
    - images
    - sound files
  + Random Number Generators
    + von Neumann quote about living in a state of sin
      - also paraphrased (I've heard) to include _analog_
         methods, presumably because the nonrepeating (form an
         initial seed/start)  nature makes repeating experiments
         impossible
    + Blum-Blum-Shub
      + How it Works
        - "The Blum-Blum-Shub PRNG is really very simple.
           There is source floating around on the crypto ftp
           sites, but it is a set of scripts for the Unix bignum
           calculator "bc", plus some shell scripts, so it is
           not very portable.
           
           "To create a BBS RNG, choose two random primes p and
           q which are congruent to 3 mod 4.  Then the RNG is
           based on the iteration x = x*x mod n.  x is
           initialized as a random seed.  (x should be a
           quadratic residue, meaning that it is the square of
           some number mod n, but that can be arranged by
           iterating the RNG once before using its output.)"
           [Hal Finney, 1994-05-14]
      - Look for blum-blum-shub-strong-randgen.shar and related
         files in pub/crypt/other at ripem.msu.edu. (This site
         is chock-full of good stuff. Of course, only Americans
         are allowed to use these random number generators, and
         even they face fines of $500,000 and imprisonment for
         up to 5 years for inappopriate use of random numbers.)
      - source code at ripem ftp site
      - "If you don't need high-bandwidth randomness, there are
         several good PRNG, but none of them run fast.  See the
         chapter on PRNG's in "Cryptology and Computational
         Number Theory"." [Eric Hughes, 1994-04-14]
    + "What about hardware random number generators?"
      + Chips are available
        -
        + "Hughes Aircraft also offers a true non-deterministic
           chip (16 pin DIP).
          - For more info contact me at kephart@sirena.hac.com"
             <7 April 94, sci.crypt>
    + "Should RNG hardware be a Cypherpunks project?"
      - Probably not, but go right ahead. Half a dozen folks
         have gotten all fired up about this, proposed a project-
         -then let it drop.
    - can use repeated applications of a cryptographic has
       function to generate pretty damn good PRNs (the RSAREF
       library has hooks for this)
    + "I need a pretty good random number generator--what
       should I use?"
      - "While Blum-Blum-Shub is probably the cool way to go,
         RSAREF uses repeated iterations of MD5 to generate its
         pseudo-randoms, which can be reasonably secure and use
         code you've probably already got hooks from perl
         for.[BillStewart,1994-04-15]
    + Libraries
      - Scheme code: ftp://ftp.cs.indiana.edu/pub/scheme-
         repository/scm/rand.scm
  + P and NP and all that jazz
    - complexity, factoring,
    + can quantum mechanics help?
      - probably not
  + Certification Authorities
    - heierarchy vs. distributed web of trust
    - in heierarchy, individual businesses may set themselves
       up as CAs, as CommerceNet is talking about doing
    + Or, scarily, the governments of the world may insist that
       they be "in the loop"
      - several ways to do this: legal system invocation, tax
         laws, national security....I expect the legal system to
         impinge on CAs and hence be the main way that CAs are
         partnered with the government
      - I mention this to give people some chance to plan
         alternatives, end-runs
    - This is one of the strongest reasons to support the
       decoupling of software from use (that is, to reject the
       particular model RSADSI is now using)
5.4.16. Randomness
  - A confusing subject to many, but also a glorious subject
     (ripe with algorithms, with deep theory, and readily
     understandable results).
  + Bill Stewart had a funny comment in sci.crypt which also
     shows how hard it is to know if something's really random
     or not: "I can take a simple generator X[i] = DES( X[i-1],
     K ), which will produce nice random white noise, but you
     won't be able to see that it's non-random unless you rent
     time on NSA's DES-cracker." [B.S. 1994-09-06]
    - In fact, many seemingly random strings are actually
       "cryptoregular": they are regular, or nonrandom, as soon
       as one uses the right key. Obviously, most strings used
       in crypto are cryptoregular in that they _appear_ to be
       random, and pass various randomness measures, but are
       not.
  + "How can the randomness of a bit string be measured?"
    - It can roughly be estimated by entropy measures, how
       compressible it is (by various compression programs),
       etc.
    - It's important to realize that measures of randomness
       are, in a sense, "in the eye of the beholder"--there just
       is no proof that a string is random...there's always room
       for cleverness, if you will
    + Chaitin-Kolmogoroff complexity theory makes this clearer.
       To use someone else's words:
      - "Actually, it can't be done.  The consistent measure of
         entropy for finite objects like a string or a (finite)
         series of random numbers is the so-called ``program
         length complexity''.  This is defined as the length of
         the shortest program for some given universal Turing
         machine
         which computes the string.  It's consistent in the
         sense that it has the familiar properties of
         ``ordinary'' (Shannon) entropy.  Unfortunately, it's
         uncomputable: there's no algorithm which, given an
         arbitrary finite string S, computes the program-length
         complexity of S.
         
         Program-length complexity is well-studied in the
         literature.  A good introductory paper is ``A Theory of
         Program Size Formally Identical to Information Theory''
         by  G. J. Chaitin, _Journal of the ACM_, 22 (1975)
         reprinted in Chaitin's book _Information Randomness &
         Incompleteness_, World Scientific Publishing Co.,
         1990." [John E. Kreznar, 1993-12-02]
  + "How can I generate reasonably random numbers?"
    - I say "reasonably" becuae of the point above: no number
       or sequence is provably "random." About the best that can
       be said is that a number of string is the reuslt of a
       process we call "random." If done algorithimically, and
       deterministically, we call this process "pseudo-random."
       (And  pseudorandom is usually more valuable than "really
       random" because we want to be able to generate the same
       sequence repeatedly, to repeat experiments, etc.)
5.4.17. Other crypto and hash programs
  + MDC, a stream cipher
    - Peter Gutman, based on NIST Secure Hash Algorithm
    - uses longer keys than IDEA, DES
  - MD5
  - Blowfish
  - DolphinEncrypt
5.4.18. RSA strength
  - casual grade, 384 bits, 100 MIPS-years (Paul Leyland, 3-31-
     94)
  - RSA-129, 425 bits, 4000 MIPS-years
  - 512 bits...20,000 MIPS-years
  - 1024 bits...
5.4.19. Triple DES
  - "It involves three DES cycles, in encrypt-decrypt-encrypt
     order. THe keys used may be either K1/K2/K3 or K1/K2/K1.
     The latter is   sometimes caled "double-DES".  Combining
     two DES operations like this requires twice as much work to
     break as one DES, and a lot more storage. If you have the
     storage, it just adds one bit to the effective key size.  "
     [Colin Plumb, colin@nyx10.cs.du.edu, sci.crypt, 4-13-94]
5.4.20. Tamper-resistant modules (TRMs) (or tamper-responding)
  + usually "tamper-indicating", a la seals
    - very tough to stop tampering, but relatively easy to see
       if seal has been breached (and then not restored
       faithfully)
    - possession of the "seal" is controlled...this is the
       historical equivalent to the "private key" in a digital
       signature system, with the technological difficulty of
       forging the seal being the protection
  + usually for crypto. keys and crypto. processing
    - nuclear test monitoring
    - smart cards
    - ATMs
  + one or more sensors to detect intrusion
    - vibration (carborundum particles)
    - pressure changes (a la museum display cases)
    - electrical
    - stressed-glass (Corning, Sandia)
  + test ban treaty verification requires this
    - fiber optic lines sealing a missile...
    - scratch patterns...
    - decals....
  + Epoxy resins
    - a la Intel in 1970s (8086)
    + Lawrence Livermore: "Connoisseur Project"
      - gov't agencies using this to protect against reverse
         engineering, acquisition of keys, etc.
    + can't stop a determined effort, though
      - etches, solvents, plasma ashing, etc.
      - but can cause cost to be very high (esp. if resin
         formula is varied frequently, so that "recipe" can't be
         logged)
    + can use clear epoxy with "sparkles" in the epoxy and
       careful 2-position photography used to record pattern
      - perhaps with a transparent lid?
  + fiber optic seal (bundle of fibers, cut)
    - bundle of fibers is looped around device, then sealed and
       cut so that about half the fibers are cut; the pattern of
       lit and
       unlit fibers is a signature, and is extremely difficult
       to reproduce
  - nanotechnology may be used (someday)
5.4.21. "What are smart cards?"
  - Useful for computer security, bank transfers (like ATM
     cards), etc.
  - may have local intelligence (this is the usual sense)
  - microprocessors, observor protocol (Chaum)
  + Smart cards and electronic funds transfer
    - Tamper-resistant modules
    + Security of manufacturing
      - some variant of  "cut-and-choose" inspection of
         premises
    + Uses of smart cards
      - conventional credit card uses
      - bill payment
      - postage
      - bridge and road tolls
      - payments for items received electronically (not
         necessarily anonymously)

5.5 - Cryptology-Technical, Mathematical
 5.5.1. Historical Cryptography
  + Enigma machines
    - cracked by English at Bletchley Park
    - a secret until mid-1970s
    + U.K. sold hundreds of seized E. machines to embassies,
       governments, even corporations, in late 1940s, early
       1950s
      - could then crack what was being said by allies
  + Hagelin, Boris (?)
    - U.S. paid him to install trapdoors, says Kahn
    + his company, Crypto A.G., was probably an NSA front
       company
      - Sweden, then U.S., then Sweden, then Zug
    - rotor systems cracked
 5.5.2. Public-key Systems--HISTORY
  + Inman has admitted that NSA had a P-K concept in 1966
    - fits with Dominik's point about sealed cryptosystem boxes
       with no way to load new keys
    - and consistent with NSA having essentially sole access to
       nation's top mathematicians (until Diffies and Hellmans
       foreswore government funding, as a result of the anti-
       Pentagon feelings of the 70s)
  - Merkle's "puzzle" ideas, circa mid-70s
  - Diffie and Hellman
  - Rivest, Shamir, and Adleman
 5.5.3. RSA and Alternatives to RSA
  + RSA and other P-K patents are strangling development and
     dissemination of crypto systems
    - perhaps out of marketing stupidity, perhaps with the help
       of the government (which has an interest in keeping a
       monopoly on secure encryption)
  + One-way functions and "deposit-only envelopes"
    - one-way functions
    - deposit-only envelopes: allow additions to envelopes and
       only addressee can open
  - hash functions are easy to implement one-way functions
     (with no need for an inverse)
 5.5.4. Digital Signatures
  + Uses of Digital Signatures
    - Electronic Contracts
    - Voting
    - Checks and other financial instruments (similar to
       contracts)
    - Date-stamped Transactions (augmenting Notary Publics)
  - Undeniable digital signatures
  + Unforgeable signatures, even with unlimited computational
     power, can be achieved if the population is limited (a
     finite set of agents)
    - using an untraceable sending protocol, such as "the
       Dining Cryptographers Problem" of Chaum
 5.5.5. Randomness and incompressibility
  + best definition we have is due to Chaitin and Kolmogoroff:
     a string or any structure is "random" if it has no shorter
     description of itself than itself.
    - (Now even specific instances of "randomly generated
       strings" sometimes will be compressible--but not very
       often. Cf. the works of Chaitin and others for more on
       these sorts of points.)
 5.5.6. Steganography: Methods for Hiding the Mere Existence of
   Encrypted Data
  + in contrast to the oft-cited point (made by crypto purists)
     that one must assume the opponent has full access to the
     cryptotext, some fragments of decrypted plaintext,  and to
     the algorithm itself, i.e., assume the worst
    - a condition I think is practically absurd and unrealistic
    - assumes infinite intercept power (same assumption of
       infinite computer power would make all systems besides
       one-time pads breakable)
    - in reality, hiding the existence and form of an encrypted
       message is important
    + this will be all the more so as legal challenges to
       crypto are mounted...the proposed ban on encrypted
       telecom (with $10K per day fine), various governmental
       regulations, etc.
      - RICO and other broad brush ploys may make people very
         careful about revealing that they are even using
         encryption (regardless of how secure the keys are)
  + steganography, the science of hiding the existence of
     encrypted information
    - secret inks
    - microdots
    - thwarting traffic analysis
    - LSB method
  + Packing data into audio tapes (LSB of DAT)
    + LSB of DAT: a 2GB audio DAT will allow more than 100
       megabytes in the LSBs
      - less if algorithms are used to shape the spectrum to
         make it look even more like noise
      - but can also use the higher bits, too (since a real-
         world recording will have noise reaching up to perhaps
         the 3rd or 4th bit)
      + will manufacturers investigate "dithering"  circuits?
         (a la fat zero?)
        - but the race will still be on
  + Digital video will offer even more storage space (larger
     tapes)
    - DVI, etc.
    - HDTV by late 1990s
  + Messages can be put into GIFF, TIFF image files (or even
     noisy faxes)
    - using the LSB method, with a 1024 x 1024 grey scale image
       holding 64KB in the LSB plane alone
    - with error correction, noise shaping, etc., still at
       least 50KB
    - scenario: already being used to transmit message through
       international fax and image transmissions
  + The Old "Two Plaintexts" Ploy
    - one decoding produces "Having a nice time. Wish you were
       here."
    - other decoding, of the same raw bits, produces "The last
       submarine left this morning."
    - any legal order to produce the key generates the first
       message
    + authorities can never prove-save for torture or an
       informant-that another message exists
      - unless there are somehow signs that the encrypted
         message is somehow "inefficiently encrypted, suggesting
         the use of a dual plaintext pair method" (or somesuch
         spookspeak)
    - again, certain purist argue that such issues (which are
       related to the old "How do you know when to stop?"
       question) are misleading, that one must assume the
       opponent has nearly complete access to everything except
       the actual key, that any scheme to combine multiple
       systems is no better than what is gotten as a result of
       the combination itself
  - and just the overall bandwidth of data...
  + Several programs exist:
    - Stego
    - etc. (described elsewhere)
 5.5.7. The Essential Impossibility of Breaking Modern Ciphers and
   Codes
  - this is an important change from the past (and from various
     thriller novels that have big computers cracking codes)
  - granted, "unbreakable" is a misleading term
  + recall the comment that NSA has not really broken any
     Soviet systems in many years
    - except for the cases, a la the Walker case, where
       plaintext versions are gotten, i.e., where human screwups
       occurred
  - the image in so many novels of massive computers breaking
     codes is absurd: modern ciphers will not be broken (but the
     primitive ciphers used by so many Third World nations and
     their embassies will continue to be child's play, even for
     high school science fair projects...could be a good idea
     for a small scene, about a BCC student who has his project
     pulled)
  + But could novel computational methods crack these public
     key ciphers?
    + some speculative candidates
      + holographic computers, where large numbers are
         factored-or at least the possibilities are somehown
         narrowed-by using arrays that (somehow) represent the
         numbers to be factored
        - perhaps with diffraction, channeling, etc.
      - neural networks and evolutionary systems (genetic
         algorithms)
    - the idea is that somehow the massive computations can be
       converted into something that is inherently parallel
       (like a crystal)
    + hyperspeculatively: finding the oracle for these problems
       using nonconventional methods such as ESP and lucid
       dreaming
      - some groups feel this is worthwhile
 5.5.8. Anonymous Transfers
  - Chaum's digital mixes
  - "Dining Cryptographers"
  + can do it with exchanged diskettes, at a simple level
    - wherein each person can add new material
    + Alice to Bob to Carol....Alice and Carol can conspire to
       determine what Bob had added, but a sufficient "mixing"
       of bits and pieces is possible such that only if
       everybody conspires can one of the participants be caught
      - perhaps the card-shuffling results?
  + may become common inside compute systems...
    - by this vague idea I mean that various new OS protocols
       may call for various new mechanisms for exchanging
       information
 5.5.9. Miscellaneous Abstract Ideas
  - can first order logic predicates be proven in zero
     knowledge?
  - Riemannn hypothesis
  + P = NP?
    - would the universe change?
    - Smale has shown that if the squares have real numbers in
       them, as opposed to natural numbers (integers), then P =
       NP; perhaps this isn't surprising, as a real implies sort
       of a recursive descent, with each square having unlimited
       computer power
    + oracles
      - speculatively,  a character asks if Tarot cards, etc.,
         could be used (in addition to the normal idea that such
         devices help psychologically)
      - "a cascade of changes coming in from hundreds of
         decimal places out"
  + Quantum cryptography
    - bits can be exchanged-albeit at fairly low
       efficiencies-over a channel
    - with detection of taps, via the change of polarizations
    + Stephen Wiesner wrote a 1970 paper, half a decade before
       the P-K work, which outlined this-not published until
       much later
      - speculate that the NSA knew about this and quashed the
         publication
  + But could novel computational methods crack these public
     key ciphers?
    + some speculative candidates
      + holographic computers, where large numbers are
         factored-or at least the possibilities are somehown
         narrowed-by using arrays that (somehow) represent the
         numbers to be factored
        - perhaps with diffraction, channeling, etc.
      - neural networks and evolutionary systems (genetic
         algorithms)
    - the idea is that somehow the massive computations can be
       converted into something that is inherently parallel
       (like a crystal)
    + hyperspeculatively: finding the oracle for these problems
       using nonconventional methods such as ESP and lucid
       dreaming
      - some groups feel this is worthwhile
  - links to knot theory
  - "cut and choose" protocols (= zero knowledge)
  + can a "digital coin" be made?
    - this is formally similar to the idea of an active agent
       that is unforgeable, in the sense that the agent or coin
       is "standalone"
    + bits can always be duplicated (unless tied to hardware,
       as with TRMs), so must look elsewhere
      + could tie the bits to a specific location, so that
         duplication would be obvious or useless
        - the idea is vaguely that an agent could be placed in
           some location...duplications would be both detectable
           and irrelevant (same bits, same behavior,
           unmodifiable because of digital signature)
  + coding theory and cryptography at the "Discrete
     Mathematics"
    - http://www.win.tue.nl/win/math/dw/index.html
5.5.10. Tamper-resistant modules (TRMs) (or tamper-responding)
  + usually "tamper-indicating", a la seals
    - very tough to stop tampering, but relatively easy to see
       if seal has been breached (and then not restored
       faithfully)
    - possession of the "seal" is controlled...this is the
       historical equivalent to the "private key" in a digital
       signature system, with the technological difficulty of
       forging the seal being the protection
  + usually for crypto. keys and crypto. processing
    - nuclear test monitoring
    - smart cards
    - ATMs
  + one or more sensors to detect intrusion
    - vibration (carborundum particles)
    - pressure changes (a la museum display cases)
    - electrical
    - stressed-glass (Corning, Sandia)
  + test ban treaty verification requires this
    - fiber optic lines sealing a missile...
    - scratch patterns...
    - decals....
  + Epoxy resins
    - a la Intel in 1970s (8086)
    + Lawrence Livermore: "Connoisseur Project"
      - gov't agencies using this to protect against reverse
         engineering, acquisition of keys, etc.
    + can't stop a determined effort, though
      - etches, solvents, plasma ashing, etc.
      - but can cause cost to be very high (esp. if resin
         formula is varied frequently, so that "recipe" can't be
         logged)
    + can use clear epoxy with "sparkles" in the epoxy and
       careful 2-position photography used to record pattern
      - perhaps with a transparent lid?
  + fiber optic seal (bundle of fibers, cut)
    - bundle of fibers is looped around device, then sealed and
       cut so that about half the fibers are cut; the pattern of
       lit and
       unlit fibers is a signature, and is extremely difficult
       to reproduce
  - nanotechnology may be used (someday)

5.6 - Crypto Programs and Products
 5.6.1. PGP, of course
  - it's own section, needless to say
 5.6.2. "What about hardware chips for encryption?"
  - Speed can be gotten, for sure, but at the expense of
     limiting the market dramatically. Good for military uses,
     not so good for civilian uses (especially as most civilians
     don't have a need for high speeds, all other things being
     equal).
 5.6.3. Carl Ellison's "tran" and mixing various ciphers in chains
  - "tran.shar is available at ftp.std.com:/pub/cme
  -      des | tran | des | tran | des
  - to make the job of the attacker much harder, and to make
     differential cryptanalyis harder
  - "it's in response to Eli's paper that I advocated prngxor,
     as in:
              des | prngxor | tran | des | tran | des
     with the DES instances in ECB mode (in acknowledgement of
     Eli's attack). The prngxor destroys any patterns from the
     input, which was the purpose of CBC, without using the
     feedback path which Eli exploited."[ Carl Ellison, 1994-07-
     15]
 5.6.4. The Blum-Blum-Shub RNG
  - about the strongest algorithmic RNG we know of, albeit slow
     (if they can predict the next bit of BBS, they can break
     RSA, so....
  - ripem.msu.edu:/pub/crypt/other/blum-blum-shub-strong-
     randgen.shar
 5.6.5. the Blowfish cipher
  + BLOWFISH.ZIP, written by Bruce Schneier,1994. subject of an
     article in Dr. Dobb's Journal:
    - ftp.dsi.unimi.it:/pub/security/crypt/code/schneier-
       blowfish.c.gz

5.7 - Related Ideas
 5.7.1. "What is "blinding"?"
  + This is a basic primitive operation of most digital cash
     systems. Any good textbook on crypto should explain it, and
     cover the math needed to unerstand it in detail. Several
     people have explained it (many times) on the list; here's a
     short explanation by Karl Barrus:
    - "Conceptually, when you blind a message, nobody else can
       read it.  A property about blinding is that under the
       right circumstances if another party digitally signs a
       blinded message, the unblinded message will contain a
       valid digital signature.
       
       "So if Alice blinds the message "I owe Alice $1000" so
       that it reads (say) "a;dfafq)(*&" or whatever, and Bob
       agrees to sign this message, later Alice can unblind the
       message Bob signed to retrieve the original.  And Bob's
       digital signature will appear on the original, although
       he didn't sign the original directly.
       
       "Mathematically, blinding a message means multiplying it
       by a number (think of the message as being a number).
       Unblinding is simply dividing the original blinding
       factor out." [Karl Barrus, 1993-08-24]
  + And another explanation by Hal Finney, which came up in the
     context of how to delink pharmacy prescriptions from
     personal identity (fears of medial dossiers(:
    - "Chaum's "blinded credential" system is intended to solve
       exactly this kind of problem, but it requires an
       extensive infrastructure.  There has to be an agency
       where you physically identify yourself.  It doesn't have
       to know anything about you other than some physical ID
       like fingerprints.  You and it cooperate to create
       pseudonyms of various classes, for example, a "go to the
       doctor" pseudonym, and a "go to the pharmacy" pseudonym.
       These pseudonyms have a certain mathematical relationship
       which allows you to re-blind credentials written to one
       pseudonym to apply to any other.  But the agency uses
       your physical ID to make sure you only get one pseudonym
       of each kind....So, when the doctor gives you a
       prescription, that is a credential applied to your "go to
       the doctor" pseudonym.  (You can of course also reveal
       your real name to the doctor if you want.)  Then you show
       it at the pharmacy using your "go to the pharmacy"
       pseudonym.  The credential can only be shown on this one
       pseudonym at the pharamacy, but it is unlinkable to the
       one you got at the doctor's.  " [Hal Finney, 1994-09-07]
 5.7.2. "Crypto protocols are often confusing. Is there a coherent
   theory of these things?"
  - Yes, crypto protocols are often expressed as scenarios, as
     word problems, as "Alice and Bob and Eve" sorts of
     complicated interaction protocols. Not exactly game theory,
     not exactly logic, and not exactly anything else in
     particular...its own area.
  - Expert systems, proof-of-correctness calculi, etc.
  - spoofing, eavesdropping, motivations, reputations, trust
     models
  + In my opinion, much more work is needed here.
    - Graphs, agents, objects, capabilities, goals, intentions,
       logic
    - evolutionary game theory, cooperation, defection, tit-for-
       tat, ecologies, economies
    - mostly ignored, to date, by crypto community
 5.7.3. The holder of a key *is* the person, basically
  - that's the bottom line
  - those that worry about this are free to adopt stronger,
     more elaborate systems (multi-part, passphrases, biometric
     security, limits on account access, etc.)
  - whoever has a house key is essentially able to gain access
     (not saying this is the legal situation, but the practical
     one)
 5.7.4. Strong crypto is helped by huge increases in processor power,
   networks
  + Encryption *always wins out* over cryptanalysis...gap grows
     greater with time
    - "the bits win"
  + Networks can hide more bits...gigabits flowing across
     borders, stego, etc.
    - faster networks mean more "degrees of freedom," more
       avenues to hide bits in, exponentially increasing efforts
       to eavesdrop and track
    - (However, these additional degrees of freedome can mean
       greater chances for slipping up and leaving clues that
       allow correlation. Complexity can be a problem.)
  + "pulling the plug" hurts too much...shuts down world
     economy to stop illegal bits ("naughty bits"?)
    - one of the main goals is to reach the "point of no
       return," beyond which pulling the plug hurts too much
    - this is not to say they won't still pull the plug, damage
       be damned
 5.7.5. "What is the "Diffie-Hellman" protocol and why is it
   important?"
  + What it is
    - Diffie-Hellman, first described in 1976, allows key
       exchange over insecure channels.
    + Steve Bellovin was one of several people to explaine D-H
       to the list (every few months someone does!). I'm
       including his explanation, despite its length, to help
       readers who are not cryptologists get some flavor of the
       type of math involved. The thing to notice is the use of
       *exponentiations* and *modular arithmetic* (the "clock
       arithmetic" of our "new math" childhoods, except with
       really, really big numbers!). The difficulty of inverting
       the exponention (the discrete log problem) is what makes
       this a cryptographically interesting approach.
      - "The basic idea is simple.  Pick a large number p
         (probably a prime), and a base b that is a generator of
         the group of integers modulo p. Now, it turns out that
         given a known p, b, and (b^x) mod p, it's extremely
         hard to find out x.  That's known as the discrete log
         problem.
         
         "Here's how to use it.  Let two parties, X and Y, pick
         random numbers x and y, 1 < x,y < p.  They each
         calculate
         
             (b^x) mod p
         
         and
         
                 (b^y) mod p
         
         and transmit them to each other.  Now, X knows x and
         (b^y) mod p, so s/he can calculate (b^y)^x mod p =
         (b^(xy)) mod p.  Y can do the same calculation.  Now
         they both know (b^(xy)) mod p.  But eavesdroppers know
         only (b^x) mod p and (b^y) mod p, and can't use those
         quantities to recover the shared secret.  Typically, of
         course, X and Y will use that shared secret as a key to
         a conventional cryptosystem.
         
         "The biggest problem with the algorithm, as outlined
         above, is that there is no authentication.  An attacker
         can sit in the middle and speak that protocol to each
         legitimate party.
         
         "One last point -- you can treat x as a secret key, and
         publish
         (b^X) mod p as a public key.  Proof is left as an
         exercise for
         the reader."  [Steve Bellovin, 1993-07-17]
  - Why it's important
  + Using it
    + Matt Ghio has made available Phil Karn's program for
       generating numbers useful for D-H:
      - ftp cs.cmu.edu:
         /afs/andrew.cmu.edu/usr12/mg5n/public/Karn.DH.generator
  + Variants and Comments
    + Station to Station protocol
      - "The STS protocol is a regular D-H followed by a
         (delicately designed) exchange of signatures on the key
         exchange parameters.  The signatures in the second
         exchange that they can't be separated from the original
         parameters.....STS is a well-thought out protocol, with
         many subtleties already arranged for.  For the issue at
         hand, though, which is Ethernet sniffing, it's
         authentication aspects are not required now, even
         though they certainly will be in the near future."
         [Eric Hughes, 1994-02-06]
 5.7.6. groups, multiple encryption, IDEA, DES, difficulties in
   analyzing
 5.7.7. "Why and how is "randomness" tested?"
  - Randomness is a core concept in cryptography. Ciphers often
     fail when things are not as random as designers thought
     they would be.
  - Entropy, randomness, predictablility. Can never actually
     _prove_ a data set is random, though one can be fairly
     confident (cf. Kolmogorov-Chaitin complexity theory).
  - Still, tricks can make a random-looking text block look
     regular....this is what decryption does; such files are
     said to be cryptoregular.
  + As to how much testing is needed, this depends on the use,
     and on the degree of confidence needed. It may take
     millions of test samples, or even more, to establish
     randomness in set of data. For example:
    - "The standard tests for 'randomness' utilized in govt
       systems requires 1X10^6 samples. Most of the tests are
       standard probability stuff and some are classified. "
       [Wray Kephart, sci.crypt, 1994-08-07]
    - never assume something is really random just becuase it
       _looks_ random! (Dynamic Markov compressors can find
       nonrandomness quickly.)
 5.7.8. "Is it possible to tell if a file is encrypted?"
  - Not in general. Undecideability and all that. (Can't tell
     in general if a virus exists in code, Adleman showed, and
     can't tell in general if a file is encrypted, compressed,
     etc. Goes to issues of what we mean by encrypted or
     compressed.)
  + Sometimes we can have some pretty clear signals:
    - headers are attached
    - other characteristic signs
    - entropy per character
  + But files encrypted with strong methods typically look
     random; in fact, randomness is closely related to
     encyption.
    + regularity: all symbols represented equally, in all bases
       (that is, in doubles, triples, and all n-tuples)
      - "cryptoregular" is the term: file looks random
         (regular) until proper key is applied, then the
         randomness vaDCharles Bennett, "Physics of Computation
         Workshop," 1993]
    - "entropy" near the maximum (e.g., near 6 or 7 bits per
       character, whereas ordinary English has roughly 1.5-2
       bits per character of entropy)
 5.7.9. "Why not use CD-ROMs for one-time pads?"
  - The key distribution problem, and general headaches. Theft
     or compromise of the keying material is of course the
     greatest threat.
  - And one-time pads, being symmetric ciphers, give up the
     incredible advantages of public key methods.
  - "CD ROM is a terrible medium for the OTP key stream.
     First, you want exactly two copies of the random stream.
     CD ROM has an economic advantage only for large runs.
     Second, you want to destroy the part of the stream already
     used.  CD ROM has no erase facilities, outside of physical
     destruction of the entire disk." [Bryan G. Olson,
     sci.crypt, 1994-08-31]
  - If you have to have a one-time pad, a DAT makes more sense;
     cheap, can erase the bits already used, doesn't require
     pressing of a CD, etc. (One company claims to be selling CD-
     ROMs as one-time pads to customers...the security problems
     here should be obvious to all.)

5.8 - The Nature of Cryptology
 5.8.1. "What are the truly basic, core, primitive ideas of
   cryptology, crypto protocols, crypto anarchy, digital cash,
   and the things we deal with here?"
  - I don't just mean things like the mechanics of encryption,
     but more basic conceptual ideas.
 5.8.2. Crypto is about the creation and linking of private spaces...
 5.8.3. The "Core" Ideas of Cryptology and What we Deal With
  - Physics has mass, energy, force, momentum, angular
     momentum, gravitation, friction, the Uncertainty Principle,
     Complementarity, Least Action, and a hundred other such
     concepts and prinicples, some more basic than others. Ditto
     for any other field.
  + It seems to many of us that crypto is part of a larger
     study of core ideas involving: identity, proof, complexity,
     randomness, reputations, cut-and-choose protocols, zero
     knowledge, etc. In other words, the buzzwords.
    - But which of these are "core" concepts, from which others
       are derived?
    - Why, for example, do the "cut-and-choose" protocols work
       so well, so fairly? (That they do has been evident for a
       long time, and they literally are instances of Solomonic
       wisdom. Game theory has explanations in terms of payoff
       matrices, Nash equilibria, etc. It seems likely to me
       that the concepts of crypto will be recast in terms of a
       smaller set of basic ideas taken from these disparate
       fields of economics, game theory, formal systems, and
       ecology. Just my hunch.)
  + statements, assertions, belief, proof
    - "I am Tim"
    + possession of a key to a lock is usually treated as proof
       of...
      - not always, but that's the default assumption, that
         someone who unlocks a door is one of the proper
         people..access privileges, etc.
 5.8.4. We don't seem to know the "deep theory" about why certain
   protocols "work." For example, why is "cut-and-choose," where
   Alice cuts and Bob chooses (as in fairly dividing a pie),
   such a fair system? Game theory has a lot to do with it.
   Payoff matrices, etc.
  - But many protocols have not been fully studied. We know
     they work, but I think we don't know fully why they work.
     (Maybe I'm wrong here, but I've seen few papers looking at
     these issues in detail.)
  - Economics is certainly crucial, and tends to get overlooked
     in analysis of crypto protocols....the various "Crypto
     Conference Proceedings" papers typically ignore economic
     factors (except in the area of measuring the strength of a
     system in terms of computational cost to break).
  - "All crypto is economics."
  - We learn what works, and what doesn't. My hunch is that
     complex crypto systems will have emergent behaviors that
     are discovered only after deployment, or good simulation
     (hence my interest in "protocol ecologies").
 5.8.5. "Is it possible to create ciphers that are unbreakable in any
   amount of time with any amount of computer power?"
  + Information-theoretically secure vs. computationally-secure
    + not breakable even in principle, e.g., a one-time pad
       with random characters selected by a truly random process
       (die tosses, radioactive decay, certain types of noise,
       etc.)
      - and ignoring the "breakable by break-ins" approach of
         stealing the one-time pad, etc. ("Black bag
         cryptography")
    - not breakable in "reasonable" amounts of time with
       computers
  - Of course, a one-time pad (Vernam cipher) is theoretically
     unbreakable without the key. It is "information-
     theoretically secure."
  - RSA and similar public key algorithms are said to be only
     "computationally-secure," to some level of security
     dependent on modulus lenght, computer resources and time
     available, etc. Thus, given enough time and enough computer
     power, these ciphers are breakable.
  - However, they may be practically impossible to break, given
     the amount of energy in the universe.Not to split universes
     here, but it is interesting to consider that some ciphers
     may not be breakable in _our_ universe, in any amount of
     time. Our universe presumably has some finite number of
     particles (currently estimated to be 10^73 particles). This
     leads to the "even if every particle were a Cray Y-MP it
     would take..." sorts of thought experiments.
     
     But I am considering _energy_ here. Ignoring reversible
     computation for the moment, computations dissipate energy
     (some disagree with this point). There is some uppper limit
     on how many basic computations could ever be done with the
     amount of free energy in the universe. (A rough calculation
     could be done by calculating the energy output of stars,
     stuff falling into black holes, etc., and then assuming
     about kT per logical operation. This should be accurate to
     within a few orders of magnitude.) I haven't done this
     calculation, and won't today, but the result would likely
     be something along the lines of X joules of energy that
     could be harnessed for computation, resulting in Y basic
     primitive computational steps.
     
     I can then find a modulus of 3000 digits or 5000 digits, or
     whatever,that takes more than this number of steps to
     factor.
     
     Caveats:
     
     1. Maybe there are really shortcuts to factoring. Certainly
     improvements in factoring methods will continue. (But of
     course these improvements are not things that convert
     factoring into a less than exponential-in-length
     problem...that is, factoring appears to remain "hard.")
     
     2. Maybe reversible computations (a la Landauer, Bennett,
     et. al.) actually work. Maybe this means a "factoring
     machine" can be built which takes a fixed, or very slowly
     growing, amount of energy.
     
     3. Maybe the quantum-mechanical idea of Shore is possible.
     (I doubt it, for various reasons.)
     
     I continue to find it useful to think of very large numbers
     as creating "force fields" or "bobbles" (a la Vinge) around
     data. A 5000-decimal-digit modulus is as close to being
     unbreakable as anything we'll see in this universe.

5.9 - Practical Crypto
 5.9.1. again, this stuff is covered in many of the FAQs on PGP and
   on security that are floating around...
 5.9.2. "How long should crypto be valid for?"
  + That is, how long should a file remain uncrackable, or a
     digital signature remain unforgeable?
    - probabalistic, of course, with varying confidence levels
    - depends on breakthroughs, in math and in computer power
  + Some messages may only need to be valid for a few days or
     weeks. Others, for decades. Certain contracts may need to
     be unforgeable for many decades. And given advances in
     computer power, what appears to be a strong key today may
     fail utterly by 2020 or 2040.  (I'm of course not
     suggesting that a 300- or 500-digit RSA modulus will be
     practical by then.)
    + many people only need security for a matter of months or
       so, while others may need it (or think they need it) for
       decades or even for generations
      - they may fear retaliation against their heirs, for
         example, if certain communications were ever made
         public
  - "If you are signing the contract digitally, for instance,
     you would want to be sure that no one could forge your
     signature to change the terms after the fact -- a few
     months isn't enough for such purposes, only something that
     will last for fifteen or twenty years is okay." [Perry
     Metzger, 1994-07-06]
 5.9.3. "What about commercial encryption programs for protecting
   files?"
  - ViaCrypt, PGP 2.7
  - Various commercial programs have existed for years (I got
     "Sentinel" back in 1987-8...long since discontinued). Check
     reviews in the leading magazines.
  + Kent Marsh, FolderBolt for Macs and Windows
    - "The best Mac security program....is CryptoMactic by Kent
       Marsh Ltd.  It uses triple-DES in CBC mode, hashes an
       arbitrary-length password into a key, and has a whole lot
       of Mac-interface features.  (The Windows equivalent is
       FolderBolt for Windows, by the way.)" [Bruce Schneier,
       sci.crypt, 1994-07-19]
 5.9.4. "What are some practical steps to take to improve security?"
  - Do you, like most of us, leave backup diskettes laying
     around?
  - Do you use multiple-pass erasures of disks? If not, the
     bits may be recovered.
  - (Either of these can compromise all encrypted material you
     have, all with nothing more than a search warrant of your
     premises.)
 5.9.5. Picking (and remembering) passwords
  - Many of the issues here also apply to choosing remailers,
     etc. Things are often trickier than they seem. The
     "structure" of these spaces is tricky. For example, it may
     seem really sneaky (and "high entropy" to permute some
     words in a popular song and use that as a pass
     phrase....but this is obviously worth only a few bits of
     extra entropy. Specifically, the attacker will like take
     the thousand or so most popular songs, thousand or so most
     popular names, slogans, speeches, etc., and then run many
     permutations on each of them.
  - bits of entropy
  - lots of flaws, weaknesses, hidden factors
  - avoid simple words, etc.
  - hard to get 100 or more bits of real entropy
  - As Eli Brandt puts it, "Obscurity is no substitute for
     strong random numbers." [E.B., 1994-07-03]
  - Cryptanalysis is a matter of deduction, of forming and
     refining hypotheses. For example, the site
     "bitbucket@ee.und.ac.za" is advertised on the Net as a
     place to send "NSA food" to...mail sent to it gets
     discarded. So , a great place to send cover traffic to, no?
     No, as the NSA will mark this site for what it is and its
     usefulness is blown. (Unless its usefulness is actually
     something else, in which case the recursive descent has
     begun.)
  - Bohdan Tashchuk suggests [1994-07-04] using telephone-like
     numbers, mixed in with words, to better fit with human
     memorization habits; he notes that 30 or more bits of
     entropy are routinely memorized this way.
 5.9.6. "How can I remember long passwords or passphrases?"
  - Lots of security articles have tips on picking hard-to-
     guess (high entropy) passwords and passphrases.
  + Just do it.
    - People can learn to memorize long sequences. I'm not good
       at this, but others apparently are. Still, it seems
       dangerous, in terms of forgetting. (And writing down a
       passphrase may be vastly more risky than a shorter but
       more easily memorized passphrase is.  I think theft
       of keys and keystroke capturing on compromised machines
       are much
       more important practical weaknesses.)
  + The first letters of long phrases that have meaning only to
     the owner.
    - e.g., "When I was ten I ate the whole thing."--->
       "wiwtiatwt" (Purists will quibble that prepositional
       phrases like "when i was" have lower entropy. True, but
       better than "Joshua.")
  + Visual systems
    - Another approach to getting enough entropy in
       passwords/phrases is a "visual key" where one mouses from
       position to position in a visual environment. That is,
       one is presented with a scene containg some number of
       nodes, perhaps representing familiar objects from one's
       own home, and a path is chosen.  The advantage is that
       most people can remember fairly complicated
       (read: high entropy) "stories." Each object triggers a
       memory of the next object to visit. (Example: door to
       kitchen to blender to refrigerator to ..... ) This is the
       visual memory system said to be favored by Greek epic
       poets. This also gets around the keyboard-monitoring
       trick (but not necessarily the CRT-reading trick, of
       course).
       
       
       It might be an interesting hack to offer this as a front
       end for PGP. Even a simple grid of characters which could
       be moused on could be an assist in using long
       passphrases.

5.10 - DES
5.10.1. on the design of DES
  - Biham and Shamir showed how "differential cryptanalyis"
     could make the attack easier than brute-force search of the
     2^56 keyspace. Wiener did a thought experiment design of a
     "DES buster" machine (who ya gonna call?) that could break
     a DES key in a matter of days. (Similar to the Diffie and
     Hellman analysis of the mid-70s, updated to current
     technology.)
  + The IBM designers knew about differential cryptanalyis, it
     is now clear, and took steps to optimize DES. After Shamir
     and Biham published, Don Coppersmith acknowledged this.
     He's written a review paper:
    - Coppersmith, D.,  "The Data Encryption Standard (DES) and
       its strength against attacks."  IBM Journal of Research
       and Development.  38(3): 243-250. (May 1994)

5.11 - Breaking Ciphers
5.11.1. This is not a main Cypherpunks concern, for a variety of
   reasons (lots of work, special expertise, big machines, not a
   core area, ciphers always win in the long run). Breaking
   ciphers is something to consider, hence this brief section.
5.11.2. "What are the possible consequences of weaknesses in crypto
   systems?"
  - maybe reading messages
  - maybe forging messages
  - maybe faking timestamped documents
  - maybe draining a bank account in seconds
  - maybe winning in a crypto gambling system
  - maybe matters of life and death
5.11.3. "What are the weakest places in ciphers, practically
   speaking?"
  - Key management, without a doubt. People leave their keys
     lying around , write down their passphrases. etc.
5.11.4. Birthday attacks
5.11.5. For example, at Crypto '94 it was reported in a rump session
   (by Michael Wiener with Paul van Oorschot) that a machine to
   break the MD5 ciphers could be built for about $10 M (in 1994
   dollars, of course) and could break MD5 in about 20 days.
   (This follows the 1993 paper on a similar machine to break
   DES.)
  - Hal Finney did some calculations and reported to us:
  - "I mentioned a few days ago that one of the "rump session"
     papers at the crypto conference claimed that a machine
     could be built which would find MD5 collisions for $10M in
     about 20 days.....The net result is that we have taken
     virtually no more time (the 2^64 creations of MD5 will
     dominate) and virtually no space (compared to 2^64  stored
     values) and we get the effect of a birthday attack.  This
     is another cautionary data point about the risks of relying
     on space costs for security rather than time costs." [Hal
     Finney, 1994-09-09]
5.11.6. pkzip reported broken
  - "I finally found time to take a closer look at the
     encryption algorithm by Roger Schlafly that is used in
     PKZIP and have developed a practical known plaintext attack
     that can find the entire 96-bit internal state." [Paul Carl
     Kocher, comp.risks, 1994-09-04]
5.11.7. Gaming attacks, where loopholes in a system are exploited
  - contests that are defeated by automated attacks
  - the entire legal system can be viewed this way, with
     competing teams of lawyers looking for legal attacks  (and
     the more complex the legal code, the more attacks can be
     mounted)
  - ecologies, where weaknesses are exploited ruthlessly,
     forcing most species into extinction
  - economies, ditto, except must faster
  - the hazards for crypto schemes are clear
  + And there are important links to the issue of overly formal
     systems, or systems in which ordinary "discretion" and
     "choice" is overridden by rules from outside
    - as with rules telling employers in great detail when and
       how they can discharge employees (cf. the discussion of
       "reasonable rules made mandatory," elsewhere)
    - such rules get exploited by employees, who follow the
       "letter of the law" but are performing in a way
       unacceptable to the employer
    - related to "locality of reference" points, in that
       problem should be resolved locally, not with intervention
       from afar.
    - things will never be perfect, from the perspetive of all
       parties, but meddling from outside makes things into a
       game, the whole point of this section
  + Implications for digital money: overly complex legal
     systems, without the local advantages of true cash (settled
     locally)
    + may need to inject some supra-legal enforcement
       mechanisms into the system, to make it converge
      - offshore credit databases, beyond reach of U.S. and
         other laws
      + physical violence (one reason people don't "play games"
         with Mafia, Triads, etc., is that they know the
         implications)
        - it's not unethical, as I see it, for contracts  in
           which the parties understand that a possible or even
           likely consequence of their failure to perform is
           death
5.11.8. Diffie-Hellman key exchange vulnerabilities
  - "man-in-the-midle" attack
  + phone systems use voice readback of LCD indicated number
    - as computer power increases, even _this_ may be
       insufficient
5.11.9. Reverse engineering of ciphers
  - A5 code used in GSM phones was reverse engineered from a
     hardware description
  - Graham Toal reports (1994-07-12) that GCHQ blocked a public
     lectures on this

5.12 - Loose Ends
5.12.1. "Chess Grandmaster Problem" and other Frauds and Spoofs
  - of central importance to proofs of identity (a la Fiat-
     Shamir)
  - "terrorist" and "Mafia spoof" problems