18.1 copyright
   THE  CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
   1994-09-10, Copyright Timothy C. May. All rights reserved.
   See the detailed disclaimer. Use short sections under "fair
   use" provisions, with appropriate credit, but don't put your
   name on my words.

18.2 - SUMMARY: Loose Ends and Miscellaneous Topics
18.2.1. Main Points
18.2.2. Connections to Other Sections
18.2.3. Where to Find Additional Information
18.2.4. Miscellaneous Comments
  - I hate to have a section like this, but there are just some
     things that don't seem to fit neatly elsewhere
  - hopefully you found this topics with your editor search
     tools

18.3 - Quantum Cryptography
18.3.1. "What is quantum cryptography?"
  + Two main flavors:
    + secure channels exploiting the Uncertainty Principle
      + Brassard, Bennett, fiber optic lines, short distances,
         detects tapping
        + Quantum cryptography
          - bits can be exchanged-albeit at fairly low
             efficiencies-over a channel
          - with detection of taps, via the change of
             polarizations
          + Stephen Wiesner wrote a 1970 paper, half a decade
             before the P-K work, which outlined this-not
             published until much later
            - speculate that the NSA knew about this and
               quashed the publication
    + factoring of numbers using a strange Many World
       interpretation
      - Shor
      + hearkens to my spoof about Russians
        - I never knew I hit so close to the mark!
18.3.2. "What about _quantum cryptography_?"
  + Exploiting Uncertainty Principle to make untappable
     communication lines. (More precisely, tapped lines give
     indication of having been tapped.)
    - Bennett and Brassard
    - faint flashes of light in a fiber optic cable used;
       polarized photons
    - Alice and  Bob go through a protocol that involves them
       picking Linear or Circular Polarization (LP or CP); can't
       be simultaneously measured...
    -
  - Not likely to be important for a long time.
  - An additional tool, or crypto primitive building block.

18.4 - Chaotic Cryptography
18.4.1. the oscillator scheme was broken at Crypto '94

18.5 - Neural Nets and AI in Crypto
18.5.1. "What about neural nets and AI in crypto?"
  - Of limited use, at least in breaking modern ciphers. Marvin
     Minsky once said that if you don't understand how to solve
     a problem, adding randomness usually doesn't help.
  - The shape of  the solution space is very spiky, very poorly-
     suited to hill-climbing or divide-and-conquer methods
  + Neural nets are not likely to do well with modern ciphers
     (e.g., RSA, IDEA, DES, etc.), mainly because of the shape
     of the solution space.  Instead of the "rolling hills and
     valleys" that neural nets (and related methods, such as
     genetic algorithms, simulated annealing, etc.) do well in,
     the solution space for modern ciphers offers very little in
     the way of "learning" opportunities: you either have the
     solution (the key), or you don't.
     
     Think of a needle standing up from a flat plain...a NN or
     any other hill-climber could wander for years and never
     find it. Well-designed modern ciphers like RSA and IDEA
     appear to admit no analysis based on "nonrandom"
     properties. If anybody has found shortcuts to factoring the
     modulus in RSA, for example, they haven't let on.
     
     I suspect there are uses in peripheral aspects, such as
     guessing passwords (when people have not picked high-
     entropy passwords, but have instead used familiar names).
     Or in traffic analysis. Those who munch on lots of traffic
     may well be using neural nets, custom signal processing,
     etc. to "prepare" the captured traffic for further
     analysis. A safe bet, in fact.
     
     But the move in modern cryptology is definitely away from
     using anything with "structure" that can be learned. Put
     another way, neural nets and such work well in structured
     environments, where there's something to _learn), but not
     in the high-entropy, seemingly random world of encrypted
     data.
    + AI may be useful in other areas
      - protocol generation
      - SIGINT
18.5.2. Evolutionary or Genetic Programming
  - a la Holland, Koza
  - RNGs

18.6 - Miscellaneous Advanced Crypto Ideas
18.6.1. "Why have provably "NP-complete" problems not found uses in
   crypto?"
  - One of the great Unresolved Mysteries! Or the Holy Grail,
     if you will.
  - The issue is why have provably hard (or NP-complete, to be
     more accurate) problems not been used? (Factoring is not
     known to NP-complete...experts can correct my phrasing here
     if I'm misstating things.)
  - It would be nice if a provably hard problem, such as the
     domino tiling problem, or 3SAT, or other such things out of
     Garey and Johnson's book on NP-Completeness could be used.
     This would increase confidence in ciphers still further.
18.6.2. "Can cellular automata, like Conway's "Game of Life," be used
   for cryptography?"
  - Stephen Wolfram proposed use of cellular automata for
     crytography some years back; his collection of essays on
     cellular automata contains at least one such mention. Many
     people suspected that 1D CAs were no stronger than linear
     feedback shift registers (LFSRs), and I recally hearing a
     couple of years ago that someone proved 1D CAs (and maybe
     all CAs?) are equivalent to LFSRs, which have been used in
     crypto for many years.
  - Wolfram's book is "Theory and Applications of Cellular
     Automata," 1986, World Scientific. Several papers on using
     CAs for random sequence generation. P. Bardell showed
     in1990 that CAs produce the outputs of LFSRs.) Wolfram also
     has a paper, "Cryptography with cellular automata," in
     Proc. CRYPTO 85.
  - Intuitively, the idea of a CA looks attractive for "one-way
     functions," for the reasons mentioned. But what's the
     "trapdoor" that gives the key holder a shortcut to reverse
     the process? (Public key crypto needs a trapdoor 1-way
     funtion that is easy to reverse if one has the right
     information).

18.7 - Viruses and Crypto
18.7.1. "What's the connection between Cypherpunks and viruses?"
  - Like, dewd, it's so kool.
  - Beavis 'n Butthead use PGP (actually, Eric Hughes proposed
     at one point that we suggest a crypto tie-in to the
     writers)
  - There's only peripheral connection.
  - Viruses can be spread with anonymous remailers, but digital
     signatures can be used to safeguard software. Signed
     software, no mods allowed.
18.7.2. "What about the "encryption viruses," like KOH?"
  - (A little far afield, but the issue does come up.)
  - Somebody asked about this on sci.crypt and Vesselin
     Bontchev said:  "This topic has been debated to death in
     alt.security.pgp, when somebody posted KOH, without even a
     warning that it is a virus.....Both viruses indeed use the
     IDEA cipher - the same that is used both by SecureDevice
     and SecureDrive. However, the viruses pose some significant
     threats to the integrity of your data, exactly because of
     their viral replication means.....Also, if you aquire it by
     viral means, you do not get the doumentation and one
     utility, both of which are essential for the proper usage
     of the product - thus proving one more time that its viral
     capabilities are unnecessary and harmful. Also, the virus
     does not come in source, which means that it could have
     some hidden backdoors or simply security flaws, and you
     have no way to check this or to fix them. At last, in some
     cases the virus could destroy valuable information during
     its replication process."
  - "In short - don't use them. You will gain nothing over
     using
     stand-alone encryption programs, and you'll expose your
     data's
     integrity to significant risks. Those viruses are
     completely useless
     and even harmful; they have been created with the only
     reason to
     condone the illicit activities of the virus writers, by
     claiming that
     computer viruses can be "useful"." [Vesselin Bontchev,
     sci.crypt, 1994-08-31]
18.7.3. "What about viruses? Are there any ties to crypto and
   Cypherpunks themes?"
  - No direct link that any of us see clearly. Occasionally a
     virus fan sees the "punks" name and thinks we're involved
     in writing viruses. (Actually, a few folks on the list have
     virus expertise.)
  - Crypto may protect against viruses, by having code signed.
     And the reliance on self-responsibility and self-protection
     is in contrast to the legal approach, which tends not to
     work too well for virus protection (by the covert nature of
     many viruses).
18.7.4. "What interests do Cypherpunks have in viruses?"
  - Not much, though the topic comes up periodically.
  - Some overlap in the communities involved.
  - And there are some virus methods which use forms of
     encryption.
  - Also, digital signatures on code can be used to ensure that
     code has not been modified since being released by the
     original author.

18.8 - Making Money in Crypto
18.8.1. "How can I make money in crypto?"
  - crypto experts are hired by software companies
  + start up companies
    - a tough road
    - not clear that even Phil Zimmermann has made money
    - and even RSADSI is facing a challenge (hasn't gone
       public, not a cash cow, etc.)
  - There may be an explosive growth--the phase change I often
     talk about--and many opportunities will emerge. But, having
     said this, I still don't see obvious opportunities right
     now. And starting a company based on hope and ideology,
     rather than supplying a real market or pushing real
     technology (market pull vs. technology push argument) seem
     misguided.

18.9 - The Net
18.9.1. Limitations of the current net
  - interoperability
  + subsidized, not pay as you go
    - makes spamming inevitable, doesn't allocate resources to
       those who want them the most
    - this will require digicash in a better form than most
       users now have access to
  - sysadmins get worried
  - encryption sometimes banned
  - common carrier status not clear
  - general cruftiness of Net ("imminent death of Usenet
     predicted")

18.10 - Duress Switches, Dead Man Switches
18.10.1. "What about "duress" codes for additional security?"
  - Where a harmless decrytion can be done, or an alarm sent.
  + Examples
    - sending alarm, like an under the counter alarm button
    - decrypting a bank card number for a lesser-value account
    - two sets of books (not strictly a "duress" code, unless
       you view the IRS as causing duress)
    - alarms to associates, as in cells
  - " Having a separate authentication mechanism that is used
     under duress is a very good idea that some existing systems
     already
     employ....  From a systems point of view, it is hard to
     figure out exactly how the system should respond when it
     recognizes a duress authentication....The safe inside the
     ATM machines used by BayBanks (Boston Mass) can be opened
     with two combinations.  One combination sends an alarm to
     the bank via a separate phone line (not the one used to
     perform the ATM transaction).  The alarm phone line is also
     connected to a conventional panic switch." [Bob Baldwin,
     Duress Passwords/PINs/Combinations, 1993-11-18]
18.10.2. Duress switches, dead man switches, etc.
  + "Digital flash paper," can be triggered to erase files,
     etc.
    - (BATF and DEA raiders may have sophisticated means of
       disabling computers)
  + Duress codes..."erase my files," ways of not giving esrowed
     information unless proper code is given, etc.
    + "Don't release if I am under indictment"
      - interesting issues about secret indictments, about
         publicity of such cases, access to court records by
         offshore computers, etc.
18.10.3. Personal security for disks, dead man switches
  + I have heard that some BBS operators install dead man
     switches near the doors to rooms containing their
     systems...entering the room without flipping the switch
     causes some action to be taken
    - erasing a disk, dumping a RAM disk (a dangerous way to
       store data, given power failures, soft errors, restarts,
       etc.)

18.11 - Can Encryption be Detected?
18.11.1. "Can messages be scanned and checked for encryption?"
  - If the encryption produces _markers_ or other indications,
     then of course. "BEGIN PGP" is a pretty clear beacon. (Such
     markers assists in decryption by the recipient, but are not
     essential. "Stealth" versions of PGP and other encryption
     programs--such as S-Tools for DOS--don't have such
     markers.)
  - If the encryption produces "random-looking" stuff, then
     entropy measures and other statistical tests may or may not
     be able detect such messages reliably. Depends on what non-
     encrypted messages look like, and how the algorithm  works.
  + Steganography:
    - making messages look like normal ones
    - tucking th ebits in with other random-like bits, such as
       in the low-order bits of images or sound files
  - The practical concern depends on one's local political
     environment. In many countries, mere suspicion of using
     crypto could put one in real danger.

18.12 - Personal Digital Assistants, Newtons, etc.
18.12.1. "Are there cryptographic uses for things like Newtons?"
  - Probably. Eventually. Digital wallets, portable key
     holders, local agents for access, etc.
  + Meanwhile, a few encryption programs exist. Here's one:
    - -> nCrypt, the strong cryptography application for
       Newton:
       -> ftp.sumex-aim.stanford.edu/info-mac/nwt/utils/n-crypt-
       lite.hqx

18.13 - Physical Security
18.13.1. "Can fiber optical cables be tapped?"
  + Yes. Light can escape from the fiber in bends, and "near-
     field" tapping is theoretically possible, at least under
     lab conditions. Active measures for puncturing cable
     shields and tapping fibers are also possible.
    - "The Fed's want a cost effective F/O tap. My company was
       approached to develop such a system, can be done but not
       cheap like copper wire tapping." [
       domonkos@access.digex.net (andy domonkos),
       comp.org.eff.talk, 1994-06-29]
  - Los Alamos technology? 1990?

18.14 - Attacking Governments
18.14.1. "termites" (rumors, psy-ops) that can undermine governments,
   followed by "torpedoes" (direct attack)
18.14.2. WASTE (War Against Strong, Tamper-resistant Encryption).

18.15 - Cypherpunks List Issues
18.15.1. too much noise on the list?
  - "Of all the lists I'm subscribed to, this is the only one
     that I read
     *every* article in.  Even the "noise" articles.  Humans
     being what
     they are, the noise is needed to help decide the direction
     of the
     group.  Besides, for those of us who are just starting on
     our journey
     through crypto-underworld need the noise to help
     familiarize
     ourselves with how crypto works.  I've learned more from
     the informal
     ramblings than I've gathered out of all the formal and/or
     mathematical
     postings to date." [Patrick E. Hykkonen, 5-25-93]

18.16 - Tamper-Resistant Modules
18.16.1. TRMs--claims that "Picbuster" processor can be locally
   overwritten with focussed or directed UV (OTP)
18.16.2. tamper-resistant modules have some downsides as well
  - cash registers for ensuring compliance with all relevant
     sales tax, value-added tax (VAT), and rationing rules; a
     tamper-resistant module cash register could be the
     enforcement mechanism for a national security state.
  - "observers"

18.17 - Deeper Connections
18.17.1. In several places I've referred to "deep connections" between
   things like crypto, money, game theory, evolutionary
   ecologies, human motivations, and the nature of law. By this
   I mean that there are deeper, unifying principles. Principles
   involving locality, identity, and disclosure of knowledge. A
   good example: the deep fairness of "cut-and-choose" protocols-
   -I've seen mention of this in game theory tesxts, but not
   much discussion of other, similar protocols.
18.17.2. For example, below the level of number theory and algorithms
   in cryptology lies a level dealing with "identity," "proof,"
   "collusion," and other such core concepts, concepts that can
   almost be dealt with independent of the acual algorithms
   (though the concrete realization of public key methods took
   this out of the abstract realm of philosophy and made it
   important to analyze). And these abstract concepts are linked
   to other fields, such as economics, human psychology, law,
   and evolutionary game theory (the study of evolved strategies
   in multi-agent systems, e.g., human beings interacting and
   trading with each other).
18.17.3. I believe there are important questions about why things work
   the way they do at this level. To be concrete, why do threats
   of physical coercion create market distortions and what
   effects does this have? Or, what is the nature of emergent
   behavior in reputation-based systems? (The combinatiion of
   crypto and economics is a fertile area, barely touched upon
   by the academic cryptology community.) Why is locality is
   important, and what does this mean for digital cash? Why does
   regulation often produce _more_ crime?
18.17.4. Crypto and the related ideas of reputation, identity, and
   webs of trust has introduced a new angle into economic
   matters. I suspect there are a couple of Nobel Prizes in
   Economics for those who integrate these important concepts.

18.18 - Loose End Loose Ends
18.18.1. What the core issues are...a tough thing to analyze
  - untraceablility as a basic construct has major implications
  + can often ask what the implications would be if, say:
    - invisibility existed
    - untraceability existed
  - By "tough to analyze" I mean that things are often
     coflated, mixed together. Is it the "reputations" that
     matter, or the "anonymity"? The "untraceability" or the
     "digital money"?
18.18.2. Price signalling in posts...for further information
  + When an article is posted, and there is more complete
     information available elsewhere by ftp, gopher, mosaic,
     etc., then how is this to to be signalled without actually
     advertising prominently?
    - why not a code, like the "Geek code" so many people put
       in their sigs? The code could be parsed by a reader and
       used to automatically fetch the information, pay for it,
       etc. (Agents that can be built in to newsreaders.)
18.18.3. "What should Cypherpunks support for "cable" or "set-top box"
   standards?
  - Caveats: My opinions, offered only to help frame the
     debate. And many of us reject the idea of government-
     mandated "standards," so my phrasing here is not meant to
     imply support of such standards.
  + Major alternatives:
    + Set-top box, with t.v. as core of access to "information
       superhighway."
      + Problems:
        - limited number of channels, even if "500 channels"
        - makes t.v. the focus, loses some other capabilities
        - few consumers will have television sets with the
           resolution capabilities that even current computer
           monitors have (there are reasons for this: size of
           monitors (related to viewing distance), NTSC
           constraints, age of televisions, etc.)
    + Switched-packet cable, as in ATM or even SONET
       (Synchronous Optical Network) access
      + Advantages:
        - Television is just one more switched-packet
           transmission, not using up the bandwidth
    + Radical Proposal: Complete deregulation
      + let cable suppliers--especially of optical fibers,
         which are small and unobtrusive--lay fibers to any home
         they can negotiate access to
        - e.g., by piggybacking on telephone lines, electrical
           cables, etc. (to remove the objection about unsightly
           new poles or cables being strung...should not be an
           issue with fiber optics)
      - let the market decide...let customers decide
  + In my view, government standards are a terrible idea here.
     Sure, NTSC was an effective standard, but it likely would
     have emerged without government involvement. Ditto for
     Ethernet and a zillion other standards. No need for
     government involvement.
    - Of course, when industry groups meet to discuss
       standards, one hopes that antitrust laws will not be
       invoked.
18.18.4. minor point: the importance of "But does it scale?" is often
   exaggerated
  - in many cases, it's much more important to simply get
     something deployed than it is to worry in advance about how
     it will break if too many people use it (e.g., MacDonald's
     worrying in 1955 about scalabilty of their business).
  - Remailer networks, for example, may not scale especially
     well in their current form...but who cares? Getting them
     used will allow further refinement.