2.1 copyright
   THE  CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
   1994-09-10, Copyright Timothy C. May. All rights reserved.
   See the detailed disclaimer. Use short sections under "fair
   use" provisions, with appropriate credit, but don't put your
   name on my words.

2.2 - SUMMARY: MFAQ--Most Frequently Asked Questions
 2.2.1. Main Points
  - These are the main questions that keep coming up. Not
     necessarily the most basic question, just the ones that get
     asked a lot. What most FAQs are.
 2.2.2. Connections to Other Sections
 2.2.3. Where to Find Additional Information
  - newcomers to crypto should buy Bruce Schneier's "Applied
     Cryptography"...it will save many hours worth of
     unnecessary questions and clueless remarks about
     cryptography.
  - the various FAQs publishe in the newsroups (like sci.crypt,
     alt.security.pgp) are very helpful. (also at rtfm.mit.edu)
 2.2.4. Miscellaneous Comments
  - I wasn't sure what to include here in the MFAQ--perhaps
     people can make suggestions of other things to include.
  - My advice is that if something interests you, use your
     editing/searching tools to find the same topic in the main
     section. Usually (but not always) there's more material in
     the main chapters than here in the MFAQ.

2.3 - "What's the 'Big Picture'?"
 2.3.1. Strong crypto is here. It is widely available.
 2.3.2. It implies many changes in the way the world works. Private
   channels between parties who have never met and who never
   will meet are possible. Totally anonymous, unlinkable,
   untraceable communications and exchanges are possible.
 2.3.3. Transactions can only be *voluntary*, since the parties are
   untraceable and unknown and can withdraw at any time. This
   has profound implications for the conventional approach of
   using the threat of force, directed against parties by
   governments or by others. In particular, threats of force
   will fail.
 2.3.4. What emerges from this is unclear, but I think it will be a
   form of anarcho-capitalist market system I call "crypto
   anarchy." (Voluntary communications only, with no third
   parties butting in.)

2.4 - Organizational
 2.4.1. "How do I get on--and off--the Cypherpunks list?"
  - Send a message to "cypherpunks-request@toad.com"
  - Any auto-processed commands?
  - don't send requests to the list as a whole....this will
     mark you as "clueless"
 2.4.2. "Why does the Cypherpunks list sometimes go down, or lose the
   subscription list?"
  - The host machine, toad.com, owned by John Gilmore, has had
     the usual problems such machines have: overloading,
     shortages of disk space, software upgrades, etc. Hugh
     Daniel has done an admirable job of keeping it in good
     shape, but problems do occur.
  - Think of it as warning that lists and communication systems
     remain somewhat fragile....a lesson for what is needed to
     make digital money more robust and trustable.
  - There is no paid staff, no hardware budget for
     improvements. The work done is strictly voluntarily.
 2.4.3. "If I've just joined the Cypherpunks list, what should I do?"
  - Read for a while. Things will become clearer, themes will
     emerge, and certain questions will be answered. This is
     good advice for any group or list, and is especially so for
     a list with 500 or more people on it. (We hit 700+ at one
     point, then a couple of list outages knocked the number
     down a bit.)
  - Read the references mentioned here, if you can. The
     sci.crypt FAQ should be read. And purchase Bruce Schneier's
     "Applied Cryptography" the first chance you get.
  - Join in on things that interest you, but don't make a fool
     of yourself. Reputations matter, and you may come to regret
     having come across as a tedious fool in your first weeks on
     the list. (If you're a tedious fool after the first few
     weeks, that may just be your nature, of course.)
  - Avoid ranting and raving on unrelated topics, such as
     abortion (pro or con), guns (pro or con), etc. The  usual
     topics that usually generate a lot of heat and not much
     light. (Yes, most of us have strong views on these and
     other topics, and, yes, we sometimes let our views creep
     into discussions. There's no denying that certain
     resonances exist. I'm just urging caution.)
 2.4.4. "I'm swamped by the list volume; what can I do?"
  - This is a natural reaction. Nobody can follow it all; I
     spend entirely too many hours a day reading the list, and I
     certainly can't follow it all. Pick areas of expertise and
     then follow them and ignore the rest. After all, not seeing
     things on the list can be no worse than not even being
     subscribed to the list!
  - Hit the "delete" key quickly
  - find someone who will digest it for you (Eric Hughes has
     repeatedly said anyone can retransmit the list this way;
     Hal Finney has offered an encrypted list)
  + Better mailers may help. Some people have used mail-to-news
     systems and then read the list as a local newsgroup, with
     threads.
    - I have Eudora, which supports off-line reading and
       sorting features, but I generally end up reading with an
       online mail program (elm).
  - The mailing list may someday be switched over to a
     newsgroup, a la "alt.cypherpunks." (This may affect some
     people whose sites do not carry alt groups.)
 2.4.5. "It's very easy to get lost in the morass of detail here. Are
   there any ways to track what's *really* important?"
  - First, a lot of the stuff posted in the Usenet newsgroups,
     and on the Cypherpunks list, is peripheral stuff,
     epiphenomenal cruft that will blow away in the first strong
     breeze. Grungy details about PGP shells, about RSA
     encryption speeds, about NSA supercomputers. There's just
     no reason for people to worry about "weak IDEA keys" when
     so many more pressing matters exist. (Let the experts
     worry.) Little of this makes any real difference, just as
     little of the stuff in daily newspapers is memorable or
     deserves to be memorable.
  - Second, "read the sources." Read "1984," "The Shockwave
     Rider," "Atlas Shrugged," "True Names." Read the Chaum
     article on making Big Brother obsolete (October 1985,
     "Communications of the ACM").
  - Third, don't lose sight of the core values: privacy,
     technological solutions over legal solutions, avoiding
     taxation, bypassing laws, etc. (Not everyone will agree
     with all of these points.)
  - Fourth, don't drown in the detail. Pick some areas of
     interest and follow _them_. You may not need to know the
     inner workings of DES or all the switches on PGP to make
     contributions in other areas. (In fact, you surely don't.)
 2.4.6. "Who are the Cypherpunks?"
  - A mix of about 500-700
  + Can find out who by sending message to majordomo@toad.com
     with the message body text "who cypherpunks" (no quotes, of
     course).
    - Is this a privacy flaw? Maybe.
  - Lots of students (they have the time, the Internet
     accounts). Lots of computer science/programming folks. Lots
     of libertarians.
  - quote from Wired article, and from "Whole Earth Review"
 2.4.7. "Who runs the Cypherpunks?"
  - Nobody. There's no formal "leadership." No ruler = no head
     = an arch = anarchy. (Look up the etymology of anarchy.)
  - However, the mailing list currently resides on a physical
     machine, and this machine creates some nexus of control,
     much like having a party at someon'e house. The list
     administrator is currently Eric Hughes (and has been since
     the beginning). He is helped by Hugh Daniel, who often does
     maintenance of the toad.com, and by John Gilmore, who owns
     the toad.com machine and account.
  - In an extreme situation of abuse or neverending ranting,
     these folks could kick someone off the list and block them
     from resubscribing via majordomo. (I presume they could--
     it's never happened.)
  - To emphasize: nobody's ever been kicked off the list, so
     far as I know. Not even Detweiler...he asked to be removed
     (when the list subscribes were done manually).
  - As to who sets policy, there is no policy! No charter, no
     agenda, no action items. Just what people want to work on
     themselves. Which is all that can be expected. (Some people
     get frustrated at this lack of consensus, and they
     sometimes start flaming and ranting about "Cypherpunks
     never do anything," but this lack of consensus is to be
     expected. Nobody's being paid, nobody's got hiring and
     firing authority, so any work that gets done has to be
     voluntary. Some volunteer groups are more organized than we
     are, but there are other factors that make this more
     possible for them than it is for us. C'est la vie.)
  - Those who get heard on the mailing list, or in the physical
     meetings, are those who write articles that people find
     interesting or who say things of note. Sounds fair to me.
 2.4.8. "Why don't the issues that interest me get discussed?"
  - Maybe they already have been--several times. Many newcomers
     are often chagrined to find arcane topics being discussed,
     with little discussion of "the basics."
  - This is hardly surprising....people get over the "basics"
     after a few months and want to move on to more exciting (to
     them) topics. All lists are like this.
  - In any case, after you've read the list for a while--maybe
     several weeks--go ahead and ask away. Making your topic
     fresher may generate more responses than, say, asking
     what's wrong with Clipper. (A truly overworked topic,
     naturally.)
 2.4.9. "How did the Cypherpunks group get started?"
2.4.10. "Where did the name 'Cypherpunks' come from?"
  + Jude Milhon, aka St. Jude, then an editor at "Mondo 2000,"
     was at the earliest meetings...she quipped "You guys are
     just a bunch of cypherpunks." The name was adopted
     immediately.
    - The 'cyberpunk' genre of science fiction often deals with
       issues of cyberspace and computer security ("ice"), so
       the link is natural.  A point of confusion is that
       cyberpunks are popularly thought of as, well, as "punks,"
       while many Cyberpunks are frequently libertarians and
       anarchists of various stripes. In my view, the two are
       not in conflict.
    - Some, however, would prefer a more staid name. The U.K.
       branch calls itself the "U.K. Crypto Privacy
       Association."  However, the advantages of the
       name are clear. For one thing, many people are bored by
       staid names. For another, it gets us noticed by
       journalists and others.
    -
  - We are actually not very "punkish" at all. About as punkish
     as most of our cyberpunk cousins are, which is to say, not
     very.
  + the name
    - Crypto Cabal (this before the sci.crypt FAQ folks
       appeared, I think), Crypto Liberation Front, other names
    - not everybody likes the name...such is life
2.4.11. "Why doesn't the Cypherpunks group have announced goals,
   ideologies, and plans?"
  - The short answer: we're just a mailing list, a loose
     association of folks interested in similar things
  - no budget, no voting, no leadership (except the "leadership
     of the soapbox")
  - How could such a consensus emerge? The usual approach is
     for an elected group (or a group that seized power) to
     write the charter and goals, to push their agenda. Such is
     not the case here.
  - Is this FAQ a de facto statement of goals? Not if I can
     help it, to be honest. Several people before me planned
     some sort of FAQ, and had they completed them, I certainly
     would not have felt they were speaking for me or for the
     group. To be consistent, then, I cannot have others think
     this way about _this_ FAQ!
2.4.12. "What have the Cypherpunks actually done?"
  - spread of crypto: Cypherpunks have helped
     (PGP)...publicity, an alternative forum to sci.crypt (in
     many ways, better...better S/N ratio, more polite)
  - Wired, Whole Earth Review, NY Times, articles
  - remailers, encrypted remailers
  + The Cypherpunk- and Julf/Kleinpaste-style remailers were
     both written very quickly, in just days
    - Eric Hughes wrote the first Cypherpunks remailer in a
       weekend, and he spent the first day of that weekend
       learning enough Perl to do the job.
    + Karl Kleinpaste wrote the code that eventually turned
       into Julf's remailer (added to since, of course) in a
       similarly short time:
      - "My original anon server, for godiva.nectar.cs.cmu.edu
         2 years ago, was written in a few hours one bored
         afternoon.  It
         wasn't as featureful as it ended up being, but it was
         "complete" for
         its initial goals, and bug-free."
         [Karl_Kleinpaste@cs.cmu.edu, alt.privacy.anon-server,
         1994-09-01]
    - That other interesting ideas, such as digital cash, have
       not yet really emerged and gained use even after years of
       active discussion, is an interesting contrast to this
       rapid deployment of remailers. (The text-based nature of
       both straight encryption/signing and of remailing is
       semantically simpler to understand and then use than are
       things like digital cash, DC-nets, and other crypto
       protocols.)
  - ideas for Perl scripts, mail handlers
  - general discussion, with folks of several political
     persuasions
  - concepts: pools, Information Liberation Front, BlackNet
  -
2.4.13. "How Can I Learn About Crypto and Cypherpunks Info?"
2.4.14. "Why is there sometimes disdain for the enthusiasm and
   proposals of newcomers?"
  - None of us is perfect, so we sometimes are impatient with
     newcomers. Also, the comments seen tend to be issues of
     disagreement--as in all lists and newsgroups (agreement is
     so boring).
  - But many newcomers also have failed to do the basic reading
     that many of us did literally _years_ before joining this
     list. Cryptology is a fairly technical subject, and one can
     no more jump in and expect to be taken seriously without
     any preparation than in any other technical field.
  - Finally, many of us have answered the questions of
     newcomers too many times to be enthusiastic about it
     anymore. Familiarity breeds contempt.
  + Newcomers should try to be patient about our impatience.
     Sometimes recasting the question generates interest.
     Freshness matters. Often, making an incisive comment,
     instead of just asking a basic question, can generate
     responses. (Just like in real life.)
    - "Clipper sux!" won't generate much response.
2.4.15. "Should I join the  Cypherpunks mailing list?"
  - If you are reading this, of course, you are most likely on
     the Cypherpunks list already and this point is moot--you
     may instead be asking if you should_leave_  the List!
  - Only if you are prepared to handle 30-60 messages a day,
     with volumes fluctuating wildly
2.4.16. "Why isn't the Cypherpunks list encrypted? Don't you believe
   in encryption?"
  - what's the point, for a publically-subscribable list?
  - except to make people jump through hoops, to put a large
     burden on toad (unless everybody was given the same key, so
     that just one encryption could be done...which underscores
     the foolishness)
  + there have been proposals, mainly as a stick to force
     people to start using encryption...and to get the encrypted
     traffic boosted
    - involving delays for those who choose not or can't use
       crypto (students on terminals, foreigners in countries
       which have banned crypto, corporate subscribers....)
2.4.17. "What does "Cypherpunks write code' mean?"
  - a clarifying statement, not an imperative
  - technology and concrete solutions over bickering and
     chatter
  - if you don't write code, fine. Not everyone does (in fact,
     probably less than 10% of the list writes serious code, and
     less than 5% writes crypto or security software
2.4.18. "What does 'Big Brother Inside' Mean?"
  - devised by yours truly (tcmay) at Clipper meeting
  - Matt Thomlinson, Postscript
  - printed by ....
2.4.19. "I Have a New Idea for a Cipher---Should I Discuss it Here?"
  - Please don't. Ciphers require careful analysis, and should
     be in paper form (that is, presented in a detailed paper,
     with the necessary references to show that due diligence
     was done, the equations, tables, etc. The Net is a poor
     substitute.
  - Also, breaking a randomly presented cipher is by no means
     trivial, even if the cipher is eventually shown to be weak.
     Most people don't have the inclination to try to break a
     cipher unless there's some incentive, such as fame or money
     involved.
  - And new ciphers are notoriously hard to design. Experts are
     the best folks to do this. With all the stuff waiting to be
     done (described here), working on a new cipher is probably
     the least effective thing an amateur can do. (If you are
     not an amateur, and have broken other people's ciphers
     before, then you know who you are, and these comments don't
     apply. But I'll guess that fewer than a handful of folks on
     this list have the necessary background to do cipher
     design.)
  - There are a vast number of ciphers and systems, nearly all
     of no lasting significance. Untested, undocumented, unused-
     -and probably unworthy of any real attention. Don't add to
     the noise.
2.4.20. Are all the Cypherpunks libertarians?
2.4.21. "What can we do?"
  - Deploy strong crypto, to ensure the genie cannot be put in
     the bottle
  - Educate, lobby, discuss
  - Spread doubt, scorn..help make government programs look
     foolish
  - Sabotage, undermine, monkeywrench
  - Pursue other activities
2.4.22. "Why is the list unmoderated? Why is there no filtering of
   disrupters like Detweiler?"
  - technology over law
  - each person makes their own choice
  - also, no time for moderation, and moderation is usually
     stultifying
  + anyone who wishes to have some views silenced, or some
     posters blocked, is advised to:
    - contract with someone to be their Personal Censor,
       passing on to them only approved material
    - subscribe to a filtering service, such as Ray and Harry
       are providing
2.4.23. "What Can I Do?"
  - politics, spreading the word
  - writing code ("Cypherpunks write code")
2.4.24. "Should I publicize my new crypto program?"
  - "I have designed a crypting program, that I think is
     unbreakable.  I challenge anyone who is interested to get
     in touch with me, and decrypt an encrypted massage."
     
      "With highest regards,
       Babak   Sehari." [Babak Sehari, sci.crypt, 6-19-94]
     
2.4.25. "Ask Emily Post Crypt"
  + my variation on "Ask Emily Postnews"
    - for those that don't know, a scathing critique of
       clueless postings
  + "I just invented a new cipher. Here's a sample. Bet you
     can't break it!"
    - By all means post your encrypted junk. We who have
       nothing better to do with our time than respond will be
       more than happy to spend hours running your stuff through
       our codebreaking Crays!
    - Be sure to include a sample of encrypted text, to make
       yourself appear even more clueless.
  + "I have a cypher I just invented...where should I post it?"
    + "One of the very most basic errors of making ciphers is
       simply to add
      - layer upon layer of obfuscation and make a cipher which
         is nice and
      - "complex".  Read Knuth on making random number
         generators for the
      - folly in this kind of approach.  " 
    + "Ciphers carry the presumption of guilt, not innocence.
       Ciphers
      - designed by amateurs invariably fail under scrutiny by
         experts.  This
      - sociological fact (well borne out) is where the
         presumption of
      - insecurity arises.  This is not ignorance, to assume
         that this will
      - change.  The burden of proof is on the claimer of
         security, not upon
      - the codebreaker.  
  + "I've just gotten very upset at something--should I vent my
     anger on the  mailing list?"
    - By all means! If you're fed up doing your taxes, or just
       read something in the newspaper that really angered you,
       definitely send an angry message out to the 700 or so
       readers and help make _them_ angry!
    - Find a bogus link to crypto or privacy issues to make it
       seem more relevant.
2.4.26. "What are some main Cypherpunks projects?"
  + remailers
    + better remailers, more advanced features
      - digital postage
      - padding, batching/latency
      - agent features
    - more of them
    - offshore (10 sites in 5 countries, as a minimum)
  - tools, services
  - digital cash in better forms
  -
2.4.27. "What about sublists, to reduce the volume on the main list."
  - There are already half a dozen sub-lists, devoted to
     planning meetings, to building hardware, and to exploring
     DC-Nets. There's one for remailer operators, or there used
     to be. There are also lists devoted to similar topics as
     Cypherpunks, including Robin Hanson's "AltInst" list
     (Alternative Institutions), Nick Szabo's "libtech-l" list,
     the "IMP-Interest" (Internet Mercantile Protocols) list,
     and so on. Most are very low volume.
  + That few folks have heard of any of them, and that traffic
     volumes are extremely low, or zero, is not all that
     surprising, and matches experiences elsewhere. Several
     reasons:
    - Sublists are a bother to remember; most people forget
       they exist, and don't think to post to them. (This
       "forgetting" is one of the most interesting aspects of
       cyberspace; successful lists seem to be Schelling points
       that accrete even more members, while unsuccessful lists
       fade away into nothingness.)
    - There's a natural desire to see one's words in the larger
       of two forums, so people tend to post to the main list.
    - The sublists were sometimes formed in a burst of
       exuberance over some topic, which then faded.
    - Topics often span several subinterest areas, so posting
       to the main list is better than copying all the relevant
       sublists.
  - In any case, the Cypherpunks main list  is "it," for now,
     and has driven other lists effectively out of business. A
     kind of Gresham's Law.

2.5 - Crypto
 2.5.1. "Why is crypto so important?"
  + The three elements that are central to our modern view of
     liberty and privacy (a la Diffie)
    - protecting things against theft
    - proving who we say we are
    - expecting privacy in our conversations and writings
  - Although there is no explicit "right of privacy" enumerated
     in the U.S. Constitution, the assumption that an individual
     is to be secure in his papers, home, etc., absent a valid
     warrant, is central. (There has never been a ruling or law
     that persons have to speak in a language that is
     understandable by eavesdroppers, wiretappers, etc., nor has
     there ever been a rule banning private use of encrption. I
     mention this to remind readers of the long history of
     crypto freedom.)
  -  "Information, technology and control of both _is_ power.
     *Anonymous* telecommunications has the potential to be the
     greatest equalizer in history.  Bringing this power to as
     many as possible will forever change the discourse of power
     in this country (and the world)." [Matthew J Miszewski, ACT
     NOW!, 1993-03-06]
 2.5.2. "Who uses cryptography?"
  - Everybody, in one form or another. We see crypto all around
     us...the keys in our pockets, the signatures on our
     driver's licenses and other cards, the photo IDs, the
     credit cards. Lock combinations, door keys, PIN numbers,
     etc. All are part of crypto (although most might call this
     "security" and not a very mathematical thing, as
     cryptography is usually thought to be).
  - Whitticism: "those who regularly
     conspire to participate in the political process are
     already encrypting." [Whit Diffie]
 2.5.3. "Who needs crypto? What have they got to hide?"
  + honest people need crypto because there are dishonest
     people
    - and there may be other needs for privacy
  - There are many reasons why people need privacy, the ability
     to keep some things secret. Financial, personal,
     psychological, social, and many other reasons.
  - Privacy in their papers, in their diaries, in their pesonal
     lives. In their financial choices, their investments, etc.
     (The IRS and tax authorities in other countries claim to
     have a right to see private records, and so far the courts
     have backed them up. I disagree.)
  - people encrypt for the same reason they close and lock
     their doors
  - Privacy in its most basic forms
 2.5.4. "I'm new to crypto--where should I start?"
  - books...Schneier
  - soda
  - sci.crypt
  - talk.politics.crypto
  - FAQs other than this one
 2.5.5. "Do I need to study cryptography and number theory to make a
   contribution?"
  - Absolutely not! Most cryptographers and mathematicians are
     so busy doing their thing that they little time or interest
     for political and entrepreneurial activities.
     Specialization is for insects and researchers, as someone's
     .sig says.
  - Many areas are ripe for contribution. Modularization of
     functions means  people can concentrate in other areas,
     just as writers don't have to learn how to set type, or cut
     quill pens, or mix inks.
  - Nonspecialists should treat most established ciphers as
     "black boxes" that work as advertised. (I'm not saying they
     do, just that analysis of them is best left to experts...a
     little skepticism may not hurt, though).
 2.5.6. "How does public key cryptography work, simply put?"
  - Plenty of articles and textbooks describe this, in ever-
     increasing detail (they start out with the basics, then get
     to the juicy stuff).
  + I did find a simple explanation, with "toy numbers," from
     Matthew Ghio:
    - "You pick two prime numbers; for example 5 and 7.
       Multiply them together, equals 35.  Now you calculate the
       product of one less than each number, plus one.  (5-1)(7-
       1)+1=21.  There is a mathematical relationship that says
       that x = x^21 mod 35 for any x from 0 to 34.  Now you
       factor 21, yeilds 3 and 7.
       
       "You pick one of those numbers to be your private key and
       the other one is your public key.  So you have:
       Public key: 3
       Private key: 7
       
       "Someone encrypts a message for you by taking plaintext
       message m to make ciphertext message c:  c=m^3 mod 35
       
       "You decrypt c and find m using your private key: m=c^7
       mod 35
       
       "If the numbers are several hundred digits long (as in
       PGP), it is nearly impossible to guess the secret key."
       [Matthew Ghio, alt.anonymous, 1994-09-03]
    - (There's a math error here...exercise left for the
       student.)
 2.5.7. "I'm a newcomer to this stuff...how should I get started?"
  - Start by reading some of the material cited. Don't worry
     too much about understanding it all.
  - Follow the list.
  - Find an area that interests you and concentrate on that.
     There is no reason why privacy advocates need to understand
     Diffie-Hellman key exchange in detail!
  + More Information
    + Books
      - Schneier
      - Brassard
    + Journals, etc
      - Proceedings
      - Journal of Cryptology
      - Cryptologia
    - Newsgroups
    - ftp sites
 2.5.8. "Who are Alice and Bob?"
 2.5.9. "What is security through obscurity"?
  - adding layers of confusion, indirection
  - rarely is strong in a an infromation-theoretic or
     cryptographic sense
  - and may have "shortcuts" (like a knot that looks complex
     but which falls open if approached the right way)
  - encryption algorithms often hidden, sites hidden
  - Make no mistake about it, these approaches are often used.
     And they can add a little to the overall security (using
     file encyption programs like FolderBolt on top of PGP is an
     example)...
2.5.10. "Has DES been broken? And what about RSA?"
  - DES: Brute-force search of the keyspace in chosen-plaintext
     attacks is feeasible in around 2^47 keys, according to
     Biham and Shamir. This is about 2^9 times easier than the
     "raw" keyspace. Michael Wiener has estimated that a macine
     of special chips could crack DES this way for a few
     thousand dollars per key. The NSA may have such machines.
  - In any case, DES was not expected to last this long by many
     (and, in fact, the NSA and NIST proposed a phaseout some
     years back, the "CCEP" (Commercial COMSEC Endorsement
     Program), but it never caught on and seems forgotten today.
     Clipper and EES seem to have grabbed the spotlight.
  - IDEA, from Europe, is supposed to be much better.
  - As for RSA, this is unlikely. Factoring is not yet proven
     to be NP-co
2.5.11. "Can the NSA Break Foo?"
  - DES, RSA, IDEA, etc.
  - Can the government break our ciphers?
2.5.12. "Can brute-force methods break crypto systems?"
  - depends on the system, the keyspace, the ancillary
     information avialable, etc.
  - processing power generally has been doubling every 12-18
     months (Moore's Law), so....
  - Skipjack is 80 bits, which is probably safe from brute
     force attack for 2^24 = 1.68e7 times as long as DES is.
     With Wiener's estimate of 3.5 hours to break DES, this
     implies 6700 years using today's hardware. Assuming an
     optimistic doubling of hardware power per year (for the
     same cost), it will take 24 years before the hardware costs
     of a brute force attack on Skipjack come down to what it
     now costs to attack DES. Assuming no other weaknesses in
     Skipjack.
  - And note that intelligence agencies are able to spend much
     more than what Wiener calculated (recall Norm Hardy's
     description of Harvest)
2.5.13. "Did the NSA know about public key ideas before Diffie and
   Hellman?"
  + much debate, and some sly and possibly misleading innuendo
    - Simmons claimed he learned of PK in Gardner's column, and
       he certainly should've been in a position to know
       (weapons, Sandia)
    -
  + Inman has claimed that NSA had a P-K concept in 1966
    - fits with Dominik's point about sealed cryptosystem boxes
       with no way to load new keys
    - and consistent with NSA having essentially sole access to
       nation's top mathematicians (until Diffies and Hellmans
       foreswore government funding, as a result of the anti-
       Pentagon feelings of the 70s)
2.5.14. "Did the NSA know about public-key approaches before Diffie
   and Hellman?"
  - comes up a lot, with some in the NSA trying to slyly
     suggest that _of course_ they knew about it...
  - Simmons, etc.
  - Bellovin comments (are good)
2.5.15. "Can NSA crack RSA?"
  - Probably not.
  - Certainly not by "searching the keyspace," an idea that
     pops up every few months . It can't be done. 1024-bit keys
     implies roughly 512-bit primes, or 153-decimal digit
     primes. There are more than 10^150 of them! And only about
     10^73 particles in the entire universe.
  - Has the factoring problem been solved? Probably not. And it
     probably won't be, in the sense that factoring is probably
     in NP (though this has not been proved) and P is probably
     not NP (also unproved, but very strongly suspected). While
     there will be advances in factoring, it is extremely
     unlikely (in the religious sense) that factoring a 300-
     digit number will suddenly become "easy."
  - Does the RSA leak information so as to make it easier to
     crack than it is to factor the modulus? Suspected by some,
     but basically unknown. I would bet against it. But more
     iffy than the point above.
  + "How strong is strong crypto?"
    - Basically, stronger than any of the hokey "codes" so
       beloved of thriller writers and movie producers. Modern
       ciphers are not crackable by "telling the computer to run
       through all the combinations" (more precisely, the number
       of combinations greatly exceeds the number of atoms in
       the universe).
2.5.16. "Won't more powerful computers make ciphers breakable?"
  + The effects of increasing computer power confer even
     *greater* advantage to the cipher user than to the cipher
     breaker. (Longer key lengths in RSA, for example, require
     polynomially more time to use, but exponentially more time
     to break, roughly speaking.) Stunningly, it is likely that
     we are close to being able to use key lengths which cannot
     be broken with all the computer power that will ever exist
     in the universe.
    + Analogous to impenetrable force fields protecting the
       data, with more energy required to "punch through" than
       exists in the universe
      - Vernor Vinge's "bobbles," in "The Peace War."
    - Here I am assuming that no short cuts to factoring
       exist...this is unproven, but suspected. (No major
       shortcuts, i.e., factoring is not "easy.")
    + A modulus of thousands of decimal digits may require more
       total "energy" to factor, using foreseeable approaches,
       than is available
      - reversible computation may help, but I suspect not much
      - Shor's quantum-mechanical approach is completely
         untested...and may not scale well (e.g., it may be
         marginally possible to get the measurement precision to
         use this method for, say, 100-digit numbers, but
         utterly impossible to get it for 120-digit numbers, let
         alone 1000-digit numbers)
2.5.17. "Will strong crypto help racists?"
  - Yes, this is a consequence of having secure virtual
     communities.  Free speech tends to work that way!
  - The Aryan Nation can use crypto to collect and disseminate
     information, even into "controlled" nations like Germany
     that ban groups like Aryan Nation.
  - Of course, "on the Internet no one knows you're a dog," so
     overt racism based on superficial external characteristics
     is correspondingly harder to pull off.
  - But strong crypto will enable and empower groups who have
     different beliefs than the local majority, and will allow
     them to bypass regional laws.
2.5.18. Working on new ciphers--why it's not a Cypherpunks  priority
   (as I see it)
  - It's an issue of allocation of resources. ("All crypto is
     economics." E. Hughes) Much work has gone into cipher
     design, and the world seems to have several stable, robust
     ciphers to choose from. Any additional work by crypto
     amateurs--which most of us are, relative to professional
     mathematicians and cipher designers--is unlikely to move
     things forward significantly. Yes, it could happen...but
     it's not likely.
  + Whereas there are areas where professional cryptologists
     have done very little:
    - PGP (note that PRZ did *not* take time out to try to
       invent his own ciphers, at least not for Version
       2.0)...he concentrated on where his efforts would have
       the best payoff
    - implementation of remailers
    - issues involving shells and other tools for crypto use
    - digital cash
    - related issues, such as reputations, language design,
       game theory, etc.
  - These are the areas of "low-hanging fruit," the areas where
     the greatest bang for the buck lies, to mix some metaphors
     (grapeshot?).
2.5.19. "Are there any unbreakable ciphers?"
  - One time pads are of course information-theoretically
     secure, i.e., unbreakable by computer power.
  + For conventional ciphers, including public key ciphers,
     some ciphers may not be breakable in _our_ universe, in any
     amount of time. The logic goes as follows:
    - Our universe presumably has some finite number of
       particles (currently estimated to be 10^73 particles).
       This leads to the "even if every particle were a Cray Y-
       MP it would take..." sorts of thought experiments.
       
       But I am considering _energy_ here. Ignoring reversible
       computation for the moment, computations dissipate energy
       (some disagree with this point). There is some uppper
       limit on how many basic computations could ever be done
       with the amount of free energy in the universe. (A rough
       calculation could be done by calculating the energy
       output of stars, stuff falling into black holes, etc.,
       and then assuming about kT per logical operation. This
       should be accurate to within a few orders of magnitude.)
       I haven't done this calculation, and won't here, but the
       result would likely be something along the lines of X
       joules of energy that could be harnessed for computation,
       resulting in Y basic primitive computational steps.
       
       I can then find a modulus of 3000 digits or 5000 digits,
       or whatever, that takes *more* than this number of steps
       to factor. Therefore, unbreakable in our universe.
  - Caveats:
     
     1. Maybe there are really shortcuts to factoring. Certainly
     improvements in factoring methods will continue. (But of
     course these improvements are not things that convert
     factoring into a less than exponential-in-length
     problem...that is, factoring appears to remain "hard.")
     
     2. Maybe reversible computations (a la Landauer, Bennett,
     et. al.) actually work. Maybe this means a "factoring
     machine" can be built which takes a fixed, or very slowly
     growing, amount of energy. In this case, "forever" means
     Lefty is probably right.
     
     3. Maybe the quantum-mechanical idea of Peter Shor is
     possible. (I doubt it, for various reasons.)
     
2.5.20. "How safe is RSA?" "How safe is PGP?" "I heard that PGP has
   bugs?"
  - This cloud of questions is surely the most common sort that
     appears in sci.crypt. It sometimes gets no answers,
     sometimes gets a rude answer, and only occasionally does it
     lead to a fruiful discussion.
  - The simple anwer: These ciphers appear to be safe, to have
     no obvious flaws.
  - More details can be found in various question elsewhere in
     this FAQ and in the various FAQs and references others have
     published.
2.5.21. "How long does encryption have to be good for?"
  - This obviously depends on what you're encrypting. Some
     things need only be safe for short periods of time, e.g., a
     few years or even less. Other things may come back to haunt
     you--or get you thrown in prison--many years later. I can
     imagine secrets that have to be kept for many decades, even
     centuries (for example, one may fear one's descendents will
     pay the price for a secret revealed).
  - It is useful to think _now_ about the computer power likely
     to be available in the year 2050, when many of you reading
     this will still be around. (I'm _not_ arguing that
     parallelism, etc., will cause RSA to fall, only that some
     key lengths (e.g., 512-bit) may fall by then. Better be
     safe and use 1024 bits or even more. Increased computer
     power makes longer keys feasible, too.).

2.6 - PGP
 2.6.1. There's a truly vast amount of information out there on PGP,
   from current versions, to sites, to keyserver issues, and so
   on. There are also several good FAQs on PGP, on MacPGP, and
   probably on nearly every major version of PGP. I don't expect
   to compete here with these more specialized FAQs.
  - I'm also not a PGP expert, using it only for sending and
     receiving mail, and rarely doing much more with it.
  - The various tools, for all major platforms, are a specialty
     unto themselves.
 2.6.2. "Where do I get PGP?"
 2.6.3. "Where can I find PGP?"
  - Wait around for several days and a post will come by which
     gives some pointers.
  - Here are some sites current at this writing: (watch out for
     changes)
 2.6.4. "Is PGP secure? I heard someone had...."
  - periodic reports, urban legend, that PGP has been
     compromised, that Phil Z. has been "persuaded" to....
  + implausible for several reasons
    - Phil Z no longer controls the source code by himself
    - the source code is available and can be inspected...would
       be very difficult to slip in major back doors that would
       not be apparent in the source code
    - Phil has denied this, and the rumors appear to come from
       idle speculation
  + But can PGP be broken?
    - has not been tested independently in a thorough,
       cryptanalytic way, yet (opinion of tcmay)
    - NSA isn't saying
    + Areas for attack
      + IDEA
        - some are saying doubling of the number of rounds
           should be donee
      - the random number generators...Colin Plumb's admission
 2.6.5. "Should I use PGP and other crypto on my company's
   workstations?"
  - machines owned by corporations and universities, usually on
     networks, are generally not secure (that is, they may be
     compromised in various ways)
  - ironically, most of the folks who sign all their messages,
     who use a lot of encryption, are on just such machines
  - PCs and Macs and other nonnetworked machines are more
     secure, but are harder to use PGP on (as of 1994)
  - these are generalizations--there are insecure PCs and
     secure workstations
 2.6.6. "I just got PGP--should I use it for all my mail?"
  - No! Many people cannot easily use PGP, so if you wish to
     communicate with them, don't encrypt everything. Use
     encryption where it matters.
  - If you just want more people to use encryption, help with
     the projects to better integrate crypto into existing
     mailers.
 2.6.7. NSA is apparently worried about PGP, worried about the spread
   of PGP to other countries, and worried about the growth of
   "internal communities" that communicate via "black pipes" or
   "encrypted tunnels" that are impenetrable to them.

2.7 - Clipper
 2.7.1. "How can the government do this?"
  - incredulity that bans, censorship, etc. are legal
  + several ways these things happen
    - not tested in the courts
    - wartime regulations
    + conflicting interpretations
      - e.g., "general welfare" clause used to justify
         restrictions on speech, freedom of association, etc.
      + whenever public money or facilities used (as with
         churches forced to hire Satanists)
        - and in this increasingly interconnnected world, it is
           sometimes very hard to avoid overlap with  public
           funding, facilities, etc.
 2.7.2. "Why don't Cypherpunks develop their won competing encryption
   chip?"
  + Many reasons not to:
    - cost
    - focus
    - expertise
    - hard to sell such a competing standard
  - better to let market as a whole make these choices
 2.7.3. "Why is crypto so frightening to governments?"
  + It takes away the state's power to snoop, to wiretap, to
     eavesdrop, to control
    - Priestly confessionals were a major way the Church kept
       tabs on the locals...a worldwide, grassroots system of
       ecclesiastical narcs
  + Crypto has high leverage
    + Unlike direct assaults with bombs, HERF and EMP attacks,
       sabotage, etc, crypto is self-spreading...a bootstrap
       technology
      - people use it, give it to others, put it on networks
      - others use it for their own purposes
      - a cascade effect, growing geometrically
      - and undermining confidence in governments, allowing the
         spread of multiple points of view (especially
         unapproved views)
 2.7.4. "I've just joined the list and am wondering why I don't see
   more debate about Clipper?"
  - Understand that people rarely write essays in response to
     questions like "Why is Clipper bad?" For most of us,
     mandatory key escrow is axiomatically bad; no debate is
     needed.
  - Clipper was thoroughly trashed by nearly everyone within
     hours and days of its announcement, April 16, 1993.
     Hundreds of articles and editorials have condemned it.
     Cyperpunks currently has no active supporters of mandatory
     key escrow, from all indications, so there is nothing to
     debate.

2.8 - Other Ciphers and Crypto Products

2.9 - Remailers and Anonymity
 2.9.1. "What are remailers?"
 2.9.2. "How do remailers work?" (a vast number of postings have
   dealt with this)
  - The best way to understand them is to "just do it," that
     is, send a few remailed message to yourself, to see how the
     syntax works. Instructions are widely available--some are
     cited here, and up to date instructions will appear in the
     usual Usenet groups.
  - The simple view: Text messages are placed in envelopes and
     sent to a site that has agreed to remail them based on the
     instructions it finds. Encryption is not necessary--though
     it is of course recommended. These "messages in bottles"
     are passed from site to site and ultimately to the intended
     final recipient.
  - The message is pure text, with instructions contained _in
     the text_ itself (this was a fortuitous choice of standard
     by Eric Hughes, in 1992, as it allowed chaining,
     independence from particular mail systems, etc.).
  - A message will be something like this:
     
     ::
     Request-Remailing-To: remailer@bar.baz
     
     Body of text, etc., etc. (Which could be more remailing
     instructions, digital postage, etc.)
     
     
  - These nested messages make no assumptions about the type of
     mailer being used, so long as it can handle straight ASCII
     text, which all mailers can of course. Each mail message
     then acts as a kind of "agent," carrying instructions on
     where it should be mailed next, and perhaps other things
     (like delays, padding, postage, etc.)
  - It's very important to note that any given remailer cannot
     see the contents of the envelopes he is remailing, provided
     encryption is used. (The orginal sender picks a desired
     trajectory through the labyrinth of remailers, encrypts in
     the appropriate sequence (last is innermost, then next to
     last, etc.), and then the remailers sequentially decrypt
     the outer envelopes as they get them.  Envelopes within
     envelopes.)
 2.9.3. "Can't remailers be used to harass people?"
  - Sure, so can free speech, anonymous physical mail ("poison
     pen letters"), etc.
  - With e-mail, people can screen their mail, use filters,
     ignore words they don't like, etc. Lots of options. "Sticks
     and stones" and all that stuff we learned in Kindergarten
     (well, I'm never sure what the the Gen Xers learned....).
  - Extortion is made somewhat easier by anonymous mailers, but
     extortion threats can be made in other ways, such as via
     physical mail, or from payphones, etc.
  - Physical actions, threats, etc. are another matter. Not the
     domain of crypto, per se.

2.10 - Surveillance and Privacy
2.10.1. "Does the NSA monitor this list?"
  - Probably. We've been visible enough, and there are many
     avenues for monitoring or even subscribing to the List.
     Many aliases, many points of presence.
  - some concerns that Cypherpunks list has been infiltrated
     and is a "round up list"
  - There have even been anonymous messages purporting to name
     likely CIA, DIA, and NSA spooks. ("Be aware.")
  - Remember, the list of subscribers is _not_ a secret--it can
     be gotten by sending a "who cypherpunks" message to
     majordomo@toad.com. Anyone in the world can do this.
2.10.2. "Is this list illegal?"
  - Depends on the country. In the U.S., there are very strong
     protections against "prior restraint" for published
     material, so the list is fairly well -protected....shutting
     it down would create a First Amendment case of major
     importance. Which is unlikely. Conspiracy and sedition laws
     are more complex to analyze; there are no indications that
     material here or on the list is illegal.
  - Advocacy of illegal acts (subversion of export laws,
     espionage, etc.) is generally legal. Even advocating the
     overthrow of the government.
  - The situation in other countries is different. Some
     countries ban unapproved encryption, so this list is
     suspect.
  - Practically speaking, anyone reading this list is probably
     in a place which either makes no attempt to control
     encryption or is unable to monitor what crosses its
     borders.
2.10.3. "Can keystrokes really be monitored remotely? How likely is
   this?"
  - Yes. Van Eck, RF, monitors, easy (it is claimed) to build
     this
  - How likely? Depends on who you are. Ames, the KGB spy, was
     probably monitored near the end, but I doubt many of us
     are. The costs are simply too high...the vans outside, the
     personnel needed, etc.
  - the real hazards involve making it "easy" and "almost
     automatic" for such monitoring, such as with Clipper and
     EES. Then they essentially just flip a switch and the
     monitoring happens...no muss, no fuss.
2.10.4. "Wouldn't some crimes be stopped if the government could
   monitor what it wanted to?"
  - Sure. This is an old story. Some criminals would be caught
     if their diaries could be examined. Television cameras in
     all homes would reduce crimes of .... (Are you listening,
     Winston?).
  - Orwell, fascism, surveillance states, what have you got to
     hide, etc.

 
2.11 - Legal
2.11.1. "Can encryption be banned?"
  - ham operators, shortwave
  - il gelepal, looi to waptime aolditolq
  + how is this any different from requiring speech in some
     language?
    - Navaho code talkers of WW2,,,,modern parallel
2.11.2. "Will the government try to ban encryption?"
  - This is of course the major concern most of us have about
     Clipper and the Escrowed Encryption Standard in general.
     Even if we think the banning of crypto will ultimately be a
     failure ("worse than Prohibition," someone has said), such
     a ban could make things very uncomfortable for many and
     would be a serious abridgement of basic liberties.
  - We don't know, but we fear something along these lines. It
     will be difficult to enforce such a ban, as so many avenues
     for communication exist, and encrypted messages may be hard
     to detect.
  - Their goal, however, may be _control_ and the chilling
     effect that using "civil forfeiture" may have on potential
     crypto users. Like the drug laws. (Whit Diffie was the
     first to emphasize this motivation.)
2.11.3. "How could encryption be banned?"
  - most likely way: restrictions on networks, a la airwaves or
     postal service
  - could cite various needs, but absent a mechanism as above,
     hard to do
  - an outright  ban, enforced with civil forfeiture penalties
  - wartime sorts of policies (crypto treated as sedition,
     treason...some high-profile prison sentences)
  - scenario posted by Sandfort?
2.11.4. "What's the situation about export of crypto?"
  + There's been much debate about this, with the case of Phil
     Zimmermann possibly being an important test case, should
     charges be filed.
    - as of 1994-09, the Grand Jury in San Jose has not said
       anything (it's been about 7-9 months since they started
       on this issue)
  - Dan Bernstein has argued that ITAR covers nearly all
     aspects of exporting crypto material, including codes,
     documentation, and even "knowledge." (Controversially, it
     may be in violation of ITAR for knowledgeable crypto people
     to even leave the country with the intention of developing
     crypto tools overseas.)
  - The various distributions of PGP that have occurred via
     anonymous ftp sources don't imply that ITAR is not being
     enforced, or won't be in the future.
2.11.5. "What's the legal status of digital signatures?"
  - Not yet tested in court. Ditto for most crypto protocols,
     including digital timestamping, electronic contracts,
     issues of lost keys, etc.
2.11.6. "Can't I just claim I forgot my password?"
2.11.7. "Is it dangerous to talk openly about these ideas?"
  - Depends on your country. In some countries, perhaps no. In
     the U.S., there's not much they can do (though folks should
     be aware that the Cypherpunks have received a lot of
     attention by the media and by policy makers, and so a vocal
     presence on this list very likely puts one on a list of
     crypto trouble makers).
  - Some companies may also feel views expressed here are not
     consistent with their corporate policies. Your mileage may
     vary.
  - Sedition and treason laws are not likely to be applicable.
  - some Cypherpunks think so
  - Others of us take the First Amendment pretty seriously:
     that _all_ talk is permissable
  - NSA agents threatened to have Jim Bidzos killed
2.11.8. "Does possession of a key mean possession of *identity*?"
  - If I get your key, am I you?
  - Certainly not outside the context of the cryptographic
     transaction. But within the context of a transaction, yes.
     Additional safeguards/speedbumps can be inserted (such as
     biometric credentials, additional passphrases, etc.), but
     these are essentially part of the "key," so the basic
     answer remains "yes." (There are periodically concerns
     raised about this, citing the dangers of having all
     identity tied to a single credential, or number, or key.
     Well, there are ways to handle this, such as by adopting
     protocols that limit one's exposure, that limits the amount
     of money that can be withdrawn, etc. Or people can adopt
     protocols that require additional security, time delays,
     countersigning, etc.)
  + This may be tested in court soon enough, but the answer for
     many contracts and crypto transactions will be that
     possession of key = possession of identity. Even a court
     test may mean little, for the types of transactions I
     expect to see.
    - That is, in anonymous systems, "who ya gonna sue?"
  - So, guard your key.

2.12 - Digital Cash
2.12.1. "What is digital money?"
2.12.2. "What are the main uses of strong crypto for business and
   economic transactions?"
  - Secure communications. Ensuring privacy of transaction
     records (avoiding eavesdroppes, competitors)
  - Digital signatures on contracts (will someday be standard)
  - Digital cash.
  - Reputations.
  - Data Havens. That bypass local laws about what can be
     stored and what can't (e.g., silly rules on how far back
     credit records can go).
2.12.3. "What are smart cards and how are they used?"
  + Most smart cards as they now exist are very far from being
     the anonymous digital cash of primary interest to us. In
     fact, most of them are just glorified credit cards.
    - with no gain to consumers, since consumes typically don't
       pay for losses by fraud
    - (so to entice consumes, will they offer inducements?)
  - Can be either small computers, typically credit-card-sized,
     or  just cards that control access via local computers.
  + Tamper-resistant modules, e.g., if tampered with, they
     destroy the important data or at the least give evidence of
     having been tampered with.
    + Security of manufacturing
      - some variant of  "cut-and-choose" inspection of
         premises
  + Uses of smart cards
    - conventional credit card uses
    - bill payment
    - postage
    - bridge and road tolls
    - payments for items received electronically (not
       necessarily anonymously)

2.13 - Crypto Anarchy
2.13.1. "What is Crypto Anarchy?"
  - Some of us believe various forms of strong cryptography
     will cause the power of the state to decline, perhaps even
     collapse fairly abruptly. We believe the expansion into
     cyberspace, with secure communications, digital money,
     anonymity and pseudonymity, and other crypto-mediated
     interactions, will profoundly change the nature of
     economies and social interactions.
     
     Governments will have a hard time collecting taxes,
     regulating the behavior of individuals and corporations
     (small ones at least), and generally coercing folks when it
     can't even tell what _continent_ folks are on!
     
     Read Vinge's "True Names" and Card's "Ender's Game" for
     some fictional inspirations. "Galt's Gulch" in cyberspace,
     what the Net is rapidly becoming already.
     
     I call this set of ideas "crypto anarchy" (or "crypto-
     anarchy," as you wish) and have written about this
     extensively. The magazines "Wired" (issue 1.2), "Whole
     Earth Review" (Summer, 1993), and "The Village Voice" (Aug.
     6th, 1993) have all carried good articles on this.
2.13.2. The Crypto Anarchist Manifesto
  - a complete copy of my 1988 pastiche of the Communisto
     Manifesto is included in the chapter on Crypto Anarchy.
  - it needs rewriting, but for historical sake I've left it
     unchanged.
  - I'm proud that so much of it remains accurate.
2.13.3. "What is BlackNet?"
  - BlackNet -- an experiment in information markets, using
     anonymous message pools for exchange of instructions and
     items. Tim May's experiment in guerilla ontology.
  - BlackNet -- an experimental scheme devised by T. May to
     underscore the nature of anonymous information markets.
     "Any and all" secrets can be offered for sale via anonymous
     mailers and message pools. The experiment was leaked via
     remailer to the Cypherpunks list (not by May) and thence to
     several dozen Usenet groups by Detweiler. The authorities
     are said to be investigating it.
2.13.4. "What effect will crypto have on governments?"
  - A huge topic, one I've been thinking about since late 1987
     when it dawned on me that public key crypto and anonymous
     digital cash systems, information markets, etc. meant the
     end of governments as we know them. (I called this
     development "crypto anarchy." Not everyone is a fan of it.
     But it's coming, and fast.)
  - "Putting the NSA out of business," as the NYT article put
     it
  - Espionage is changing. To pick one example, "digital dead
     drops." Any message can be sent through an untraceable path
     with remailers....and then posted in encrypted form in a
     newsgroup readable in most countries, including the Former
     Soviet Union. This means the old stand by of the microfilm
     in a Coke can left by a certain tree on a rural road--a
     method fraught with delays, dangers, and hassles--is now
     passe. The same message can be send from the comfort of
     one's home securely and untraceably. Even with a a digital
     signature to prevent spoofing and disinformation. This spy
     can be a Lockheed worker on the Aurora program, a SIGINT
     officer at Woomera, or a disgruntled chip designer at
     Motorola.  (Yes, a countermeasure is to limit access to
     personal computers, to run only standard software that has
     no such crypto capability. Such embargoes may already apply
     to some in sensitive positions, and may someday be a
     condition of employment.)
  - Money-laundering
  - Tax collection. International consultants. Perpetual
     tourists. Virtual corporations.
  - Terrorism, assassination, crime, Triads, Yakuza, Jamaicans,
     Russian Mafia...virtual networks... Aryan Nation gone
     digital
2.13.5. "How quickly could something like crypto anarchy come?"
  - Parts of it are happening already, though the changes in
     the world are not something I take any credit for. Rather,
     there are ongoing changes in the role of nations, of power,
     and of the ability to coerce behaviors. When people can
     drop out of systems they don't like, can move to different
     legal or tax jurisdictions, then things change.
  + But a phase change could occur quickly, just as the Berlin
     Wall was impregnable one day, and down the next.
    - "Public anger grows quietly and explodes suddenly. T.C.
       May's "phase change" may be closer than we think. Nobody
       in Russia in 1985 really thought the country would fall
       apart in 6 years." [Mike Ingle, 1994-01-01]
2.13.6. "Could strong crypto be used for sick and disgusting and
   dangerous purposes?"
  - Of course. So can locked doors, but we don't insist on an
     "open door policy" (outside of certain quaint sorority and
     rooming houses!) So do many forms of privacy allow
     plotters, molestors, racists, etc. to meet and plot.
  - Crypto is in use by the Aryan Nation, by both pro- and anti-
     abortion groups, and probably by other kinds of terrorists.
     Expect more uses in the future, as things like PGP continue
     to spread.
  - Many of us are explicity anti-democratic, and hope to use
     encryption to undermine the so-called democratic
     governments of the world
2.13.7. "What is the Dining Cryptographers Problem, and why is it so
   important?"
  + This is dealt with in the main section, but here's David
     Chaum's Abstract, from his 1988 paper"
    - Abstract: "Keeping confidential who sends which messages,
       in a world where any physical transmission can be traced
       to its origin, seems impossible. The solution presented
       here is unconditionally or cryptographically secure,
       depending on whether it is based on one-time-use keys or
       on public keys. respectively. It can be adapted to
       address efficiently a wide variety of practical
       considerations." ["The Dining Cryptographers Problem:
       Unconditional Sender and Recipient Untraceability," David
       Chaum, Journal of Cryptology, I, 1, 1988.]
    -
  - DC-nets have yet to be implemented, so far as I know, but
     they represent a "purer" version of the physical remailers
     we are all so familiar with now. Someday they'll have have
     a major impact. (I'm a bigger fan of this work than many
     seem to be, as there is little discussion in sci.crypt and
     the like.)
2.13.8. "Why won't government simply ban  such encryption methods?"
  + This has always been the Number One Issue!
    - raised by Stiegler, Drexler, Salin, and several others
       (and in fact raised by some as an objection to my even
       discussing these issues, namely, that action may then be
       taken to head off the world I describe)
  + Types of Bans on Encryption and Secrecy
    - Ban on Private Use of Encryption
    - Ban on Store-and-Forward Nodes
    - Ban on Tokens and ZKIPS Authentication
    - Requirement for public disclosure of all transactions
    + Recent news (3-6-92, same day as Michaelangelo and
       Lawnmower Man) that government is proposing a surcharge
       on telcos and long distance services to pay for new
       equipment needed to tap phones!
      - S.266 and related bills
      - this was argued in terms of stopping drug dealers and
         other criminals
      - but how does the government intend to deal with the
         various forms fo end-user encryption or "confusion"
         (the confusion that will come from compression,
         packetizing, simple file encryption, etc.)
  + Types of Arguments Against Such Bans
    - The "Constitutional Rights" Arguments
    + The "It's Too Late" Arguments
      - PCs are already widely scattered, running dozens of
         compression and encryption programs...it is far too
         late to insist on "in the clear" broadcasts, whatever
         those may be (is program code distinguishable from
         encrypted messages? No.)
      - encrypted faxes, modem scramblers (albeit with some
         restrictions)
      - wireless LANs, packets, radio, IR, compressed text and
         images, etc....all will defeat any efforts short of
         police state intervention (which may still happen)
    + The "Feud Within the NSA" Arguments
      - COMSEC vs. PROD
    + Will affect the privacy rights of corporations
      - and there is much evidence that corporations are in
         fact being spied upon, by foreign governments, by the
         NSA, etc.
  + They Will Try to Ban Such Encryption Techniques
    + Stings (perhaps using viruses and logic bombs)
      - or "barium," to trace the code
    + Legal liability for companies that allow employees to use
       such methods
      - perhaps even in their own time, via the assumption that
         employees who use illegal software methods in their own
         time are perhaps couriers or agents for their
         corporations (a tenuous point)
2.13.9. "Could anonymous markets facilitate repugnant services, such
   as killings for hire?"
  - Yes, though there are some things which will help lessen
     the full impact.
  - To make this brutally concrete, here's how escrow makes
     murder contracts much safer than they are today to
     negotiate. Instead of one party being caught in an FBI
     sting, as is so often the case when amateurs try to arrange
     hits, they can use an escrow service to insulate themselves
     from:
     
     1. From being traced, because the exchanges are handled via
     pseudonyms
     
     2. From the killer taking the money and then not performing
     the hit, because the escrow agent holds the money until the
     murder is verified (according to some prototocol, such a
     newspaper report...again, an area for more work,
     thankfully).
     
     3. From being arrested when the money is picked up, as this
     is all done via digital cash.
     
     There are some ways to reduce the popularity of this
     Murder, Incorporated system. (Things I've been thinking
     about for about 6 years, and which we discussed on the
     Cypherpunks list and on the Extropians list.)

2.14 - Miscellaneous
2.14.1. "Why can't people just agree on an approach?"
  - "Why can't everyone just support my proposal?"
  - "I've proposed a new cipher, but nobody's interested...you
     Cypherpunks just never _do_ anything!"
  - This is one of the most consistently divisive issues on the
     list. Often a person will become enamored of some approach,
     will write posts exhorting others to become similarly
     enamored, urging others to "do something!," and will then,
     when no interest is evidenced, become irate. To be more
     concrete, this happens most often with various and sundry
     proposals for "digital money." A close second is for
     various types of "Cypherpunks activism," with proposals
     that we get together and  collect a few million dollars to
     run Ross Perot-type advertisements urging people to use
     PGP, with calls for a "Cypherpunks radio show," and so on.
     (Nothing wrong with people doing these things, I suppose.
     The problem lies in the exhortation of _others_ to do these
     things.)
  - This collective action is always hard to achieve, and
     rightly so, in my opinion. Emergent behavior is more
     natural, and more efficient. And hence better.
  + the nature of markets, agents, different agendas and goals
    - real standards and markets evolve
    - sometimes because of a compelling exemplar (the Walkman,
       PGP), sometimes because of hard work by standards
       committees (NTSC, electric sockets, etc.)
    - but almost never by simple appeals to correctness or
       ideological rightness
2.14.2. "What are some of the practical limits on the deployment of
   crypto, especially things like digital cash and remailers?"
  + Lack of reliable services
    - Nodes go down, students go home for the summer, downtime
       for various reasons
  - Lack of robustness
2.14.3. "Is crypto dominated by mistrust? I get the impression that
   everything is predicated on mutual mistrust."
  - We lock our doors...does this mean we are lacking in trust?
     No, it means we understand there are _some_ out there who
     will exploit unlocked doors. Ditto for the crypto world.
  - "Trust, but verify," as Ronald Reagan used to say. Mutual
     mistrust can actually make for a more trustworthy
     environment, paradoxical as that may sound. "Even paranoids
     have enemies."
  - The danger in a trusting environment that lacks other
     mechanisms is that "predators" or "defectors" (in game-
     theoretic terms) can exploit this trusting environment.
     Confidence games, scams, renegging on deals, and even
     outright theft.
  - Crypto offers the opportunity for "mutually suspicious
     agents" to interact without explicit "trust."
2.14.4. "Who is Detweiler?"
  + S. Boxx, an12070, ldxxyyy, Pablo Escobar, Hitler, Linda
     Lollipop, Clew Lance Simpleton, tmp@netcom.com, Jim
     Riverman
    - often with my sig block, or variants of it, attached
    - even my phone number
    - he lost his ColoState account for such tactics...
  - electrocrisy
  - cypherwonks
2.14.5. "Who is Sternlight?"
  - A retired policy analyst who is often contentious in Usenet
     groups and supportive of government policies on crypto
     policy. Not nearly as bad as Detweiler.

2.15 - More Information and References
2.15.1. "Where can I find more information?"
  - Well, this is a start. Also, lots of other FAQs and Mosaic
     home pages (URLs) exist, encompassing a vast amount of
     knowledge.
  - As long as this FAQ is, it can only scratch the surface on
     many topics. (I'm especially amused when someone says
     they've looked for a FAQ on some obscure topic. No FAQ is
     likely to answer all questions, especially obcure ones.)
  - Many articles and papers are available at the
     ftp.csua.berkeley.edu
     site, in pub/cypherpunks. Look around there. The 1981 Chaum
     paper on untraceabel e-mail is not (too many equations for
     easy scanning), but the 1988 paper on Dining Cryptographers
     Nets is. (I laboriously scanned it and OCRed it, back when
     I used to have the energy to do such thankless tasks.)
  + Some basic sources:
    + Sci.crypt FAQ, published regularly, Also available by
       anonymous ftp at rtfm.mit.edu. And in various URLs,
       including:
      - URLs for sci.crypt FAQ: xxxxxx
    - RSA Data Security Inc. FAQ
    - Bruce Schneier's "Applied Cryptography" book, 1993. Every
       reader of this list should get this book!
  - The "online generation" tends to want all material online,
     I know, but most of the good stuff is to be found in paper
     form, in journals and books. This is likely to be the case
     for many years to come, given the limitation of ASCII, the
     lack of widespread standards (yes, I know about LaTex,
     etc.), and the academic prestige associated with bound
     journals and books. Fortunately, you can _all_ find
     universit libraries within driving range. Take my advice:
     if you do not spend at least an entire Saturday immersing
     yourself in the crypto literature in the math section of a
     large library, perusing the "Proceeedings of the Crypto
     Conference" volumes, scanning the textbooks, then you have
     a poor foundation for doing any crypto work.
2.15.2. "Things are changing quickly. Not all of the addresses and
   URLs given here are valid. And the software versions... How
   do I get the latest information?"
  - Yes, things are changing quickly. This document can't
     possibly keep up with the rapid changes (nor can its
     author!).
  - Reading the various newsgroups is, as always, the best way
     to hear what's happening on a day to day basis. Web pages,
     gopher, archie, veronica, etc. should show the latest
     versions of popular software packages.
2.15.3. "FUQs: "Frequently Unanswered Questions"?"
  - (more to be added)
  - With 700 or more people on the Cypherpunks list (as of 94-
     09), it is inevitable that some FAQs will go unanswered
     when newbies (or others) ask them. Sometimes the FUQs are
     ignored because they're so stale, other times because to
     answer them is to continue and unfruitful thread.
  + "P = NP?"
    - Steve Smale has called this the most important new
       unsolved problem of the past half-century.
    - If P were (unexpectedly) proved to be NP
  + Is RSA and factoring in NP?
    - not yet proved
    - factoring might be easier
    - and RSA might be easier than factoring in general (e.g.,
       chosen- and known-plaintext may provide clues)
  - "Will encryption be outlawed? What will happen?"
  + "Is David Sternlight an NSA agent?"
    - Seriously, David S. is probably what he claims: a retired
       economist who was once very senior in government and
       corporate policy circles. I have no reason to doubt him.
    - He has views at odds with most of us, and a baiting style
       of expressing his views, but this does not mean he is a
       government agent as so many people claim.
    - Not in the same class as Detweiler.