Hal writes:
The notion of a "cryptographically tamperproof software module" is interesting, but I'm not sure such a thing exists or could exist. The secure offline cash systems I have seen rely on tamper-resistant HARDWARE modules which at least exist although this requirement would be very inconvenient.
Quite a bit of work has already been done on this concept. Basically one generates a very large sequence of machine instructions which computes the image of the output of an algorithm under a strong cipher from the image of the input under the cipher. A controlled amount of redundant information is added to both the input and output. This yields a piece of code so obtuse and complex that nothing may be gleaned about what algorithm it is executing by observing it run. Figuring out what it actually is doing is a cryptanalytically hard problem. Also, determining a way of modifying the code which does not break it is a similarly hard problem. Once encased in such a module, an algorithm may be distributed with no fear that it will be stolen. This raises interesting problems with software patents, since one can not tell from such a module whether it is performing a function in a way which infringes. Of course, there is a severe performance penalty to be paid for such protection. But in the case of digital cash, it could provide a mechanism for implementing a secure offline system without special hardware.
Again, I don't know how you handle the case of two almost-simultaneous attempts to redeem the same note (or piece of cash). Both notes are identical, so having the two notes gives you no more information than having just one, hence if one note is anonymous so will two be. You know someone is cheating in this situation, but who? One of the redeemers may have stolen a copy of the cash from the other; the two redeemers may be working together; or the note maker may be working with one of the redeemers having slipped them a copy of the note as soon as it was presented for redemption. How can a court decide who is right?
Assuming the transactions are done via a tamperproof module distributed by the issuer, and the math is arranged such that using a note in multiple transactions reveals the perpetrator, the system prevents anonymous double-spending while still providing all the benefits of digital cash. Of course, you could claim that someone was in possession of your tamperproof module and associated passwords, but it is your responsibility to guard these and report them stolen promptly, just as with credit cards and PINs.

P.S. Is anyone worried that the Netherlands seems on the verge of banning PGP? Wasn't this country once a hacker's paradise?

--
 Mike Duvos         $    PGP 2.3a Public Key available     $
 mpd@netcom.com     $    via Finger.                       $
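The property the message above relies on, that a note spent in two transactions reveals the spender while a note spent once stays anonymous, in a toy hash-commitment construction in the style of Chaum, Fiat and Naor. This is an added example, not code from the thread or from any system the posters mention. The bank's blind signature over the coin, the identified withdrawal and the parameter sizes are assumptions and are omitted; only the payer, merchant and deposit-time steps are shown. It also shows why two redemption transcripts of the same coin are not identical: each carries a different merchant challenge, and the bank needs both to learn anything.

```python
"""Toy offline coin whose owner is revealed only by double-spending.

Added example, not code from the thread.  Hash-commitment construction in the
spirit of Chaum, Fiat and Naor; the bank's blind signature, the identified
withdrawal and realistic sizes are all assumed away.
"""

import hashlib
import secrets
from dataclasses import dataclass

N_PAIRS = 16      # commitment pairs per coin; a real system would use many more
SHARE_LEN = 16    # bytes per share; the identity must also be SHARE_LEN bytes


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Coin:
    # Public half: what the bank would sign and what every merchant sees.
    commitments: list          # [(h(a_i), h(a_i XOR identity)), ...]
    # Secret half: stays in the payer's wallet or tamperproof module.
    shares: list               # [a_i, ...]
    identity: bytes


def withdraw(identity: bytes) -> Coin:
    """Payer builds a coin bound to its identity.  A real bank would check the
    construction (e.g. by cut-and-choose) before blind-signing it."""
    assert len(identity) == SHARE_LEN
    shares = [secrets.token_bytes(SHARE_LEN) for _ in range(N_PAIRS)]
    commitments = [(h(a), h(xor(a, identity))) for a in shares]
    return Coin(commitments, shares, identity)


def spend(coin: Coin, challenge: int) -> dict:
    """Answer a merchant's N_PAIRS-bit challenge: for bit i reveal a_i when the
    bit is 0 and a_i XOR identity when it is 1.  Each response on its own is a
    uniformly random string, so a single spend says nothing about identity."""
    responses = [a if (challenge >> i) & 1 == 0 else xor(a, coin.identity)
                 for i, a in enumerate(coin.shares)]
    return {"commitments": coin.commitments,
            "challenge": challenge,
            "responses": responses}


def verify(transcript: dict) -> bool:
    """Merchant: each revealed value must match the committed hash it was asked
    for.  (Checking the bank's signature on the commitments is omitted.)"""
    for i, pair in enumerate(transcript["commitments"]):
        bit = (transcript["challenge"] >> i) & 1
        if h(transcript["responses"][i]) != pair[bit]:
            return False
    return True


def detect_double_spend(t1: dict, t2: dict):
    """Bank, at deposit: two transcripts of one coin whose challenges differ in
    bit i expose both a_i and a_i XOR identity; their XOR is the identity.
    Returns None when nothing can be learned."""
    if t1["commitments"] != t2["commitments"]:
        return None                        # different coins
    diff = t1["challenge"] ^ t2["challenge"]
    if diff == 0:
        return None                        # same challenge twice: two copies of one answer
    i = (diff & -diff).bit_length() - 1    # index of the lowest differing bit
    return xor(t1["responses"][i], t2["responses"][i])


def demo() -> dict:
    identity = b"payer-account-01"                      # constructed, 16 bytes
    coin = withdraw(identity)
    t1 = spend(coin, 0x5A5A)                            # first merchant's challenge
    t2 = spend(coin, 0xA5A5)                            # second merchant, same coin
    other = spend(withdraw(b"payer-account-02"), 0x5A5A)
    return {
        "both_accepted": verify(t1) and verify(t2),
        "identity_recovered": detect_double_spend(t1, t2),
        "single_spend_leaks": identity in t1["responses"],   # False: still anonymous
        "same_challenge_twice": detect_double_spend(t1, t1),
        "different_coins": detect_double_spend(t1, other),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note what the bank cannot do here: if two merchants happened to issue the same challenge, the two transcripts really are identical copies and nothing is learned, which is why the challenge must be random and long enough that collisions are negligible.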
Mike Duvos wrote:
P.S. Is anyone worried that the Netherlands seems on the verge of banning PGP? Wasn't this country once a hacker's paradise?
This has been apparent for a while now, with numerous reports that several European countries are far along in adopting Clipper-type systems. Possibly under cooperative arrangements with the USA. As for the Netherlands being a hacker's paradise....recall that telephone and other services are under the control of the "PTT" (Postal, Telegraph, and Telephone monopoly) that's so common in European countries. If they say "no modems may be attached," that's the law. (I don't know the current status, but at one time there were severe restrictions, heavy fees, etc.) Ask the guys at Hactic, De Zwarte Star, and BILWET (Amsterdam Association for the Dissemination of Illegal Science) about the surveillance done on them by the BVD, the Binnenlandse Veiligheidsdienst, the Dutch Internal Security Service. France essentially bans all crypto--enforcement may be another matter (ask SDECE). One of our Norwegian members recently reported on proposed legislation in his country. Britain is taking steps. And what is going on in Germany, with the Bundesnachrichtendienst (BND), their version of the CIA, asking for and receiving broad new surveillance powers. (And Germany's version of the FBI, the Bundeskriminalamt (BKA), is getting into the wiretap business in a big way.) "Orderly societies" like those in Europe prize order and control over the "cowboy" aspects of America. Just because the American debate over Clipper and Digital Telephony is so loud and angry here in the U.S. is no reason to believe that the same measures are not already being put into place in Europe and parts of Asia.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
On Thu, 24 Mar 1994, Timothy C. May wrote:
As for the Netherlands being a hacker's paradise....recall that telephone and other services are under the control of the "PTT" (Postal, Telegraph, and Telephone monopoly) that's so common in European countries. If they say "no modems may be attached," that's the law. (I don't know the current status, but at one time there were severe restrictions, heavy fees, etc.)
European telecommunication is (slowly) being deregulated and demonopolized. For instance we now have two competing companies offering mobile telephony services in Norway -- not bad for a country of just 4 million people :-)
"Orderly societies" like those in Europe prize order and control over the "cowboy" aspects of America. Just because the American debate over Clipper and Digital Telephony is so loud and angry here in the U.S. is no reason to believe that the same measures are not already being put into place in Europe and parts of Asia.
Perhaps the problem is that we don't have a "critical mass" of concerned people. The EU is not as integrated as the US (and Norway is not even a member!) so these matters are usually left to individual (and small) countries.

-- Rolf

----------------------------------------------------------------------
Rolf Michelsen                    Phone:  +47 73 59 87 33
SINTEF DELAB                      Email:  rolf.michelsen@delab.sintef.no
7034 Trondheim                    Office: C339
Norway
----------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Quite a bit of work has already been done on this concept. Basically one generates a very large sequence of machine instructions which computes the image of the output of an algorithm under a strong cipher from the image of the input under the cipher. A controlled amount of redundant information is added to both the input and output. This yields a piece of code so obtuse and complex that nothing may be gleaned about what algorithm it is executing by observing it run. Figuring out what it actually is doing is a cryptanalytically hard problem. Also, determining a way of modifying the code which does not break it is a similarly hard problem.
Once encased in such a module, an algorithm may be distributed with no fear that it will be stolen. This raises interesting problems with software patents, since one can not tell from such a module whether it is performing a function in a way which infringes.
Fascinating!! Almost unbelievable!

Can you provide references?

John E. Kreznar          | Relations among people to be by
jkreznar@ininx.com       | mutual consent, or not at all.

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLZJwqMDhz44ugybJAQHYDQP/Qz7MyegFvt8DlwOlE81DjDTlogZeui8Q
SvOzliEsPJmuepPFNzltTp8W9AsWSKI3oq4608TmCO5A0oLlMiEhGKbsjxIuWZ5d
GjNUmOMVqtU3kPmp3ZfluXKW87z5Wx6KUXcibhVilTG0POC8KOboOPYjXaPWjr9j
MnFs7yG/dU4=
=E5iE
-----END PGP SIGNATURE-----
This is not new. It's been used for years by software companies in copy-protection schemes. Ask anyone who's ever "cracked" software. Copy-protection systems rely on the fact that someone can not easily find and remove the algorithm which impedes duplication. There are three common ways of preventing this.

First, the code is encrypted in layers and modules. Each module decrypts the next layer and rescrambles or erases the last. This prevents the attacker from getting an overall view of the program, as it is never all accessible at once, but it can be viewed in pieces as it executes. Secondly, several layers of interpreted code can be used. Each layer interprets the next. In this way, no assembly language code ever exists in plaintext (except the first level interpreter). Finally, the program checksums itself to prevent tampering.

These methods can never provide foolproof protection, but they can slow down attacks considerably. Even the most determined attacks can be delayed for weeks or months. But if they want it bad enough, they can probably reverse-engineer it - as has been said before, crypto is all economics.

I've considered such possibilities for digital cash, but even if the algorithm could not be derived from the cryptographically protected software, it really doesn't solve the double-spending problem. You can just copy the entire module, along with all the money, and spend it twice (on separate victims, of course). And all those layers of encryption can make it unbearably slow.
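The layering and self-checksumming described in the message above, reduced to a toy, together with the point it ends on: a module that detects any modified byte still runs perfectly from a byte-for-byte copy. This is an added example, not code from the thread or from any copy-protection product. The cipher is a SHA-256 keystream XOR built only for illustration, the fixed loader key stands in for the one first-level interpreter that must ship in the clear, and the protected "program" is just a pair of integers (a, b) meaning f(x) = (a*x + b) mod 2**32; all of these are assumptions of the example.

```python
"""Toy layered, self-checksumming software module.  Added example, not code
from the thread.  Each layer's plaintext is checksum(inner) || inner, so a
modified byte anywhere fails at some layer, while an exact clone unwraps and
runs identically.  Toy cipher: SHA-256 keystream XOR, not for real use."""

import hashlib

LOADER_KEY = b"first-level-interpreter-key"   # the single piece in the clear (assumed)
DIGEST_LEN = 16
MOD = 2 ** 32


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Counter-style keystream from SHA-256 (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += h(key + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:n])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def layer_keys(layers: int) -> list:
    """Key for layer k derives from the key of the layer outside it, so only
    the loader key exists outside the module."""
    keys = [LOADER_KEY]
    for _ in range(layers - 1):
        keys.append(h(b"next-layer" + keys[-1]))
    return keys


def build_module(payload: bytes, layers: int) -> bytes:
    """Wrap the payload innermost-first; every layer stores a checksum of the
    ciphertext it encloses before being encrypted itself."""
    blob = payload
    for key in reversed(layer_keys(layers)):
        blob = xor_crypt(key, h(blob)[:DIGEST_LEN] + blob)
    return blob


def unwrap(blob: bytes, layers: int) -> bytes:
    """Peel from the outside in.  Only the current layer is held in `blob`;
    the outer ciphertext is dropped as soon as it has been decrypted."""
    for layer, key in enumerate(layer_keys(layers)):
        pt = xor_crypt(key, blob)
        stored, inner = pt[:DIGEST_LEN], pt[DIGEST_LEN:]
        if h(inner)[:DIGEST_LEN] != stored:
            raise ValueError(f"checksum failure at layer {layer}: module tampered")
        blob = inner
    return blob


def encode_program(a: int, b: int) -> bytes:
    return a.to_bytes(4, "big") + b.to_bytes(4, "big")


def run(module: bytes, layers: int, x: int) -> int:
    """Unwrap and execute the protected routine f(x) = (a*x + b) mod 2**32."""
    payload = unwrap(module, layers)
    a, b = int.from_bytes(payload[:4], "big"), int.from_bytes(payload[4:], "big")
    return (a * x + b) % MOD


def tamper_detected(module: bytes, layers: int, pos: int) -> bool:
    """Flip one bit of byte `pos` and report whether unwrap refuses the result."""
    patched = bytearray(module)
    patched[pos] ^= 0x01
    try:
        unwrap(bytes(patched), layers)
    except ValueError:
        return True
    return False


def demo() -> dict:
    module = build_module(encode_program(31337, 42), layers=4)
    clone = bytes(module)          # a byte-for-byte copy, "all the money" included
    return {
        "original": run(module, 4, 10),
        "clone_runs_identically": run(clone, 4, 10) == run(module, 4, 10),
        "outer_byte_flip_caught": tamper_detected(module, 4, 0),
        "inner_byte_flip_caught": tamper_detected(module, 4, len(module) - 1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The checksum is a function of the module's bytes and nothing else, so it distinguishes a modified module from an intact one but cannot distinguish the original from a copy; stopping the copy from being spent twice needs state outside the module, such as the bank-side detection in the cash protocol itself.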
Ever been on a "private" BBS, or talked to people who (talk to people, who talk to people, etc.) have been on one? You get software released on 4 Jun (for example), on 6 June it's cracked, and by 7 June it is available on every single continent (barring Antarctica - although I'm not certain about that - supposedly there are equally private Internet nodes around somewhere...). While the might of bands like Paranoimia, Skid Row, and Razor 1911 is usually concentrated on games, their expertise applies equally well to "serious" software - it's just that games are more marketable/popular and thus get the crackers' names to more people.

PS - the example above is an overestimate - it often happens that software is cracked and distributed within HOURS of release.

MJH

 *  Mikolaj J. Habryn                 dichro@tartarus.uwa.edu.au
 *  "Life begins at '040."            PGP Public key available by finger
 *  "Spaghetti code means job security!"
participants (6)
- jkreznar@ininx.com
- Matthew J Ghio
- Mikolaj Habryn
- mpd@netcom.com
- Rolf Michelsen
- tcmay@netcom.com