That 70's Crypto Show (Remailers, science and engineering)

dmolnar dmolnar at hcs.harvard.edu
Thu Dec 28 00:56:28 PST 2000




On Wed, 27 Dec 2000, Bill Stewart wrote:

> fewer talks on new stuff people are doing and more on
> some commercial business (maybe or maybe not run by cypherpunks)
> doing their product or non-technical talks by EFF lawyer types.

I'm in the middle of composing a reply to Tim's message (which is getting
bigger every time I sit down to finish it, ominously enough). One of the
points that has popped into my mind so far is that while we've had
academic crypto research since the 80s, thanks to Rivest, Shamir, Adleman,
Diffie, Hellman, and others willing to defy the NSA, we have _not_ had a
similar tradition of commercial cryptography - or at least, not a
tradition of companies obtaining money for cryptographic *protocols* as
opposed to ciphers.

It seems to me that it took a long while for people to even recognize that
there was more to cryptography than secrecy. Maybe it happened quickly in
academia, but it doesn't seem to have filtered out quickly (and then
there's still the chilling effect from export controls). This is one of
the reasons why the early Cypherpunk work is so damn important -- it
showed the amazing, powerful things you can do given cryptography and a
little cleverness, and it did so to a (comparatively) wide audience!

Even after "everyone" knows that you can do, say, cryptographic voting,
there's still the question of "who's going to pay for it?"

That question seems to have found a partial answer with the
Internet/Web/"e-commerce" frenzy. The thing is, that is *new*, only 4 or 5
years old. Before, you could go out and say "I want to go commercialize
neat protocol X," and good luck to you...today, you might get funding.
Until you get that funding, you can't start the engineering work that's
required to take a protocol from the "cool CRYPTO paper" stage to the
"real world product." 

Before Tim jumps on me, yes, I know there were early electronic markets,
and yes, electronic trading was around before the Web. Yes, these could
have been viable markets for digital cash, fair exchange protocols,
whatever. Even electronic voting could and did get started earlier
(though not using cryptographic techniques AFAIK). I do not dispute
this! It simply seems to me that the climate today has the possibility of
demand for such protocols (and more) on a wider scale than previously.

> of crypto out of math and CS areas and into engineering.
> Mojo Nation, for example, is partly interesting because it's not just 
> Yet Another Encrypted Music Sharing Product - it's mixing the
> crypto with economic models in ways that are intellectually complex,
> even if they're somewhat at the hand-waving level
> rather than highly precise.

Maybe it will force smart people to move the mix from the hand-waving
level to something highly precise. Insh'allah. 

> Cool.  Are the proceedings on line anywhere?  (Or is it only
> for people who know the secret keys...)

The 2nd and 3rd are, via Springer-Verlag LINK service. Tables of contents
are free; you should be able to recover the papers from their authors'
home pages (use Google!). If you can't find something, e-mail me. 

Page for past proceedings:
http://chacs.nrl.navy.mil/IHW2001/past-workshops.html

Page for IHW 2001:
http://chacs.nrl.navy.mil/IHW2001/

Unfortunately, the TOC for the first IHW is not online, nor do the papers
seem to be available. You can extract the papers from Petitcolas'
bibliography at 
http://www.cl.cam.ac.uk/users/fapp2/steganography/bibliography/index.html

and may be able to get some of the papers that way. I note a previous
message from Hal Finney which has some links as well
http://www.inet-one.com/cypherpunks/dir.1997.05.15-1997.05.21/msg00298.html
(I haven't tried them)

I should state up front that the workshops are a little heavy on
watermarking papers, which may not be of too much interest to cypherpunks.
The papers on breaking watermarks, on the other hand, may be of more
interest. :-)



> >On the other hand, we can oppose this to the fact that we 
> >have a bunch of remailers, and they seem to work. 
> >They may be unreliable, but no one seems
> >to have used padding flaws to break a remailer, as far as we know. 
> 
> Arrgh!  Dave, just because nobody's known to have broken them
> doesn't mean that nobody's succeeded in breaking them
> (without us knowing they've succeeded), 

[snip a well-deserved beating]

Well, this is what I get for trying to moderate myself. Everything you say
is correct - of course. I actually agree with you! I mentioned this
because I wanted to avoid playing the part of a "theoretical Cassandra," 
which is something I do too often. (In fact, if I'm not mistaken, that's
part of what Tim's response about different adversary models attempts to
speak to - the fact that traditional cryptographic models assume a
maximally powerful adversary, while we might want a finer grained
hierarchy of adversaries and their effects...)

-David




