1993-08-19 - Re: Crypto Protocols are Hard to Analyze

Header Data

From: szabo@netcom.com (Nick Szabo)
To: tcmay@netcom.com (Timothy C. May)
Message Hash: 429a58df0dc8d6580b078b2e676b39276ae4242e0afe51250bfadca412a5daf4
Message ID: <9308190206.AA16644@netcom.netcom.com>
Reply To: <9308182038.AA05720@netcom.netcom.com>
UTC Datetime: 1993-08-19 02:06:10 UTC
Raw Date: Wed, 18 Aug 93 19:06:10 PDT

Raw message

From: szabo@netcom.com (Nick Szabo)
Date: Wed, 18 Aug 93 19:06:10 PDT
To: tcmay@netcom.com (Timothy C. May)
Subject: Re: Crypto Protocols are Hard to Analyze
In-Reply-To: <9308182038.AA05720@netcom.netcom.com>
Message-ID: <9308190206.AA16644@netcom.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



Tim May: 
> Crypto protocols are _hard_ to analyze! 

Agreed, alas.

> I'm currently trying to analyze a digital cash "coupon" system proposed by
> Nick Szabo,

Whoa nelly!  "S&H greenstamps" and another recent idea I've bounced
off Tim refer to a LEGAL "protocol".  S&H greenstamps are
"coupons" that can be used to "win" a wide variety of items from
several participating companies; they are not just coupons good for a
discount on a specific item or the products & services of a specific
company ("Disney Dollars").  S&H greenstamps got into some legal hot 
water for being too close to a privately issued currency, but 
nevertheless they are still around.  S&H greenstamps make a good legal 
"edge case".

From an object-oriented point of view, "E-greenstamps" inherit
digital cash and add legal structure.  Here I am assuming that 
E-greenstamps or other business/legal manifestations of digital cash can 
be implemented with Chaum's protocol, providing "Pretty Good Digital 
Cash" in the cryptographic sense.   The "Chaum off the shelf" 
assumption.  If there are holes in Chaum's scheme, or major problems 
with implementing it in software, I'd like to hear more, but the "S&H 
greenstamps" concept doesn't address software security issues.

> "premature productization"?)

I think it's good to discuss business and legal issues -- cf.
the excellent thread on methods of converting physical to/from digital
cash.  If we think the work ends with implementing a 
good cryptographic protocol, we are sadly mistaken.  Perhaps that's 
where the work of "cypherpunks" ends, but I have a broader vision of
crypto-anarchy that covers the legal, business, and in general
social issues as well.  Any group that wants to seriously
deploy cryptography in the real world has to discuss these as well.
And indeed we do -- does PGP infringe on patents, is it proper
for a remailer operator to read or record what goes through his system, 
etc.  

Crypto-anarchy will really take off when the (real, spendable) money
starts flowing.   Thus we should examine a wide variety of business
concepts.  The "speculative business plan" is a great way to do this.
Of course cypherpunks are mostly hackers, and we will 
concentrate on the hacking -- but before crypto-anarchy emerges,
the legal and business problems (e.g. not driving off customers with
complex or "shady" operations) also have to be solved.  

We do need to be more clear on when we are talking about cryptographic 
protocols ("digital cash"), legal structures ("S&H greenstamps"), and 
business concepts ("commercial remailer"). 

> 1. Our archive site of papers and books is not available to many of the
> folks attempting to develop new protocols. To pick one example: digital
> money in all its various forms. 

I'd love to see some digicash papers on soda.  I also agree on the
need for standardizing terminology in the field of cryptography
and related protocols for remailers, digital cash, etc.  Your
concept of a "Protocol Compiler" to enable testing of new
concepts for anon remailers, digicash, etc. is intriguing. 
We have already started a "tricks database" with the Word Perfect
crypto-cracker on soda; we need to expand that.

Alas, there may be strong incentive for businesses to put hype
before strong crypto substance.  In response, we need to pursue 
the following two activities -- eventually, perhaps creating a separate 
organization for each:

* A "cracker's guild" to break weak cryptography and publicize
the cryptanalysis algorithms (cf. the Word Perfect crypto cracker),
forcing the weak crypto off the market.  For example, if 
NetCash was deployed this organization would crack it.  This
organization might be funded anonymously by those selling strong 
crypto (who have an incentive to debunk their competitors' hype).

* A formal Crypto Auditing Agency that would verify the algorithms
and protocols were secure, without revealing trade secrets.
My next statement may cause hisses & boos, but I think the recent
Crypto-Auditing of Clipper by Denning and other eminent 
cryptologists will be a model widely applied in the commercial
computer security business.   The auditors should be 
able to examine the source and run the programs without revealing
trade secrets.

Nick Szabo				szabo@netcom.com
