The Coming Cryptoanarchic Revolution Laurence Yogman Paper for MIT 6.805/STS085: Ethics and Law on the Electronic Frontier, Fall 1995

Intro

The State will of course try to slow or halt the spread of this technology, citing national security concerns, use of the technology by drug dealers and tax evaders, and fears of societal disintegration. Many of these concerns will be valid; crypto anarchy will allow national secrets to be trade freely and will allow illicit and stolen materials to be traded. An anonymous computerized market will even make possible abhorrent markets for assassinations and extortion. Various criminal and foreign elements will be active users of CryptoNet. But this will not halt the spread of crypto anarchy.

-- Timothy May, in The Crypto Anarchist Manifesto (1)

Is this yet another instance of a mad prophet rambling on about yet another unlikely doomsday schenario? People unfamiliar with the technologies to which May refers are likely to dismiss him as crazy. Whether or not Mr. May is crazy, the technology he's talking about is real, and could have a dramatic impact on the world in the very near future. The technology is known as strong cryptography. That is to say, really good secret codes and their applications.

Recent advances in crytography have shown that it is possible to control information in a wide variety of previously unimagined ways. These new methods require large amounts of computation, but the personal computer revolution is rapidly placing the necessary computational power into the hands of millions. The ephemeral technologies of strong cryptography promise to provide you with powerful and precise control over the privacy and security of your information.

Many institutions operating today, such as all governments, operate by collecting information about people that said people would rather keep to themselves. If the technologies of strong cryptography come into wide use, then these institutions will no longer be able to function as they do today. An informal organization dedicated to helping this technological revolution happen sprung up in 1992. The members of this organization call themselves Cypherpunks, and they generally believe that they are helping to change society for the better, by greatly expanding individual freedom. A subset of the cypherpunks, the Crypo-Anarchists, believe that the technology will inevitably lead to the total collapse of goverment as we know it, an usher in a new, better world of crypto-anarchy.

Both crypto-anarchists and many other cyperpunks are quite confident in their predictions, quite certain what the effects of the technology will be. Timothy May states catagorically that "These developments will alter completely the nature of government regulation, the ability to tax and control economic interactions, the ability to keep information secret, and will even alter the nature of trust and reputation." (1). Vincent Cate, a self identified cryptorebel and cypherpunk, is also quite confident and optimistic: "Regulation of Cyberspace trade will not be possible. It will be impossible to even determine if two parties are doing business, let alone to stop them. Initiation of force in Cyberspace should be less and less of a problem as computer systems get more secure. Impersonation is easily prevented with digital signatures. Reputations will be the main guard against fraud." (2).

Is this confidence in strong cryptography justified? What does this technology do, and will it inevitably lead to the social changes which the cypherpunks describe? Will it lead to the drastic changes the crypto-anarchists describe? Many plausable predictions about the technological and social future have been wrong before. How are we to judge whether the cypherpunks are the leaders of a great new revolution, or just a band of crackpot malcontents? I propose to begin trying to answer this question by examining the cause of the entire debate, the new methods for handling information made possible by strong cryptography.

What are these Guys Talking About?

Before I plunge into a listing of the gadgets of strong cryptography, I'd like to give a quick overview. A great variety of remarkable tools are already in use. Others are in active development. I'll try to cover the basic technologies of symmetric key encryption, public key encryption, digital signatures, anonymous communications, and digital cash. The reader should recognize that this partitioning into subtopics is somewhat arbitrary. The subtopics overlap, and fail to exhaust the entire field. However, I hope that these catagories will help to organize the spectrum of possibilities and reduce the confusion that often results from failing to distinguish between difference applictions and different kinds of cryptography.

An author writing early in this century about the future impact of the internal combustion engine would be ill advised to innundate his reader with a discussion of the details of the manufacturing and operation of the various designs of engine. It would also be unwise for him to much discuss recent advances in the techniques of mass production, even though it was those advances that made the technology possible an practical. However, a discussion of cars, trucks, buses, heavier-than-air flying machines, home electric generators, and gasoline-powered yard equipment would provide the reader with a great deal of insight. Similarly, I will not try to present any details on individual cryptographic algorithms. I will not present the foundational ideas of complexity theory, number theory, and information theory without which the technology wouldn't exist. I do not intend to look inside the "black box" at all. Instead, I'll be describing the gadgets from the outside, purely in terms of what they do.

Strong Symmetric Key Cryptography and Data Security.

Symmetric, or secret key cryptography is the oldest and easiest to understand form of crypto. Given some data and a secret key, the encryption algorithm generates a piece of "cyphertext" which encodes the data in a form that looks like pure gibberish to anyone without the secret key. The mathematical gold standard for strong cryptography requires that an adversary can gain no information about the contents of a message by examining the cyphertext. But anyone who has the cypertext and the key used to encrypt can use the decryption algorithm to reconstuct the original data. Unlike the first, primitive cryptosystems, symmetric key cryptography does not assume that the encoding scheme is secret. The encryption and decryption algorithms are assumed to be publically known. Only your original data and the key used to encrypt it need to be kept private. (3, pp. 96-97)

There are many good uses for symmetric key encryption. Any individual or organization that wishes to keep any piece of information private has a use for strong cryptography. Sensitive files relating to military secrets, affairs of state, and industrial firms with trade secrets already use secret key cryptography. In all the above fields, and well as in the world of electronic commerce, many message senders employ encryption to prevent information from falling into the wrong hands and causing great physical or economic damage. As strong cryptography speads and becomes more commonplace, it could find many legitimate uses. For example, it could be used as a technological reinforcer of attorny-client privilidge, or as a means of protecting medical and finacial information, or as a way of insuring the privacy of diaries and interpersonal communications.

Public Key Cryptography

public key does not enable anyone to decrypt the cyphertext that is so generated. Only people with the private key corresponding to the encrypting public key can decrypt the cyphertext. (3, p.97) Thus, you can send a secure message to someone without having to prepare a shared secret key in advance.

This power to initiate secure communications without using previous shared secrets gives public key cryptography an enourmous advantage over symmetric key cryptography. The secure distribution of secret symmetric keys over insecure channels is quite difficult, and requires elaborate security precautions (4). Several public key cryptography systems are already in use by the cypherpunks and are spreading into the general computer-savy populace. Unfortunately, public key crypto is much more computationally expensive than symmetric key crypto. In order to get the best of both worlds, the first thing that two parties who contact each other using a public key system do is generate an agreed-upon secret key, then switch to symmetric key encryption.

Digital Signatures

To see how digital signatures are possible, consider the following system: The signer encrypts the document using the secret half of a public key cryptography key pair. The resulting cyphertext is a signature. Remember, whatever one key does, the other undoes. Other users can decrypt this cyphertext using the public key, and check whether the decryption matches the document. Only the holder of the private half of the key-pair could have created such a cyphertext signature. Any attempt to alter the message will result in the new message not matching the decryption of the signature. There are many improvements and refinements of this idea which use less extra information to store a signature. What is essential is that digital signatures plus encryption provide an electronic means of creating messages and other documents with several desirable properties. These properties are:

Confidentiality, to provide privacy for a message (protection from disclosure) Authentication, of the identity of the sender of the message Message Integrity, to provide protection for the message from modification Non-repudiation of Origin, so that the sender of a message cannot deny having originated the message,

(Paraphrased from source 6, section 6, Secure Electronic Mail)

Digital signature schemes are spreading hand-in-hand with public key cryptography, often in the same software.

Anonymous remailers, DC nets

One technology which does not strictly speaking require strong cryptography is anonymous electronic communications. Remailers take a message sent to them, strip off information about the sender, and send the message on. Sometimes, just knowing who sent a message to whom when can be a very important piece of information, one which the sender might wish to conceal. Such anonymous communication is already common in the physical world. We use anonymity often when we send an unpopular opinion as a "letter to the editor," when we act as whisleblowers, when we seak help after being victimized yet fear for our privacy, and when we vote.(7)

Given how useful anonymity is in the physical world, it's not surprising that anonymous remailers are already quite popular. Yet current remailer systems do have one property that the cypherpunks regard as a serious flaw: the remailers have to be trusted to strip off and forget information about the sender, or at least keep that information secret. Faith in this assumption was shaken recently when the International Church of Scientology was able to force the operator of a major remailer, anon.penet.fi, to disclose the identity of a whistleblower against the church.(8) This obviously defeats the entire purpose of anonymity. The cypherpunks have some solutions to this problem. The most mind-bending is the concept of DC-nets, which allow the electronic messages to be publically revealed without any computer other than the sender's ever having any information about the identity and location of the sender. DC-nets require no special equipment. They can be created using any existing network, some simple software, and a large enough starting pool of anonymous communicators.(9)

Anonymous communications plus digital signatures allow for verified psuedonyms. Without revealing their true identity, individuals can digitally sign using a psuedonym. This allows for verification that multiple anonymous messages all originate with the same individual, assuming keys are kept secure. The possibility of these virtual identities is one of the most important ideas of the cypherpunks.

Digital Cash

At first, it may seem impossible to turn bits into bills. After all, bits can be copied ad infinitum, whereas cash relies on the fact that it is conserved in order to retain its value. Also, it would seem that anyone who knows enough to tell valid bills from invalid ones should be able to generate valid bills themselves. But remember digital signatures: the intuitive answer is not always right. Old serial numbers can be retired by the agency that issues digital cash. Digital signatures can be used to validate bills and prevent forgery. Signatures can also be used to create unforgeable proof-of-order and proof-of-payment records. Psuedonymous methods can be used to conceal the identity of individuals. The use of different psuedonyms with different merchants can be used to prevent the cross-correlation of transaction data. In general, it is possible to design digital protocols that allow transactions to take place freely, while requiring individuals "to disclose only the minimum information necessary."(10) The design of digital cash systems is an area of considerable current activity. Which, if any of the competing schemes will catch on remains to be seen.

* This section draws heavily on source 10 throughout.

The Cypherpunk Privacy Agenda

. . . The net effect of computerization is that it is becoming much easier for record-keeping systems to affect people than for people to effect record-keeping systems. Even in non-governmental settings, an individual's control over the use that is made of personal data he gives the organization, or that an organization obtains about his, is lessening. (11, introduction, p.xx)

We recommend against the adoption of any nationwide, standard, personal identification format, with or without the SSN, that would enhance the likelihood of arbitrary or uncontrolled linkage of records about people, particularly between government or government-supported automated personal data systems.(11, introduction, p.122)

If two parties have some sort of dealings, then each has a memory of their interaction. Each party can speak about their own memory of this; how could anyone prevent it? One could pass laws against it, but the freedom of speech, even more than privacy, is fundamental to an open society; we seek not to restrict any speech at all. (12)

We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place. . . We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money. Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can't get privacy unless we all do, we're going to write it. (12) With this context in mind, digital cash may make more sense. For the cypherpunks, the purpose of digital cash is simple. Digital cash has the same purpose as the rest of cryptography: the transfer of control of personal information and private lives from the institutions back to the individual. Without digital cash, much of the power of strong cryptography is lost. Money is the primary means whereby we satisfy our needs and wants. We all must engage in many transactions every day in order to function in society. Any institution with a record of the who what where when from whom and for how much of our puchases knows us all too intimately, and has the power to do us great harm, either directly or by not guarding their inforation about us from others. Digital cash provides the same peace of mind and individual control for financial transactions that DC-nets plus encryption brings to ordinary communications.

Full Crypto-Anarchy

Now that we know the technologies, we can understand what might happen in a world taken to the logical extreme. Imagine if the full capabilities of strong cryptography come into common practice. The result is a triad of absolute rights, enforced by the availability of the technology and unlimited by any purely legel distinctions:

First, there is the right to encrypt. This is the cyberspatial analog of a fundamental libretarian doctrine: individuals have a right to defend themselves. Strong encryption is quite unlike physical world weapons in that it is purely defensive, and is equally effective against adversaries of all sizes. The right to encrypt provides protection against the attacks of individuals, large private organizations, and particularly governments. Strong encryption constitutes a technological implementation of the fourth amendment, except that it protects against all searches and seizures, not just the "unreasonable" ones. The search and seizure of the files in a computer system is quite ineffective if all the files are encrypted. In order to unlock the data, the seizing authority must obtain the cryptographic keys. They will naturally want to force people to turn over the keys. But in any society that respects the fifth amendment, no one should be forced to testify against himself. If the society does not respect the fifth amendment, then it may be neccessary to destroy the keys. With a little advance planning, that deletion could be accomplished in a few keystrokes. Provided that they have the right technology, no one can be forced to get his records to testify against himself. This puts a serious hole in the investigative tools of law enforcement. Some would say that it makes law enforcement impossible.

Second, there is the right to free speach. This is an absolute right, enforced by strong cryptography. Encryption allows you to say anything at all to anyone you trust, without risking giving away any information about what you're talking about to anyone else. The people who are opposed the things you are saying can hardly stop you if they don't even know that you're talking. Through the use of anonymity, even trust of the recipient becomes unneeded. If your anonymity is sound, you can say anything you like, provided that what you say does not in itself reveal your identity. Intellectual property violation, defamation of character, obscenity, harrasment, national security leaks, and advocacy of violence are all well protected by strong cryptography. Taken to the logical extreme, this right to free speach can destroy the publishing, software and entertainment industries, and jeopardize lives and even nations. Third, there is the right to transactions. This is another absolute, technologically enforced right. With good anonymity, signatures, and digital cash, two parties can communicate and agree to any contract, and then fulfill the contract, sometimes entirely in cyberspace, all without ever knowing each other's true identity and without revealing anything to the outside world, not even that either party sent or recieved any communications. The potential total secrecy and convenience of digital cash transactions unfortunately make it an ideal haven for all kinds of unsavory activity. The anonymity of digital cash, combined with the low effort needed to transfer large sums, might make it the ideal medium of exchange for smugglers, in particular drug dealers. Infringement on intellectual property is common enough in cyberspace due to the ease of digital copying. Add the protection of anonymity and now the incentive provided by untracable digital cash, and intelectual property protection is rendered impossible. But much more than just intelectual property is at stake: "Combined with emerging information markets, crypto anarchy will create a liquid market for any and all material which can be put into words and pictures."(1) ** An untracable means of payment like digital cash would prove tremendously useful to the sellers of the obsene. It would also help to make practical the sale of the valuable secrets of any large organization. Imagine if trade secrets and insider information could be sold anonymously to the highest bidder. Now extend this market to include national secrets. Keeping in mind that digital cash transactions can be untraceble, consider what happens if digital cash becomes common: Is taxation still possible? Can governments continue to function? How is the govenment going to collect on transactions it cannot even know exit? Next imagine what the ability to send truely anonymous threats could do for the business of extortion. Imagine what would happen if professional assasins could expand their customer base and enhance their own safety by doing business anonymously. The technology of anonymous untraceable payment has enourmous destructive potential.

** The rest of the paragraph, from the ** forward, draws heavily on (1).

Is it inevitable?

"Arise, you have nothing to lose but your barbed wire fences!"(1)

Unfortunately, it seems that the case for the inevitability of at least some measure of crypto-anarchy is quite strong. First, the development of encryption technology is not going to stop. If anything, it is accelerating. Thomas Huges, a historian of technology, argues that technological systems develop their own momentum. In particular, momentum tends to appear when "Numerous persons develop specialized skills and aquire speciallized knowledge appropriate for the system of which they are a part." (13, p.460) In the case of strong cryptography, I can identify two classes of people who have made such a commitment to the field. First, there are the cypherpunks themselves, who have dedicated themselves to the cause of making this technology happen. Their mantra, "Cypherpunks write code," is sometimes intended as a general admonition to get involved, but can also be interprated more literally as a command to take the theoretical cryptography produced by the mathematicians and turn it into real world software. (14, section 4.5). Strong cryptography has also attracted a large number of fresh talented mathematicians, who have started their professional carreers with work in cryptography. Many of these theorists are probably in the field for life, and will continue to push the frontiers of knowledge outwards untill the limits of the possible are known.

Another great advantage that the developers of strong cryptography enjoy is the practice of wide distribution of freeware and the safety of regulatory arbitrage.(12, 15) information about cryptography is widely copied all over the planet, which provides broad exposure and redundent backups in case of loss or political oppression. Though many nations may make their own restrictive rules concerning crypography, the nature of the Internet allows the information and the young systems to find safe havens. Any nation that tried to eliminate crypto within it's boarders whould either have to shut down its part of the Internet or else find information on crypto leaking across the boarder from places with less restrictive rules. A working RSA crytosytem can has even been packed into a four line sig file, and printed on T-shirts.(16)

What about the anarchy part?

Some signs are begining to show that the contradiction of bits you're not allowed to copy will have to be resolved. But even if the resolution of intellectual property issues ends the publishing,entertainment, and software industries as we know them, society should survive and recover. The use of anonymous communications for defamation, harassment etc. has started to happen, but it doesn't matter all that much. People don't lend the same credence to anonymous messages as they do to identified ones. And most people can survive a little bad-mouthing anyway.

The only dramatically dangerous part of strong crypto is wide-spread untracable anonymous electronic payment for illegal goods and services. This backround is essential in order to make possible the "abhorent" markets of full crypto-anarchy. So far, digital cash has barely gotten off the ground. Some authors have suggested that even full-blown digital cash wouldn't mean the end of civilization :) Vincent Cate proposes that strong crypto and regulatory arbitrage will end government in cyberspace, but that physical space will remain quite regulable.(2) Hal Finney has proposed that digital cash will be unable to displace the existing monetary infrastructure, and will just end up as just a professional's share of the already existing cash economy, while the rest of the world continues without major change.(16) Wouldn't that be an anti-climax?

I might add that over-hyping of the changes due to cryptography is actually counterproductive. To the extent that law enforcement believes these projections, the government will oppose simple cryptographic technologies that do have an important role to play in preserving privacy.

Hal Finney

hfinney@shell.portal.com

Sources Cited

2. "tax-free-in-cyberspace.html" by Vincent Cate. ftp://furmint.nectar.cs.cmu.edu/security/cypheressay/tax-free-in-cyberspace.html

3. "The Search for Provably Secure Cryptosystems" by Shafi Goldwasser. Proceedings of Symposia in Applied Mathematics, pp. 89-113, Volume 42, 1990.

4. "The Kerberos Network Authentication Service (V5)", an internet-dreaft by John Kohl. file://athena-dist.mit.edu/pub/kerberos/doc/V5REV5-1.PS

5. Cryptography: A New Dimension in Computer Data Security, by Carl H. Meyer and Stephen M. Matyas, published 1982 by John Wiley & Sons, Inc.

6. "TR CS94-12 - Authorisation and Privacy in a Networked World" by Lawrie Brown. gopher://gopher.adfa.oz.au/00/About%20ADFA/Computer%20Science/Technical%20Reports /TR%20CS94-12%20-%20Authorisation%20and%20Privacy%20in%20a%20Networked%20World

7. Untitled, URL http://www.clas.ufl.edu/~avi/NII/wsj_avi-response.txt http://www.clas.ufl.edu/~avi/NII/wsj_avi-response.txt

8. Untitled, URL http://www.tezcat.com/~wednsday/penet.pr http://www.tezcat.com/~wednsday/penet.pr

9. "The Dining Cryptographers Problem: Unconditional Sender Untraceability," D. Chaum, (invited) Journal of Cryptology, vol. 1 no. 1, 1988, pp. 65-75. Also available at ftp.csua.berkeley.edu in pub/cypherpunks/papers

10. "Security without Identification:Card Computers to make Big Brother Obsolete" by D. Chaum, http://digicash.support.nl/publish/bigbro.html

11. Records, Computers, and the Rights of Citizens, Report of the Secretary's Advisory Committee on Automated Personal Data Systems. U.S. Dept. of Health, Education & Welfare, 1973.

12. "A Cypherpunk's Manifesto" by Eric Hughes ftp://alex.sp.cs.cmu.edu/security/cypheressay/cypherpunk-manifesto

13. American Genesis by Thomas P. Hughes, Penguin Boooks 1989

14. THE CYPHERNOMICON by Timothy C. May http://www-swiss.ai.mit.edu/6095/articles/cyphernomicon/CP-FAQ

15. "Regulatory-arbitrage" by Eric Hughes ftp://alex.sp.cs.cmu.edu/security/cypheressay/regulatory-arbitrage

16. "export-a-crypto-system sig" http://dcs.ex.ac.uk/~aba/rsa/

17. "crypto-impact" ftp://alex.sp.cs.cmu.edu/security/cypheressay/crypto-impact