Crypto Protocols are Hard to Analyze

[tcmay@netcom.com (Timothy C. May)]

Fellow Cypherdroids,

Crypto protocols are _hard_ to analyze! Speaking for myself, keeping the
many combinations and permutations of crypto terms, channels, spoofing
scenarios, and whatnot, straight is very confusing.

This should be no great revelation to any of you who've tried to closely
follow the protocols for digital cash (coins, coupons, certificates of
deposit, blinded notes, and even "S&H Green Stamps"). Analyzing and finding
flaws (often subtle) in cryptographic and digital money protocols is
time-consuming.

I'm currently trying to analyze a digital cash "coupon" system proposed by
Nick Szabo, and Hal Finney last night posted his initial analysis of the
"NetCash" scheme proposed recently. And the physical Cypherpunks meetings
have recently been dominated by fairly gory details ("gory" means highly
detailed and potentially confusing) of such new proposed systems as "Twain
(tm)," an anonymous remailer (and its associated pieces, like "Clemens
(tm)"...don't ask me to explain, as I got lost in the process!), and
"Digital Silk Road (tm)" (and its own associated pieces, "Joule (tm),"
"INDRA (tm)," etc.).

(Sidenote: I get worried when so many new protocols are already being given
names and being, to various degrees, "productized." Could this be a case of
"premature productization"?)

And anyone who looks at the "Advances in Cryptology-CRYPTO 'xx" books, the
books where the main crypto results are published (along with "EuroCrypt,"
"AusCrypt," and "AsiaCrypt"...mostly all published by Springer-Verlag in
their silver-grey paperback series), will quickly see the explosion of
complex protocols.


What's the connection with Cypherpunks?

After all, we all know this stuff is complex, so what's the big deal?

I argue that a group such as ours, devoted to actually exploring and
perhaps deploying modern crypto ideas, should try to *do something* about
the combinatorial explosion of concepts, terms, and confusing protocols.

It has been said about AI that 90% of the work is currently just
reinvention of terms of yore, with new ideas mainly being rehashes of
things invented 10 or 20 years earlier. My fear is that "digital money," to
name just one example, is showing the same sort of thing, with lots of new
terms for basic ideas, lots of complicated protocols which are (admittedly)
hard to analyze (to try to break, to try to spoof, to "game against"). Many
of these complex protocols simply _won't_ get analyzed in enough detail, if
only because there aren't enough of us to do the analyses.

(The obvious danger of _not_ analyzing a digital money scheme in enough
detail, with enough paranoid motivation, is that it gets deployed and then
broken by someone who knows how to break it--someone who has studied a
similar problem and knows the points of weakness, someone who is just
lucky, whatever. This could wipe out the developers, sow mistrust amongst
the Cypherpunks/crypto community, etc.)

Evidence that "protocols are hard to analyze" lies in the fact that only
recently has basic public-key crypto begun to spread...and there are still
lots of folks looking for weaknesses in PGP, for example. Almost nothing
using more recent protocols has shown up....no "Pretty Good Digital Cash,"
not "Pretty Good Digital Timestamping," etc. (Though our own remailers,
while very far from even Chaum's 1981 system, are interesting. Let's just
not think of them as "cryptographic" in any sense...they rely almost
totally on simple trust, a major cryptographic no-no.)

More complicated protocols, like the "Dining Cryptographers Problem"
(Chaum's paper on this should still be in the "soda" archives), are just a
_piece_ of what's needed for our longterm Cypherpunks future (which I
choose to call "crypto anarchy"), and yet analysis of it consumes
_hundreds_ of pages (see, for example, the Jurgen Bos Ph.D. thesis I
distributed a year ago at the first Cypherpunks meeting.)

Am I proposing anything constructive here?

First, I am not proposing limiting the universe of discourse on this List
in any way. Folks will always be free to say whatever they like, to use
whatever terms they wish. Second, I'm not pushing a particular agenda...at
least I hope I am not.

Here are some suggestions, some things to mull over.

1. Our archive site of papers and books is not available to many of the
folks attempting to develop new protocols. To pick one example: digital
money in all its various forms. The several proposals for digital cash
(digital postage, NetCash, S&H green stamps, Cayman Islands deposits, etc.)
are sometimes repeats of work done years ago--and shown to be flawed in
major ways. 

Workers in this field should of course plan to acquire _all_ of the
relevant papers, and probably should be at this year's "Crypto" conference
(too late now). There just is no excuse for trying to "reinvent the wheel"
when folks who are working full-time on something have already tilled the
field (to mix some metaphors). It may be true that gifted amateurs can
sometimes discover something the experts have not (after all, our fellow
Cypherpunk Whit Diffie was in some sense a "gifted amateur" in the mid-70s,
when nearly all "serious" cryptologists worked for the NSA), but it happens
fairly rarely. 

We need to encourage serious workers to obtain and read all of the
previously published material (the "Information Liberation Front," from
which little has been heard lately, can only scan and OCR a tiny fraction
of the papers that are relevant, and even then can't reasonably handle
equations and mathematical arguments).

2. We should agree on some terms, somehow, so that we're using a *common
language* and not wasting huge amounts of time trying to deduce what Alice
means by "return receipt" versus what Bob means when he uses the same term.
(For example, Eric Messick calls his things "onions," suggesting multiple
layers of "return postage guaranteed" envelopes. This may be a great idea,
and even a great name (which we may all be using in 5 years), but it is
potentially confusing, I think you'll agree.)


(Formal crypto papers often use their own terminology, and those of us who
read the papers have to convert from, say, "blobs" (a Chaum/Brassard term),
to the terms favored by others. A few "Schelling points" for terms have
appeared, usually with some groundbreaking or widely read paper, but
cryptologists continue to reinvent their own terms, sometimes because they
haven't understood the work of others, sometimes because of "NIH.")

3. The lack of a FAQ is not really the issue, as the issues I'm talking
about here go somewhat deeper than nearly any FAQ will ever go. Possibly a
much-expanded "Glossary" (also in the "soda" archives) could be used to
ensure more of us are using the standard terms.

4. I recommend we _not_ spend a lot of time at Cypherpunks meetings on
detailed protocols, as these are notoriously hard for people to follow,
except in broad outlines. People "space out" on the details and teh devil's
in the details. 

Rather, more detailed written papers are the best way, I think, to convey
complicated ideas. Written papers force the writers to more carefully state
their assumptions, their reliance on previous works, and to then more
carefully work through their line of reasoning. Readers who are interested
can then work through the papers in as much detail as they wish. Sometimes
it takes many hours to work through a protocol. For example, I must've
spent 10 hours going through Chaum's DC-Net paper, drawing pictures, going
back to his 1981 paper on "mixes," and generally reading and rereading.
(Then I spent even more time explaining it in a series of essays to the
Extropians mailing list, before this list existed.)

5. Eric Hughes and I toyed with the idea of creating a "protocol analysis
language," or at least a toolkit for describing and diagramming protocols
(inspired by the Chaum-school "triangle" diagrams, which place the
"Customer," the "Shop," and the "Bank" in a triangle and then analyze who
knows what, where the bits flow, who can prove what, etc.).

Here's just the most basic and initial look at such a diagram:


                   Customer
                   /      \
                  /        \           (I won't add all the other stuff)
                 /          \
               Shop---------Bank


(The "nouns" then have channels, actions ("verbs"), etc. associated with
them. The digital money protocols are themselves complicated, involving
"bit commitment," "blinding," and the like. And then there are the
complications of any of these entities attempting to "break" the system, to
steal money, to spend a digital token more than is authorized, to trace the
flow of money, etc. Collusion, spoofing, etc. It gets confusing very fast.)


Nothing has so far come of this idea, but it seems to me to be a shame that
we're just drawing chicken marks on paper or on whiteboards (and losing
most of the audience along the way, at least in terms of the all-important
details). Complicated protocols--and the digital money constellation of
ideas is just one--demand more powerful tools. 

(Speculatively, what I would someday hope to see is a kind of "Protocol
Compiler," with functional specs (possibly written in a very higl-level
language) transformed/rewritten to the best set of protocols available. The
building blocks would be various forms of encryption, of reputations, of
blinding, and so on. Each of the building blocks could be analyzed
separately and improved upon....and probably bought from specialized
developers. I know of no work along these lines, though. But I would not be
at all surprised to find that some groups are doing something like
this--the combinatorial explosion of possibilities makes hand-analysis
problematic.)

Well, enough for now. Let me know what you think.

With lots of new ideas for digital cash, remailers, mixes, digital betting
schemes, coupons, postage, data havens, digital voting, and all the rest,
we'll soon be drowning in protocols none of us have the time--or specific
expertise--to analyze.

Right now the crypto enthusiasts and amateurs are still stuck at the
"Here's my idea for a new cipher...can you break it?" level, not even
having reached the level of proposing new public key systems. We are
beginning to see proposals on the Net for new digital money systems
(NetCash being the most recent example). Over the next several years, there
may be an explosion of these new proposals. Analyzing and quickly debunking
them (when they need debunking, as most do...I am not saying this in a
disdainful way, just noting reality....nothing is gained by the adoption of
weak schemes) will be a challenge.

Perhaps one Cypherpunks goal could be to maintain a publicly accessible
database (in hypertext, even, using the World Wide Web or similar) of
published techniques, of how to break or spoof them, of tips and tricks,
and so on. (Yes, I am interested in working on something like this.)

Best wishes,


-Tim May


--
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: by arrangement
Note: I put time and money into writing this posting. I hope you enjoy it.