The message below didn't get any discussion. Too bad. The issues
were and are important ones. We talked about them more in the 1992-3
period, with a later flurry in 1995 (I remember, because I can
picture myself in my new house, writing and reading such articles).
Comments below.
At 10:21 PM -0700 7/25/00, Ray Dillinger wrote:
>There are a number of programs out there that implement "encrypted
>message" and "digital signature" protocols, but I've been reading
>here and there about all these other protocols:
>
>Digital Cash
>Secure Marketplace
>Secure Auction
>Fair Cointoss
>Oblivious Transfer
>Secret Sharing
>Secret splitting
>Proof of Membership
>
>etc....
>
>And I've seen implementations of only two of them:
>
>Digital cash has been done by a few companies, but so far
>none that I'd call cryptographically secure *and* transferable
>between end-users. Moreover, none of these companies backs
>their currency with anything having intrinsic value -- which
>is something you just have to do unless you're a country, I
>think, or what you have is not a currency at all. (in fact,
>there's a few *countries* whose currencies I wouldn't trust
>right now...)
>
>and the fair coin toss was implemented for some online gaming
>junk as a special case of a fair die roll.
>
>Isn't there any piece of software that knows how to do a bunch
>of these protocols?
This is the key question, no pun intended. A kind of language for
generating complex protocols was something Eric Hughes and I
discussed at length before even holding the first meeting of what
became the Cypherpunks group. Your list above accurately summarizes
all the protocols which _ought_ to be generatable.
To elaborate on "generatable," something like a "CAD program for
crypto" is what we were talking about. Bob Baldwin, when he was at
MIT, had a "Cryptographer's Workbench"--more focused on what we
think of as ciphers than on the building blocks for financial crypto,
trading systems, reputations, etc. But in the direction we're talking
about.
The ideas Eric and I were so excited about can be summarized thusly:
"Let's take the abstract math and CS ideas from the various Crypto
Conference papers and actually reify them in working code."
Another way of looking at this is to imagine a "small world" based on
simple exchanges between the residents of that world, Alice and Bob
and their various friends and opponents (Charles, Dora, Eve, etc.).
Flipping coins, doing all-or-nothing disclosures, running DC Nets,
trading secrets, passing reputations, and so on. All the stuff we are
interested in for other reasons, but implemented in a kind of "Crypto
World."
Assuming certain cryptographic core operations (RSA
signing/encryption, mod exponentiation, random number generation--the
CPU-intensive stuff and possibly patented/copyrighted stuff), the
"cool project" would then be to implement the stuff in the various
Crypto Conference Proceedings.
Alas, it hasn't happened. Not even the _developers_ of the various
protocols described above have runnable demos!!!! (At least none I've
seen or heard of.)
We expected the DC Net Protocol, even the version extant as of 1992
(Chaum, Pfitzmann, et al.), to be implemented by now in Perl, or
Python, or Smalltalk, or whatever. Java was supposed to make gluing
together things as applets easy. Didn't happen, at least not for
crypto.
I'm not sure why this situation is the way it is.
There are crypto libraries, like Crypto++, but they fall far short of
providing building blocks such as you list above.
A motivation for generating these protocols, even if slightly
imperfect and not "ready for prime time" financial transactions, is
to allow for simulations of behavior in systems where the players or
agents have cryptographic capabilities. Kind of a Vernor Vinge "True
Names" or Neal Stephenson world in which players can flip fair coins,
gamble, create subliminal channels, experiment with steganography,
buy and sell bits untraceably, and all the usual fun stuff of the
Cypherpunks canon.
Alas, we're mired at the level of very basic protocols. Even spinning
CPU cycles on which cipher is the best replacement for DES. Groan.
(Not saying that's not an important type of crypto for some people to
think about...)
I started some work on using Smalltalk to build an "actor" (a la
Hewitt) system for little "Alice actors" and "Bob actors" and
suchlike to interact with each other via these protocols. Haven't
gotten very far. Maybe if I were 22 years old instead of 48 years old
I could muster the single-minded focus to make progress.
Age causes several effects. Slowing down of thinking is really not
one of them...I think I'm as smart now as I was when I was 22. But
what happens, and I've seen this a lot, is that it becomes
increasingly hard to dedicate big chunks of one's life to some bit of
minutiae. This is why young men tend to focus for several years on
some rare type of caterpillar, or some obscure mathematical theory,
and so on. As people get older, they become more general. The
prospect of toiling away for several years on a very focused project
becomes less attractive. They also "know too much" about how
projects can fail, about how their results are likely to be used,
etc. Which is a long way of saying that I'm probably not going to put
thousands of man-hours into building my ideas of a protocol
generator! Even though five years from now I may look back and say to
myself: "You know, if you devoted the time you did to the Cypherpunks
list to Python or Squeak, you could have made a lot of progress." It
just doesn't seem to work out that way.
And there's the issue of recruiting helpers and suchlike. Few large
software projects happen with just one person (Phil Z. did PGP 1.0,
but it was essentially DOA. PGP 2.0 was a project with about half a
dozen participants, and it's the one that got used).
I do a lot better writing anarcho-capitalist screeds than I would
ever do recruiting helpers on a software project like this.
I would certainly encourage people to look into this. The core crypto
is already there: RSA operations (soon to be unencumbered), modular
exponentiations, blinding (still encumbered, but there are the
"agnostic" workarounds discussed by Barnes and Goldberg), etc. And
there are powerful languages like Python (they tell me) for gluing
together such things.
There is absolutely no reason why a "Crypto World" cannot be built,
with more and more of the protocols that Ray lists implemented with
varying degrees of efficiency and robustness. Even if crudely
implemented, exploring interactions in this Crypto World would be
interesting, and possibly useful in the Real World.
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
"Cyphernomicon" | black markets, collapse of governments.
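The "small world" of Alice and Bob actors running protocols on top of a few core primitives, as an added example that is not code from the original post or from any project it names: two actors exchange messages through a tiny harness and run a commitment-based fair coin toss (Blum's protocol: commit, send bit, open, XOR), including the check that catches Alice if she tries to change her bit after seeing Bob's. The World and Actor classes, the SHA-256 hash commitment and the cheat_bit parameter are assumptions made for this illustration.

```python
import hashlib
import secrets
from collections import deque


class World:
    """Holds the transcript of every message sent between actors (assumed harness)."""

    def __init__(self):
        self.transcript = []


class Actor:
    """Hewitt-style actor: a name, a mailbox and a send primitive (assumed harness)."""

    def __init__(self, name, world):
        self.name = name
        self.world = world
        self.inbox = deque()

    def send(self, peer, msg):
        self.world.transcript.append((self.name, peer.name, msg))
        peer.inbox.append(msg)

    def recv(self):
        return self.inbox.popleft()


def commit(bit, nonce):
    """Hash commitment to one bit; the random 16-byte nonce is what keeps it hiding."""
    return hashlib.sha256(nonce + bytes([bit])).hexdigest()


def fair_coin_toss(alice, bob, alice_bit, bob_bit, cheat_bit=None):
    """Blum coin flip between two actors.

    1. Alice commits to alice_bit and sends only the commitment.
    2. Bob replies with bob_bit in the clear; he cannot bias the result
       because the commitment hides Alice's bit.
    3. Alice opens the commitment. If cheat_bit is set she opens with
       that bit instead, modelling an attempt to change her mind after
       seeing Bob's bit (assumed parameter, for demonstration only).
    4. Bob recomputes the commitment from the opening. On mismatch he
       rejects; otherwise the coin is alice_bit XOR bob_bit.
    Returns (coin, accepted); coin is None when Bob rejects.
    """
    nonce = secrets.token_bytes(16)
    alice.send(bob, {"type": "commit", "c": commit(alice_bit, nonce)})
    c = bob.recv()["c"]

    bob.send(alice, {"type": "bit", "b": bob_bit})
    b = alice.recv()["b"]

    opened = alice_bit if cheat_bit is None else cheat_bit
    alice.send(bob, {"type": "open", "bit": opened, "nonce": nonce})
    opening = bob.recv()

    if commit(opening["bit"], opening["nonce"]) != c:
        return None, False  # opening does not match the commitment: Alice cheated
    return opening["bit"] ^ b, True


def random_toss(world):
    """Honest run with fresh random bits chosen by both sides."""
    alice, bob = Actor("Alice", world), Actor("Bob", world)
    return fair_coin_toss(alice, bob, secrets.randbelow(2), secrets.randbelow(2))


if __name__ == "__main__":
    w = World()
    print(fair_coin_toss(Actor("Alice", w), Actor("Bob", w), 0, 1))  # (1, True)
    print(fair_coin_toss(Actor("Alice", w), Actor("Bob", w), 0, 1, cheat_bit=1))  # (None, False)
    for sender, receiver, msg in w.transcript:
        print(f"{sender} -> {receiver}: {msg['type']}")
```

The harness models only the message order, which is where the fairness comes from: Bob's bit must be sent after Alice's commitment and before her opening, and Bob's recomputation of the commitment is the only check that stops Alice from picking whichever opening gives her the coin she wants. It does not model the channel, so an authenticated transport (or signatures on each message) would still be needed before the same actors could do anything money-like.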