cryptography vs. mass surveillancecms16.item.ntnu.no/slides/rogaway.pdf · before snowden 2014...
TRANSCRIPT
1 / 35
Imagecredit:“AdventuresinAnima3on3D”(2004)PhillipRogawayDepartmentofComputerScienceUniversityofCalifornia,Davis,USA
Cryptographyvs.MassSurveillance
WiththankstoS8gMjølsnesandBri<aHaleforinvi3ngmeandarrangingmyvisit!
TalkforCryptovs.MassSurveillance:TheUneasyRela8onshipworkshop14November2016Trondheim,Norway
2 / 35
The3tleimaginesthetwostandinginopposi8on.Dothey?
Fromadescrip8vestandpoint:no.Cryptohasnotbeeneffec3veatcurtailingmasssurveillance…andmostcryptographersdonotseethisasourrole.
Fromanorma8vestandpoint:maybe.Manythinkcryptographyshouldstandinopposi3ontomasssurveillance.Butnotatallclearthatitcould.
Oughtimpliescan.
WHYhasn’tcryptohelped?
CANcryptohelp?
Cryptographyvs.MassSurveillance
3 / 35
Cryptography–thescienceofsecurecommunica8ons.
Masssurveillance–thespectacularfailuretosecurecommunica3ons.
Youwouldthink• thesewouldbeinopposi3on,andthat• cryptographerswouldbeaghastbymasssurveillancerevela3ons.
You’dbewrong.Mostofmycommunitydoesn’tseeaconnec3on,andthinksthingsaregoinggreat.
4 / 35
ArosyassessmentofCS
Computerscienceismarkinganepicalchangeinhumanhistory.Weareconqueringanewandvastscien3ficcon3nent.…Virtuallyallareasofhumanac3vity…[and]virtuallyallareasallareasofhumanknowledge…arebenefi]ngfromourconceptualandtechnicalcontribu3ons.…Longlivecomputerscience!
CryptographerSilvioMicali
TuringAwardacceptancespeech15June2013
Abouta1.5weeksaaertheini3alSnowdenrevela3ons(Verizon+PRISM)
5 / 35
2013IACR-sponsoredconferences156papers(3067pages)0paperswiththeword“surveillance”
BeforeSnowden
2014IACR-sponsoredconferences155papers(2910pages)1paperwiththeword“surveillance”(mine)
AQerSnowden
2015:1paper2016:3papers
Cryptographersdon’tcareaboutmasssurveillance
2011:0papers2012:0papers
(workon)
6 / 35
The Summer of Snowden 2013
7 / 35
Whywasn’tIpayingmorea<en8ontothisearlier?
1993ClipperChip1980
200920021983
BillBinney
ThomasDrake
KirkWiebe
MarkKlein
DianeRoark
8 / 35
2013/451CandidateIndis8nguishabilityObfusca8onandFunc8onalEncryp8onforallcircuitsSanjamGargandCraigGentryandShaiHaleviandMarianaRaykovaandAmitSahaiandBrentWaters2013/454HowtoUseIndis8nguishabilityObfusca8on:DeniableEncryp8on,andMoreAmitSahaiandBrentWaters2013/471Obfusca8ngConjunc8onsZvikaBrakerskiandGuyN.Rothblum2013/500Obfusca8ngBranchingProgramsUsingBlack-BoxPseudo-FreeGroupsRanCaneEandVinodVaikuntanathan2013/509ReplacingaRandomOracle:FullDomainHashFromIndis8nguishabilityObfusca8onSusanHohenbergerandAmitSahaiandBrentWaters2013/557Black-BoxObfusca8onford-CNFsZvikaBrakerskiandGuyN.Rothblum2013/563VirtualBlack-BoxObfusca8onforAllCircuitsviaGenericGradedEncodingZvikaBrakerskiandGuyN.Rothblum2013/601Two-roundsecureMPCfromIndis8nguishabilityObfusca8onSanjamGargandCraigGentryandShaiHaleviandMarianaRaykova2013/631Protec8ngObfusca8onAgainstAlgebraicA<acksBoazBarakandSanjamGargandYaelTaumanKalaiandOmerPanethandAmitSahai2013/641Indis8nguishabilityObfusca8onvs.Auxiliary-InputExtractableFunc8ons:OneMustFallNirBitanskyandRanCaneEandOmerPanethandAlonRosen2013/642Mul8partyKeyExchange,EfficientTraitorTracing,andMorefromIndis8nguishabilityObfusca8onDanBonehandMarkZhandry2013/643ThereisnoIndis8nguishabilityObfusca8oninPessilandTalMoranandAlonRosen2013/650OnExtractability(a.k.a.Differing-Inputs)Obfusca8onEleMeBoyleandKai-MinChungandRafaelPass2013/665TheImpossibilityofObfusca8onwithaUniversalSimulatorHenryCohnandShafiGoldwasserandYaelTaumanKalai2013/668Obfusca8onforEvasiveFunc8onsBoazBarakandNirBitanskyandRanCaneEandYaelTaumanKalaiandOmerPanethandAmitSahai
Cryptographers–toobusywithiOtono8ceSnowden?
9 / 35
10 / 35 ReleasedbyDerSpiegel,Sept9,2013
11 / 35
Nohumanunderstandswhat’sgoingon
Execu3veorder12333 FISA
FISAAA
PATRIOTAct
HSPD-23PPD-20 FreedomAct CALEA
ECPA
ACLU+ProPublica
12 / 35
Howmanycopiesofthecommunica3onsarearchived,bywhom,forhowlong?Whatalgorithmsareapplied–orwillbeapplied–tothedata?Whatisthedatacombinedwith?Whenmightahumananalystbecomeinvolved?Whatconsequencesmightstemfromthecommunica3onscontent?
Thebasicsarenotknown
Secrecy+Complexity• Reducesthepossibilityofeffec3vereform.• Isitselfanexerciseoftradecraa.
Phone,EmailSkype,SMS,
PGP/Windows,…
Phil Mihir
13 / 35
Whilethere’snooneanswer,thereisonethemeexplainingthedisinclina>ontohelp:
It’stheculture,stupid.
Socryptographershavebeendisinclinedtoworkonmasssurveillance,anddon’tseecryptoasrelevant.
ButWHY?
Amorespecificanswer.Withabitofanexplana3on.
14 / 35
Fromwheredidthisdisciplinaryculturecome?
15 / 35
[GM]Goldwasser,Micali–STOC1982(JCSS84)Probabilis3cencryp3onandhowtoplaymentalpokerkeepingsecretallpar3alinforma3on[GMR]Goldwasser,Micali,Rivest–FOCS84(SIAM88)A“paradoxical”solu3ontothesignatureproblem[GMR]Goldwasser,Micali,Rackoff–STOC85(SIAM89)Theknowledgecomplexityofinterac3veproofsystems[GMW1]Goldreich,Micali,Wigderson–FOCS86(JACM91)Proofsthatyieldnothingbuttheirvalidityandamethodologyofcryptographicprotocoldesign[GMW2]Goldreich,Micali,Wigderson–STOC87HowtoplayanymentalgameorAcompletenesstheoremforprotocolswithhonestmajority
ShafiGoldwasser SilvioMicaliRonRivest
• Abranchoftheory• Problemselec8on:aesthe8cs,philosophy
• Youthful• Iconic,paradigma8cworksthat
capturedtheimagina8on
MITLabforComputerScienceTheoryofComputa8onGroupCryptography–mid-1980’s
Foundingethos.Cryptoistheory,philosophy,andimagina3on.
Embeddedethos.Thisethosremainsdominant,con3nuallyrenewedbytechnicalandnontechnicalchoices.
16 / 35
Scien8ficrealismCisasitisbecauseofthenatureofrealityCisinevitableCisobjec3ve,ahistorical,andpoli3callyneutralCisbutsuperficiallyshapedbythedisciplinarycultureCisascience.Wediscoverit.
Whatiscryptography?Philosophically…Sociologically…
“TheScienceWars”asprojectedontomycorneroftheworld
cryptographicresearchisindeedpartofscience.Thisasser3onisempiricalanditreferstothecurrentsociologyofthediscipline;thatis,webelievethatthevastmajorityofthemembersofthisresearchcommunityiden3fythemselvesasscien3sts…OnPost-ModernCryptography,OdedGoldreich,2006
C=moderncryptography
17 / 35
thebodyofworkourcommunityhasproducedislesstheinevitableconsequenceofwhatweaimtostudythanthecon3ngentconsequenceofsensibili3esandassump3onswithinourdisciplinaryculture…Iwouldclaimthatcryptography,eveninitsmostpureandscien3ficpersona,isquitestronglyconstructed.PracSce-OrientedProvable-SecurityandtheSocialConstrucSonofCryptography,P.Rogaway,2009
Socialconstruc8onismCneednotbeasitis.ItisnotinevitableCisnotdeterminedbythenatureofthings.ClookslikeitdoesduetosocialandhistoricalforcesCisshapedbythedisciplinarycultureCisatechnology.Weinventit.
“TheScienceWars”asprojectedontomycorneroftheworld
Whatiscryptography?Philosophically…Sociologically…
C=moderncryptography
18 / 35
Irrelevance.Imagina3on-genesisworkcan’tactuallyfindaroutetoprac3ce.
Whenmostcryptographersareblue…
Hereforfun.Intellectualityassport—pragma3smassmall-mindedness.
Standardiza8onnon-par8cipa8on.Cryptostandardswithoutthecryptographers.
Distancedfromsecurity.Cryptographersdon’tseeevenprominentsecurityproblemsbecauseofcommunitystructure.
Value-neutralview.Themyththatscienceandtechnologyisvalue-neutral.
1 12
811
9
2319
3.Technologyitselfisvalue-neutral:itiswhathumansdowithtechnologythatis
right/wrong.
Endofterm
Beginning-oftermsurveydatafrommyclassECS188“EthicsinanAgeofTechnology”,W13
“Technologyitselfisvalue-neutral:itiswhathumansdowithtechnologythatisrightorwrong.”
StronglyagreeStronglydisagree
19 / 35
D. Chaum, Untraceable electronic mail, return addresses, and digital pseudonyms CACM 1981 (4368 citations)
S. Goldwasser and S. Micali, Probabilistic encryption
STOC82+JCSS 1984 (3733 citations)
Spawned Disjoint Communities
Communityfracture.Spli]ngoffofPETS,symbolicapproachestocrypto,…
GrewintothePETScommunity
GrewintotheIACRcommunity
20 / 35
Y.Lindell
J.Groth
P.Rogaway
Adversariesareno8onal.Wejokeaboutthem.Weseecryptoasagame.
Formostcryptographers…
Adversarialabstrac8on.Trea3ngtheadversaryno3onally.
¹
21 / 35
(U)Threeofthelastfoursessionswereofnovaluewhatever,andindeedtherewasalmostnothingatEurocrypttointerestus(thisisgoodnews!).(U)Therewerenoproposalsofcryptosystems,nonovelcryptanalysisofolddesigns,evenverylivleonhardwaredesign.Ireallydon’tseehowthingscouldhavebeenbeMerforourpurposes.(U)Theconferenceagainofferedaninteres3ngviewintothethoughtprocessesoftheworld’sleading“cryptologists.”ItisindeedremarkablehowfartheAgencyhasstrayedfromtheTruePath.
EUROCRYPT’92report:
Ourirrelevancehasn’tbeenlostonpower
[emphasismine]
Unthreateninglyengaged.We’rehappytodostuffirrelevanttopower.
22 / 35
Whynoreac8on?
• NothingIknowisrelevant.• ThesearepoliScalissues;
Iamnotanexpertonpublic-policy;thisisnotourprofessionalconcern.
Extremespecializa8on.Canrobscien3stsofanysenseofagency.
Ifone’stechnicalworkisn’tevenrelevanttosecurity,howisitsupposedtoberelevanttoasocio-technicalproblemlikethis?
AnOpenLe<erfromUSResearchersinCryptographyandInforma8onSecurity
January24,2014
Media reports since last June have revealed that the US government conducts domes3c and interna3onal surveillance on a massive scale, that it engages indeliberate and covert weakening of Internet security standards, and that it pressures US technology companies to deploy backdoors and other data-collec3onfeatures.AsleadingmembersoftheUScryptographyandinforma3on-securityresearchcommuni3es,wedeploretheseprac3cesandurgethattheybechanged.Indiscriminatecollec3on,storage,andprocessingofunprecedentedamountsofpersonalinforma3onchillfreespeechandinvitemanytypesofabuse,rangingfrommissioncreepto iden3ty thea.Thesearenothypothe3calproblems; theyhaveoccurredmany3mes in thepast. Inser3ngbackdoors, sabotagingstandards,andtappingcommercialdata-centerlinksprovidebadactors,foreignanddomes3c,opportuni3estoexploittheresul3ngvulnerabili3es.Thevalueofsociety-widesurveillanceinpreven3ngterrorismisunclear,butthethreatthatsuchsurveillanceposestoprivacy,democracy,andtheUStechnologysector is readily apparent. Because transparency and public consent are at the core of our democracy, we call upon the US government to subject all mass-surveillanceac3vi3estopublicscru3nyandtoresistthedeploymentofmass-surveillanceprogramsinadvanceofsoundtechnicalandsocialcontrols. Infindingawayforward,thefiveprinciplespromulgatedathvp://reformgovernmentsurveillance.com/provideagoodstar3ngpoint.ThechoiceisnotwhethertoallowtheNSAtospy.Thechoiceisbetweenacommunica3onsinfrastructurethatisvulnerabletoavackatitscoreandonethat,bydefault,isintrinsicallysecureforitsusers.Everycountry,includingourown,mustgiveintelligenceandlaw-enforcementauthori3esthemeanstopursueterroristsandcriminals,butwecandosowithoutfundamentallyunderminingthesecuritythatenablescommerce,entertainment,personalcommunica3on,andotheraspectsof21st-century life.Weurge theUSgovernment to reject society-wide surveillanceand the subversionof security technology, toadopt state-of-the-art,privacy-preservingtechnology,andtoensurethatnewpolicies,guidedbyenunciatedprinciples,supporthumanrights,trustworthycommerce,andtechnicalinnova3on.
h<p://masssurveillance.info/
53signatories58%acceptancerate4.5months>900emails
Topreasonsstatedfornotsigning:
Nopoli8cs.Anunwillingnesstoengageinanything“poli3cal”connectedtooneswork.
23 / 35
Abig-datacandidatewerecentlyinterviewed
I’mabodywithoutasoul.
Dissocia8on.Abeliefthatitisreasonabletodissociateonesethicalbeingfromoneswork.
Someofyourworkcouldhavetroublingapplica3ons.Couldyoudescribeyourpersonalviewonthesocialresponsibili3esofcomputerscien3sts?
24 / 35
“Itoldher[mywife,circa1976]thatwewereheadedintoaworldwherepeoplewouldhaveimportant,in3mate,long-termrela3onshipswithpeopletheyhadnevermetfacetoface.Iwasworriedaboutprivacyinthatworld,andthat’swhyIwasworkingoncryptography.”WhitDiffie,tes8fyingattheNeweggvs.TQPpatenttrial,21November2014
Changingmo8va8ons
Changingmo8va8ons.Current-genera3oncryptographersaren’tinitformoralorsocio-poli3calreasons.
Careerism.Whatwedoalignswiththeacademicrewardsystem.
(Writelotsofpapersappreciatedenoughtogetinto3er-1venues.Bringinplentyofmoney.)
RalphMerkle–Mar8nHellman--WhitDiffie
25 / 35
DoDFundinginCryptography,2000-2015
0
10
20
30
40
50
60
70
80
90
100
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
PercentageofCRYPTOpapersthatacknowledgeUSDoDfundingamongallpapersthatacknowledgeUSextramuralfunding
Sensibili8esforsale.Youdon’tbitethehandthatfeedsyou.
26 / 35
Fear.Youwanttoavractmoreaven3ontoyourself!?
27 / 35
Whyarethestrongestcrypto-advocatesnon-cryptographers?
Missingaqtude.Welacktheenergyandsenseofpurposeofthecypherpunks.
AmissingaEtude–thatofthecypherpunks.
StevenLevy,“CryptoRebels”,Wired,May/June1993.
TimMay–EricHughes–JohnGilmore
Butwediscoveredsomething.Ouronehopeagainsttotaldomina3on.Ahopethatwithcourage,insightandsolidaritywecouldusetoresist.Astrangepropertyofthephysicaluniversethatwelivein.¶Theuniversebelievesinencryp3on.¶Itiseasiertoencryptinforma3onthanitistodecryptit.JulianAssange,2012
…Wemustdefendourownprivacyifweexpecttohaveany.Wemustcometogetherandcreatesystemswhichallowanonymoustransac3onstotakeplace.…¶WetheCypherpunksarededicatedtobuildinganonymoussystems.Wearedefendingourprivacywithcryptography,withanonymousmailforwardingsystems,withdigitalsignatures,andwithelectronicmoney.EricHughes,1993
In words form history, let us speak no more of faith in man, but bind him down frommischiefbythechainsofcryptography.EdwardSnowden,2013
28 / 35
Privacyisapersonalgood
Inherentlyinconflict
Securityisacollec8vegood
Encryp3onhasdestroyedthebalance.Privacywins
RiskofGoingDark.
Thebadguysmaywin
“Going-Dark”Framing U.S.FBIDirectorJamesComey
29 / 35
Makespeopleconforming,
fearful,boring.S3flesdissent
Surveillanceisan
instrumentofpower
Tiedtocyberwarandassassina8ons
Technologymakesitcheap
Privacyisasocialgoodrarelyinconflictwithsecurity
Thecostsofsurveillancearenotbornequally
DrawingbysixyearolddaughterofSteveMann
Misframing.Accep3ngafic33ousstorylineofwhatsurveillanceisfor.
“Golden-AgeofSurveillance”Framing
30 / 35
Crypto
Crypto-for-PrivacyCrypto-for-SecurityCrypto-for-CryptoCrypto-for-Power
Maybecryptowillsaveus
31 / 35
Maybecryptowillsaveus
1. Encryp3onworks,andhasanaturaldemocra3zingtendency.2. Cryptographersanddevelopersaresmart,3. Andtheworkcanberelevant.4. Metadataconcealmentispossible,andisalreadydone(inTor).5. End-to-endanddeviceencryp3onisbecomingpopular.6. Open-source,open-hardwaremovementofferspromise.7. Morecryptographersarebecominginterestedinprivacy.8. Andareavendingtothepoli3calimplica3onsofourwork.9. Wecanrebalancewhatwedotoputmoreemphasisoncrypto-for-privacy.
32 / 35
1. Mostofthecryptocommunityisbusythinkingaboutotherthings.2. Architecturecanmakecryptosupportthepowerfulorthepowerless.3. Endpointsareinsecure,codeisbuggy.4. Securityisa“weak-link”property,andcryptoisrarelythatlink.5. Usablesecurityhasprovenelusive.6. Nomoralcompunc3onamongcomputerscien3sts,engineers.7. Privacy-enhancingadd-onsaddcomplexityandreduceu3lity.Economic
incen3vesoaenwrong.Enormousvaluegainedbymininginforma3onflows.Valueflowstocorpora3onsandgovernments.
8. Legalprotec3onsareweak,legalinstruments(eg,NSLs)arestrong,mostjudgesdon’tunderstandtechnology.
9. Intelligenceagencieshaveenormousbudgets,operatebeyondthereachoflaw.Anything-goesmentality(even,eg,subver3ngstandardiza3onprocess).Shieldedbycomplexity,secrecy,partnerships,legalinven3on,linguis3cinven3on.
10. Opensourceisnopanacea(Linus’slaw:“givenenougheyeballs,allbugsareshallow”.NO)11. Monitoringinphysicalspace:facialrecogni3on,license-platereaders,…12. It’sallinthemetadata–andconcealingmetadatahard.13. Declineofthegeneral-purposecomputer.14. Successfulframingbygovernment15. Technologymavers,butpolicy,law,adherencetolawmavermore.16. Corpora3sm/Public-private“partnership”hasneverbeenstronger.
Butprobablynot
33 / 35
WHYhasn’tcryptohelped?
CANcryptohelp?
Cryptographershavebeendisinclinedtohelp.Thereasonsforthisarerootedinthedisciplinaryculture.
Onsomemavers–yes.Howmuchofadentcanwerealis3callymake??Wewon’tknowwithouttrying.
34 / 35
AuthoritarianismFearmongeringJingoism
Corpora8smMilitarism
RacismIncarcera8ons
Assassina8onsFascism
“eventuallytherewillbea3mewherepolicieswillchange,becausetheonlythingthatrestrictstheac3vi3esofthesurveillancestatearepolicy.…Andbecauseofthat,anewleaderwillbeelected,they’llfliptheswitch,…andtherewillbenothingthepeoplecandoatthatpointtoopposeit,andit’llbeturnkeytyranny.–E.Snowden,June6,2013
35 / 35
Safelyensconcedatthetopoftheworld?
Noway.
36 / 35
37 / 35
1. Foundingethos.Cryptoistheory,philosophy,andimagina3on.2. Embeddedethos.Thisethosremainsdominant,con3nuallyrenewedbytechnical/nontechnicalchoices.3. Hereforfun.Intellectualityassport—pragma3smassmall-mindedness.4. Irrelevance.Imagina3on-genesisworkcan’tactuallyfindaroutetoprac3ce.5. Distancedfromsecurity.Becauseofcommunitystructure.6. Standardiza8onnon-par8cipa8on.Cryptographicstandardswithoutthecryptographers.7. Value-neutralview.Themyththatscienceandtechnologyisvalue-neutral.8. Communityfracture.Spli]ngoffofPETS,symbolicapproachestocrypto,…9. Adversarialabstrac8on.Trea3ngtheadversaryno3onally.10. Unthreateninglyengaged.We’rehappytodostuffirrelevanttopower.11. Extremespecializa8on.Canrobscien3stsofanysenseofagency.12. Nopoli8cs.Anunwillingnesstoengageinanything“poli3cal”connectedtooneswork.13. Dissocia8on.Abeliefthatitisreasonabletodissociateonesethicalbeingfromoneswork.14. Changingmo8va8ons.Current-genera3oncryptographersaren’tinitformoralorpoli3calreasons.15. Careerism.Whatwedoalignswiththeacademicrewardsystem.16. Sensibili8esforsale.Youdon’tbitethehandthatfeedsyou.17. Ins8tu8onalamorality.Theprominenceofeconomicnarra3vestocrowdoutallothers18. Fear.Youwanttoavractevenmoreaven3ontoyourself?19. Missingaqtude.Welacktheenergyandsenseofpurposeofthecypherpunks.20. Misframing.Accep3ngafic33ousstorylineofwhatmasssurveillanceisfor.21. Rou8niza8on.Peoplequicklyaccepttheirnewreality,andevencometothinkit’sgood.
WHYdisinclinedtohelp
38 / 35
WilliamDavidon,1927-2013ProfessorofPhysicsHaverfordCollege,1961-1991
Theendofdissent
FBIbranchofficeinMedia,Pennsylvania.Burglarizedin1971bytheteamheadedupby
SeeBevyMetsger,TheBurglary,2014
39 / 35
WARISPEACEFREEDOMISSLAVERYIGNORANCEISSTRENGTH
1949
1999–present
Rou8niza8on.Peoplequicklyaccepttheirnewreality,andevencometothinkit’sgood.
Sani8za8onofadystopia
YevgenyZamya3n(1921)
40 / 35
UCEngineeringDeans,“UCEngineeringAnalysis,OutcomesandProposalforFutureGrowth”(2014).Presenta8ontoJ.Napolitano
Ins8tu8onalamorality
Ins8tu8onalamorality.Thetendencyofeconomicnarra3vestocrowdoutallothers,andindividualtomirrortheamoralstancesoftheirorganiza3ons.