All of these papers are in Draft form. You should reference them as working drafts; please consult with the author as to current status. Comments are welcome as are suggestions for publication!
Sorted roughly by current working status, with 'complete' papers at the top. Postscript is sometimes available with an uppercase PS suffix and this may be recommended for Internet Explorer users as that browser does not display the HTML very well.
Abstract.
What do people mean when they say something is secure?
Shamir's 1st law says absolute security does not exist, yet the popular press and the security buying process is inundated in secure product. For some of these products, there may be merit in the term, but for many it is more debatable. Such differences of meaning and applicability suggest low efficiency in the market for security, as well as a blackspot on the claim for security as a robust science.
One way to define 'secure' is to apply the economics theory and terminology of Pareto efficiency. This simple structure gives an easy way to categorise and choose among alternates, and identifies when an optimum has been reached. We suggest that this meaning may already be in wide spread usage, intuitively, among security practitioners and the popular press.
Pareto-Secure was one of the three papers presented in the founding issue of Advances in Financial Cryptography . As editor, publisher and chief gopher that was an easy decision for me! FC++ as it is known for short is a pre-publication drafts circle designed to polish our work before going out to a 'real publication'.
Abstract.
The digitally signed receipt, an innovation from financial cryptography, presents a challenge to classical double entry bookkeeping. Rather than compete, the two melded together form a stronger system. Expanding the usage of accounting into the wider domain of digital cash gives 3 local entries for each of 3 roles, the result of which I call triple entry accounting.
This system creates bullet proof accounting systems for aggressive uses and users. It not only lowers costs by delivering reliable and supported accounting, it makes much stronger governance possible in a way that positively impacts on the future needs of corporate and public accounting.
A new paper that attempts to meld our ground-breaking digital issuance innovations with classical accountancy. In Financial Cryptography it is an article of faith that double entry bookkeeping has taken a broadside from the digital certificate, and is expected to sink any year now. Instead, I look at how the two can work together and emerge stronger for their contributions.
Triple Entry Accounting was one (which earnt lots of comments) of the three papers presented in the second issue of Advances in Financial Cryptography .
The Market for Silver Bullets (pdf)
Abstract.
What is security?
As an economic “good” security is now recognised as being one for which our knowledge is poor. As with safety goods, events of utility tend to be destructive, yet unlike safety goods, the performance of the good is very hard to test. The roles of participants are complicated by the inclusion of agressive attackers, and buyers and sellers that interchange.
This essay hypothesises that security is a good with insufficient information, and rejects the assumption that security fits in the market for goods with asymmetric information. Security can be viewed as a market where neither buyer nor seller has sufficient information to be able to make a rational buying decision. Drawing heavily from Michael Spence's “Job Market Signaling,” these characteristics lead to the arisal of a market in silver bullets as participants herd in search of best practices, a common set of goods that arises more to reduce the costs of externalities rather than achieve benefits in security itself.
This paper is part of a group of papers emerging from an investigation into Information Security and Signalling. This is a difficult paper, and is advancing slowly, but I think its proposals are very important. See also the (complete) Pareto-Secure paper above.
Abstract.
Analysis of the architecture and message flows of Instant Messaging and Payments systems reveal that they are very similar; more so than would be expected for applications that are nominally separated in the user's minds.
This paper examines merging payments and messaging for the Internet.
In terms of Financial Cryptography, this paper presents a core result based on merging payments and messaging. The system has been built and it works. The results indicate that much of the last two decades work in automated systems in trade may have been unbalanced at minimum, and likely impractical.
Abstract.
Open Governance is a form of security whereby a business engages partners and the user public in protecting assets under management. Open governance arose in the unregulated environment of Internet Payment Systems.
Yet the techniques developed are universally applicable, and in some cases have decided advantages, even when applied to the regulated or non-payment sectors. Use of these techniques and the overall philosophy, in concert with conventional techniques, can reduce dramatically internal risks and costs.
Public Key Infrastructure (PKI) has now passed its first decade of activity on the Internet, but has yet to break out of pathetically small revenues. Reasons and factors contributing to the failure are many and varied. Is it that the PKI is a solution looking for a problem? That it doesn't solve the problems that it claims? Or that it is too expensive? Perhaps the military objectives failed to cross-over to the commercial sector?
This review attempts to list all of the issues that are unresolved, contentious, or questionable, at least as they are known to this author.
I've been collecting information on the flaws in PKI - public key infrastructure - for many a year now. Many researchers have written quite strong papers on single aspects, but nobody that I know of has dared to collate and integrate these criticisms. At some point, this list should be edited and cleaned out of its skeptical personality, and submitted for publication as a review.
Abstract.
What is security?
Collected random thoughts and models.
Note that the bulk of the content was moved into The Market for Silver Bullets at revision 1.17.
See also Pareto-secure and The Market for Silver Bullets.
Abstract. The patterns paradigm has arisen in the object oriented world to document those coding tasks that seem to repeat frequently enough to need common names and common architectures. Patterns, once documented, assist communication, and provide shortcuts to existing code.
Cryptographic coding is a small subset of coding. It includes many tasks of a very varied nature, in part because the demands of the higher level application are so varied, and so divergent from the nature of cryptography. Yet, patterns emerge.
This draft note is a first cut attempt to list those patterns, with some brief explanation of each.
Abstract.
Opportunistic Cryptography can be used to protect a wide variety of applications. It has come to the fore with successful applications such as SSH and OpenPGP. It stands in contrast to more statically minded, no-risk approaches such as SSL, which has been deployed only at unacceptable expense.
We introduce a framework to compare different approaches and levels to opportunistic distribution of keys We call this SPOCK ratings, as a catchy acronym. Each increasing number indicates a better and more intelligent protection for the application.
SPOCK is Self-Protection using Opportunistic Keys. It was knocked out on the basis of there being a layered set of advances in key use, but whether it hangs together is an open question.
Also see the Financial Cryptography Blog and the main published Papers Page. I now run a pre-publication review circle called Advances in Financial Cryptography. If you have a draft in good reading order, ready for some peer-help in getting it polished, let me know.