7 February 2023

# The Moral Character of Cryptographic Work (2015)

Phillip Rogaway

Department of Computer Science

University of California, Davis, USA

rogaway@cs.ucdavis.edu

December 2015

(minor revisions March 2016)

Abstract. Cryptography rearranges power: it configures who
can do what, from what. This makes cryptography an inherently
political
tool, and it confers on the field an intrinsically moral dimension.
The Snowden revelations motivate a reassessment of the political and moral positioning
mass surveillance constitutes a failure of our field. I believe that it does.
I call for a community-wide effort to develop more effective means to resist
mass surveillance. I plead for a reinvention of our disciplinary culture to attend
not only to puzzles and math, but, also, to the societal implications of our
work.

Keywords: cryptography · ethics · mass surveillance · privacy
· Snowden · social responsibility

Preamble. Most academic cryptographers seem to think that
our field is a fun, deep, and politically neutral game—a set of puzzles
involving communicating parties and notional adversaries. This vision of who
we are animates a field whose work is intellectually impressive and rapidly
produced, but also quite inbred and divorced from real-world concerns. Is
this what cryptography
should be like? Is it how we should expend the bulk of our
intellectual capital?

For me, these questions came to a head with the Snowden disclosures of 2013.
If cryptography’s most basic aim is to enable secure communications, how
could it not be a colossal failure of our field when ordinary people
lack even a modicum of communication privacy when interacting electronically?
Yet I soon realized that most cryptographers didn’t see it this way. Most seemed
to feel that the disclosures didn’t even implicate us cryptographers.

I think that they do. So I want to talk about the moral obligations of
cryptographers, and my community as a whole. This is not a topic
cryptographers routinely discuss. In this post-Snowden era, I think it needs
to be.

## Part 1: Social responsibility of scientists and engineers

A famous manifesto. I’d like to begin with a story—a true
story.1 To set the stage, it is London, the summer of 1955. A
roomful of reporters have assembled for a press conference in Caxton Hall, a
red brick building in Westminister. The media have been summoned in a plan
hatched by Bertrand Russell, with some help from the editor of
The Observer
newspaper. The reporters don’t know just why they are here, having only
been told that a team of the world’s leading scientists were ready to release
something of world-wide significance. The press knows that Bertrand Russell is
involved. With Einstein’s recent death, Russell has become the world’s most famous
living intellectual.

Russell has been in his home, hiding, all week. All day long the phone
rings, the doorbell rings. Reporters are trying to find out what is this big
announcement. Russell’s wife and his housekeeper make excuses and shoo the
reporters away.

As the press conference begins, the reporters learn from Russell and
accompanying physicist Joseph Rotblat that they have not been
assembled to hear of some new scientific discovery, but to receive a
prepared, political statement. It’s a fairly brief statement, but it’s been
signed by eleven2 of the world’s leading scientists—nine of them Nobel
laureates. Albert Einstein is among the signatories, signing just days before
he became ill and died.

The document would become known as the Russell–Einstein manifesto.3 I hope that its contents are known to you. It speaks of the existential threat
to mankind posed by nuclear weapons. It’s final passage sounds desperately plaintive
as Russell writes:

We appeal, as human beings, to human beings: Remember your humanity, and
forget the rest. If you can do so, the way lies open to a new Paradise; if
you cannot, there lies before you the risk of universal death.4

The reporters ask questions and soon warm to the manifesto’s importance. The
next day, the manifesto is carried as front-page news of most the world’s
major newspapers. For the next several days, at least, it is the talk of the
world.

The Russell–Einstein manifesto galvanized the peace and disarmament
movements. It led to the Pugwash conferences, for which Joseph Rotblat and
the conference-series itself would eventually win the Nobel Peace Prize
(1995). Rotblat credits the manifesto for helping to create the conditions
that gave rise to the Nuclear Non-Proliferation Treaty (NPT, 1970).5
In his Nobel Peace Prize acceptance speech, Rotblat explains:

From my earliest days I had a passion for science. But science, the exercise
of the supreme power of the human intellect, was always linked in my mind
with benefit to people. I saw science as being in harmony with humanity. I
did not imagine that the second half of my life would be spent on efforts to
avert a mortal danger to humanity created by science.6

Two modes of behaving politically. I begin with the
Russell–Einstein manifesto to remind you of two things: first, that
technical work itself can implicate politics; and second, that some
scientists, in response, do take on overtly political roles. These two ways to
behave politically are different (even if, to people like Rotblat, they go hand-in-hand).
Let’s look at each.

Implicit politics. A scientist engages in what I’ll call
implicit
politics by influencing power relations as a byproduct of technical work. Politics
is about power—who has how much of it, and what sort. The nuclear bomb is the
ultimate expression of coercive power; it is politics incarnate. Had Rotblat
shunned every ostensibly political role in his life, his life’s work would still
have been political. Immensely, if implicitly, so.

But we don’t need the specter of mushroom clouds to be dealing with
politically relevant technology: scientific and technical work routinely
implicates politics. This is an overarching insight from decades of work at the
crossroads of science, technology, and society.7 Technological
ideas and technological things are not politically neutral: routinely, they
have strong, built-in tendencies. Technological advances are usefully
considered not only from the lens of how they work, but also
why
they came to be as they did, whom they help, and whom they
harm. Emphasizing the breadth of man’s agency and technological options, and
borrowing a beautiful phrase of Borges, it has been said that
innovation is a garden of forking paths.8

Still, cryptographic ideas can be quite mathematical; mightn’t this
make them relatively apolitical? Absolutely not. That cryptographic work is deeply
tied to politics is a claim so obvious that only a cryptographer could fail to
see it. Thus I’ll devote considerable time to this claim. But let me first speak
of the second way for scientist to behave politically.

Overt politics. A scientist can engage in overt
politics through the mechanisms of activism and participatory democracy. In writing
the Russell–Einstein manifesto and in rolling it out the way he did, Russell
was working masterfully in this domain. Russell was not
had won the Nobel prize in literature, and was a well-known social critic and
anti-war activist.

The ethic of responsibility. Bertrand Russell’s breadth was
extraordinary. But the mere existence of the politically engaged
intellectual doesn’t suggest that this pairing is at all representative. To
what extent are
scientists and engineers socially engaged? And to what extent do societal norms
demand that they be?9

Nowadays, an ethic of responsibility is preached in university
courses and advocated by professional organizations. It is the doctrinal
view. The putative norm contends that scientists and engineers have an
obligation to select work that promotes the social good (a
positive right), or, at the very least, to refrain from work that
damages mankind or the environment (a
negative right).10 The obligation stems from three basic
truths: that the work of scientists and engineers transforms society; that
this transformation can be for the better or for the worse; and that what we
do is arcane enough that we bring an essential perspective to public
discourse. The socially engaged scientist is expected to bring a normative
vision for how work in his or her field should impact society. He or
she aims to steer things in that direction.

To be sure, decision making under the ethic of responsibility is not easy.
It can be impossible to foresee if a line of work is going to be used for
good or for ill. Additionally, the for-good-or-for-ill dichotomy can be
simplistic and subjective to the point of meaninglessness. Still, despite
such difficulties, the socially engaged scientist is supposed to
investigate, think, and decide what work he will or will not do, and what
organizations he will or will not work for. The judgment should be made
without over-valuing one’s own self-interest.

Historical events shaping the ethic of responsibility. The ascendancy
of the ethic of responsibility was shaped by three historical events of World
War 2 and its aftermath.

1. The first, already touched on, was the experience of the
atomic scientists. After the war, with science left in a position both
revered and feared, prominent physicists became public figures. Some became
outspoken in their advocacy for peace, or their opposition to further
weapons development. Recall the widespread concerns from physicists to
Reagan’s Strategic Defense Initiative (SDI)11 or Hans Bethe’s
famous letter to Bill Clinton where he argued against another round of U.S.
nuclear-weapons development.12 A willingness to
speak truth to power13 became a tradition among
physicists—one that, I think, continues to shape physicists’ identity.14

As an example, recall the pepper-spray incident of 2011 at my own campus,
the University of California, Davis.15 Carrying out the
Chancellor’s instructions to clear “Occupy” protesters, police officer John
Pike pepper-sprayed students who sat, arms linked, on the university’s
central quad. Videos of the event went viral,16 while memes of
Officer Pike casually pepper-spraying anything became a second
Internet sensation. But the observation I’d like to make is that, in the
aftermath of the incident, the
only UCD department outside the humanities to condemn the
Chancellor or call for her resignation was Physics.17 The
Chancellor was mystified. She understood the strong reaction from our
(underfunded and politically liberal) English department, but she didn’t
anticipate complaints from a (well-funded and generally conservative)
Physics department.18 What the Chancellor might not have internalized
is that physicists retain a post-war legacy not only of snuggling up close to
power, but also of nipping at its ankles.

2. A second historical event that helped shape the post-war
view of moral responsibility was the Nuremberg trials (1945–1946). While the
defense repeatedly proffered that the accused were simply following orders,
this view was almost universally rejected: following orders did not
efface legal or moral culpability. The Nuremberg trials began with the
Medical Case, the prosecution of 23 scientists, physicians, and other senior
officials for gruesome and routinely fatal medical experiments on prisoners.19

Years later, as though in sequel, the world would watch in nervous
fascination the trial of Adolf Eichmann (1961). Hannah Arendt’s
controversial portrayal of Eichmann would come to be formative in shaping
our understanding of what, ethically, had transpired during the Holocaust.
She wrote of the utter ordinariness of the man.20
Arendt’s book on the trial, memorably subtitled
The Banality of Evil, would be published the same year (1963) as
Stanley Milgram’s classical experiments on obedience, where Milgram produced
the stunning (and widely repeated) finding that a large fraction of
volunteers would follow a whitecoated scientist’s gentle urging to deliver
apparently life-threatening shocks to someone they thought was a fellow test
subject.21

3. Finally, I would mention the rise of the environmental
movement as contributing to the rise of an ethic of responsibility. While
environmentalism dates to the mid-nineteenth century and before, as a
significant social movement, the 1962 publication of Rachel Carson’s
Silent Spring is a milestone. Her book painted a picture of the end
of life not by the drama of nuclear warfare, but the disappearance of songbirds,
silenced by the routine if oversized activities of chemical manufacturing and
non-specific pesticides.

The good scientist. The three experiences I have just
described implied a
democratization of responsibility. Scientists had to assume
responsibility for what they did, for technology would take us to a very dark
place if they did not. Stripped of ethical restraint, science would bring a world
of nightmare bombs, gas chambers, and macabre human experiments. It would bring
a dying, poisoned world.

And so, in the decades following the war, the ethic of responsibility
became— at least rhetorically—the doctrinal norm. Increasing numbers of
scientists and engineers, as well as their professional organizations, began
to engage on issues of social responsibility. The Pugwash Conferences began
in 1955. The National Society of Professional Engineers adopted a code of
ethics in 1964 that gave primacy to social responsibility. As its first
imperative, the code says that “Engineers, in the fulfillment of their
professional duties, shall hold paramount the safety, health, and welfare of
the public.” Similar language would spread across other codes of ethics,
including those of the ACM and IEEE.22 The Union of Concerned
Scientists was formed at MIT in 1969—the same year a work stoppage at MIT,
coordinated with 30 other universities, enjoyed substantial student,
faculty, and administrative support. It called for a realignment of research
directions away from military pursuits and towards human needs. Computer
Professionals for Social Responsibility (CPSR) began its work opposing the
SDI in 1983.23
That same year, the IACR was founded, its self-described mission not only to
advance the theory and practice of cryptology but also, lest we forget, to serve
the public welfare.24 The Electronic Frontier Foundation (EFF) and
Privacy International (PI) were both formed in 1990, and became effective advocates
in such matters as the defeat of the Clipper Chip. All of this is but a sampling
of the overt politics from scientists and engineers.

Against this backdrop, the figure of the brilliant but humane scientist
became a cultural motif. Jonas Salk had wiped out polio. Einstein became a
cultural icon, one unfazed by the inconvenience of his death. The image of
him sticking out his tongue may be the most widely recognizable photograph
of any scientist, ever. Richard Feynman would be painted in equally colorful
ways, the no-nonsense genius pounding on bongo drums and shoving black
rubbery stuff into ice water. Gene Roddenberry’s Star Trek imagined
a future that featured the scientist–humanist–hero as one team, if not one
individual. Carl Sagan, speaking gently to the camera in episodes of
Cosmos
(1980), seemed the real-life embodiment of this aspirational package.

The ethic of responsibility in decline. And yet, for all I
have said, the scientist or engineer seriously concerned about the social
impact of his work is, I think, so rare as to be nearly a matter of myth.
Never during the cold war, nor in any of the subsequent US wars, did US
companies have difficulty recruiting or retaining the hundreds of thousands
of scientists and engineers engaged in building weapons systems.25
Universities like my own were happy to add their support; the University of California
would, for decades, run the USA’s nuclear weapons design laboratories.26
In nearly 20 years advising students at my university, I have observed that a
wish for right livelihood27
almost never figures into the employment decisions of undergraduate computer
science students. And this isn’t unique to computer scientists: of the five most
highly ranked websites I found on a Google search of
deciding among job offers, not one suggests considering the
institutional goals of the employer or the social worth of what they do.28

the ethical responsibilities of computer scientists. Some respond like a
deer in headlights, unsure what such a question could even mean. One recent
faculty candidate, a data-mining researcher whose work seemed a compendium
of DoD-funded projects for socially reprehensible aims, admitted that she
felt no social responsibility. “I am a body without a soul,” she earnestly
explained. It was sincere—and creepy.

Stanley Fish, a well-known literary theorist, professor, and dean,
admonishes faculty not to pursue research programs rooted in
values. (His 2012 book is titled Save the World on Your Own Time.)

do your job; don’t try to do someone else’s job…; and don’t let anyone
with the obligation to save the world; that’s not your job as an academic…

Marx famously said that our job is not to interpret the world, but to
change it. In the academy, however, it is exactly the reverse: our job is
not to change the world, but to interpret it.29

Perhaps such amorality, however revolting, is harmless in Fish’s
intellectual realm: one doesn’t particularly expect literary theory to
change the world. But scientists and engineers do just that. A refusal to
direct the change we do is both morally bankrupt and ingracious. Our work as
academics, we should never forget, is subsidized by society.30

So far I have not said why the post-war ethic-of-responsibility didn’t catch
on. I could give multiple answers, starting with the rise of radical
individualism.31 But I prefer to focus on something else: extreme
technological optimism.

Technological optimism. Technological optimists believe that
technology makes life better. According to this view, we live longer, have more
freedom, enjoy more leisure. Technology enriches us with artifacts, knowledge,
and potential. Coupled with capitalism, technology has become this extraordinary
tool for human development. At this point, it is central to mankind’s mission.
While technology does bring some unintended consequences, innovation itself will
see us through.

Technological optimism animates everyone from school children to Turing
Award winners. Accepting his 2012 Turing Award, Silvio Micali, said that

Computer science is marking an epical change in human history. We are
conquering a new and vast scientific continent. … Virtually all areas of
human activity… [and] virtually all areas of human knowledge… are benefiting
from our conceptual and technical contributions. … Long live computer
science!32

If you’re a technological optimist, a rosy future flows from the wellspring
of your work. This implies a limitation on ethical responsibility. The
important thing is to do the work, and do it well. This even becomes a moral
imperative, as the work itself is your social contribution.

But what if computer science is not benefiting man? Technological
pessimists like Jacques Ellul, Herbert Marcuse, and Lewis Mumford certainly
didn’t think that it was. They saw modern technology as an interlocking,
out-of-control system that, instead of fulfilling human needs, engendered
pointless wants and deadlier weapons. Man is becoming little more than the
sex organs of the machine world.33

Taking a less “extreme” view,34 technological contextualists35 acknowledge the concerns of the pessimists, but emphasize man’s essential agency
and the malleability of technology. Contextualism dominates the dialectic of
technology studies.

The ethic of responsibility is always paired with the contextualist view of
sociotechnology. At some level, this must be so: a normative need vanishes
if, in the garden of forking paths, all paths lead to good (or, for that
matter, to bad). But it is technological optimism that most people buy into,
especially scientists and engineers. And unbridled technological optimism
undermines the basic need for social responsibility.

Conclusion to part 1. Ultimately, I think the post-war turn
towards social responsibility in science and engineering was less a turn
than a sideways glance. While the rhetoric of responsibility would provide
cover from technology’s critics, few scientists or engineers would ever come
to internalize that their work embodied socially relevant values. If
any operationally significant way, well, I think we didn’t get the memo.

So let me retransmit it. It says that your moral duties extend beyond the
imperative that you personally do no harm: you have to try to promote the
social good, too. Also, it says that your moral duties stem not just from
your stature as a moral individual, but, also, from the professional
communities to which you belong: cryptographer, computer scientist,
scientist, technologist.

With few exceptions, the atomic scientists who worked on disarmament were
not the same individuals as those who built the bomb. Their
colleagues—fellow physicists—did that. Cryptographers didn’t turn the
Internet into an instrument of total surveillance, but our colleagues—fellow
computer scientists and engineers—did that. And cryptographers have some capacity to help.

But you will only believe that claim if you recognize that cryptography can
influence power relations. I suspect that many of you see no real connection
between social, political, and ethical values and what you work on. You don’t
build bombs, experiment on people, or destroy the environment. You don’t spy
on populations. You hack math and write papers. This doesn’t sound ethically
laden. I want to show you that it is.

## Part 2: The political character of cryptographic work

Scientist or spy? There’s an irony in discussing the claim that
cryptographic work is political, and it is this: to someone unconnected to the
field, and also to the crypto-hobbyist, the claim may seem obviously true. But
to the young researcher who spends his life writing papers in cryptography, the
claim may seem just as obviously false. What gives?

The outsider’s view of cryptography might be based on cinematic portrayals.
Films like Sneakers (1992), Pi (1998), A Beautiful Mind (2001), Enigma
(2001), Traveling Salesman (2012), Citizenfour (2014), and The Imitation
Game (2014) depict cryptography as a field intertwined with politics.
Cryptographers are the brilliant and handsome mathematicians that power
needs to have working on its side. We are, I am happy to report, heroic
geniuses. A little crazy, to be sure, but that just adds to the luster.

Similarly, the crypto hobbyist may have read historical accounts
dealing with cryptography, like the books of James Bamford or David Kahn.36
Such accounts demonstrate that, historically, cryptography is about
power. It’s a realm in which governments spend enormous sums of money,37
and maybe not unwisely: the work shapes the outcome of wars, and undergirds diplomatic
and economic maneuvering.38

Yet no academic cryptographer would confuse historical or fictional accounts
of cryptography with what we actually do. Our discipline investigates
academic problems that fall within our disciplinary boundaries. Pick up a
Springer proceedings or browse ePrint papers and our field looks utterly non-political. If power is anywhere in the picture, it is in the abstract
capacities of notional adversaries39 or, in a different branch of
our field, the power expenditure, measured in watts, for some hardware. We work
on problems that strike us as interesting or scientifically important. We’re
not aiming to advance the interests of anything but science itself (or, perhaps,
one’s own career).

So distinct claims about cryptography’s connectedness to power stem, at
least in part, from radically different archetypes of what the cryptographer
is: scientist or spy. The NSA/GCHQ employee who hacks Gemalto to implant
malware and steal SIM keys40 is just as deserving of being called
a “cryptographer” as the MIT-trained theorist who devises a new approach for
functional encryption. Both are dealing in questions of privacy, communications,
adversaries, and clever techniques, and we would do well to emphasize these commonalities
if we want to see our disciplinary universe in context or nudge it towards greater
relevance.

Academic cryptography used to be more political. The ascendance
of a new cryptographer archetype—the academic cryptographer—fails to really explain
our politically detached posture. For one thing, academic cryptographers were
once more concerned with our field’s sociopolitical dimensions. Some even came
to cryptography for such reasons. Consider, for example, this fragment of Whit
Diffie’s testimony at the Newegg trial. Speaking of his wife, Diffie says:

I told her that we were headed into a world where people would have
important, intimate, long-term relationships with people they had never met
face to face. I was worried about privacy in that world, and that’s why I
was working on cryptography.41

Diffie and his advisor, Martin Hellman, have long evinced a concern for
sociopolitical problems touching technology. You see it in their criticism
of DES’s key length,42 in Hellman’s activism on nuclear
disarmament,43 in Diffie’s book on the politics of wiretapping
with Susan Landau,44 and in his co-invention of forward secrecy.45
You see it in the New Directions paper:46
when the authors boldly begin “We stand today on the brink of a revolution in
cryptography,” the anticipated revolution was not, at least primarily, the theory
community bringing forth mind-altering notions of provable security, simulatability,
or multiparty computation.47 The authors were interested in
technological changes that were transpiring, and concomitant social
opportunities and needs.48

Still more ostensibly political is David Chaum’s body of scientific work,
which thoroughly embeds concerns for democracy and individual autonomy.
Chaum’s 1981 paper49Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, [Chaum81], suggests that a crucial privacy goal when sending an email is
to hide who is communicating with whom. The metadata, in modern
political parlance. The author offered mix nets for a solution.50

Chaum would go on to provide the founding ideas for anonymous electronic
cash and electronic voting. His papers would routinely draw on overtly
political motivations.51 In a recent conversation, Chaum
expressed surprise at the extent to which academics gravitated to a
field—cryptography—so connected to issues of power.52

Stripping out the politics. But as academics gravitated to cryptography,
they tended to sanitize it, stripping it of ostensible connectedness to power.
Applied and privacy-related work drifted outside of the field’s core venues,
the IACR conferences. It is as though a chemical synthesis would take place,
transforming this powerful powder into harmless dust.

Consider that there is now a conference named “Real World Cryptography”
(RWC).53 There is humor—but maybe gallows humor—that a field with
a genesis and capability as real-world as ours should find reason to create
a venue so named.54 Ask a colleague in Graphics or Cloud
Computing how it would fly in their community if someone started a conference
called Real World Computer Graphics (RWCG 2015) or Real World Cloud Computing
(RWCC 2016). They will laugh.

An especially problematic excision of the political is the marginalization
within the cryptographic community of the secure-messaging problem,55 an instance of which was the problem addressed by [Chaum81].
Secure-messaging is the most fundamental privacy problem in cryptography:
how can parties communicate in such a way that nobody knows who said what.
More than a decade after the problem was introduced, Rackoff and Simon would
comment on the near-absence of attention being paid to the it.56
Another 20-plus years later, the situation is this: there is now a mountain of
work on secure-messaging, but it’s unclear what most of it actually
does. A recent systemization-of-knowledge article57
paints a picture of a cryptographic task enjoying a flourishing of ad hoc solutions,
but little of it arising from the cryptographic community, as narrowly construed,
or tied to much theory.58 While one could certainly claim that this
is true for almost all practical security goals that employ cryptography, I think
the case is different for secure-messaging: here the work feels almost intentionally
pushed aside.

Children of [Chaum81] and [GM82]. Why would I make such a
claim? An illuminating case study is provided by comparing the venues of the
most cited papers citing [Chaum81] and [GM82], Goldwasser and Micali’s
Probabilistic Encryption.59 The two papers appeared
around the same time and have comparable citation counts.60

The [GM82] paper put forward the definitionally centered, reduction-based
approach to dealing with cryptographic problems. It became a seminal work of
the cryptographic community. The most cited papers that cite it appear in
Crypto and Eurocrypt, FOCS, STOC, and ACM CCS.61 The [Chaum81]
paper put forward the secure email problem and suggested a solution. This
paper would be just as seminal—but in spawning work mostly outside the core
cryptographic community. The ten most cited papers that cite Chaum’s paper
appear in venues that, mostly, I had never heard of. Venues not
crypto-focused, like MobiSys and SIGOPS. In fact, the venues for the ten
most cited papers citing [GM82] and the venues for the ten most cited papers
citing [Chaum81] have void intersection. I find this fairly remarkable. It
reflects a research community split into fragments that include a GM-derived
one and a Chaum-derived one, the second fragment not really being a part of
the cryptographic community at all.62

Why did this fragmentation occur? The most obvious explanation has to do
with rigor: [GM82] offered a mathematically precise approach to its subject,
while [Chaum81] did not. So a partitioning might seem to make sense:
cryptographic work that can be mathematically formal goes to the right; ad
hoc stuff, over to the left.

The problem with this explanation is that it’s wrong. The [Chaum81] paper
supports rigor just fine. Indeed provable security would eventually catch up
to mix nets, although the first definition would take more than 20 years to
appear (2003), in a paper by Abe and Imai.63 That the [Chaum81]
paper itself didn’t provide a formal treatment says nothing about the
formalizability of the problem or what communities would later embrace it;
after all, Diffie and Hellman’s paper64 only informally described
trapdoor permutations, public-key encryption, and digital signatures, but
all would be absorbed into the cryptographic fold. Now one might well
counter that the problem addressed by [Chaum81] is more difficult to
formalize than any of the examples just named. That’s true. But it’s simpler
to formalize than MPC,65 say, which would quickly gain entrée and
stature in the cryptographic community—even
without definitions or proofs. So, ultimately, neither
formalizability nor complexity goes far to explain why secure-messaging
has been marginalized.

comparing the introductions to the most-cited papers citing [GM82] and the
most-cited papers citing [Chaum81]. Papers citing [GM82] frame problems
scientifically. Authors claim to solve important technical questions. The
tone is assertive, with hints of technological optimism. In marked contrast,
papers citing [Chaum81] frame problems socio-politically. Authors speak
about some social problem or need. The tone is reserved, and explicitly
contextualist views are routine. One observes the exact same distinction in
tone and stated motivations when comparing survey articles.66

In 2015, I attended PETS (Privacy Enhancing Technologies Symposium) for the
first time. Listening to people in this community interact is a bit like
watching the cryptographic community through a lens that magically inverts
most things. The PETS community attends closely to the values embedded in
work. They care about artifacts that support human values. They aim to serve
the users of those artifacts. They’re deeply concerned with the politics and
technology of surveillance. Where, after Chaum, did the moral soul of
academic cryptography go? Maybe it moved to PETS.

There is a lesson in all this. Some might think that a community’s focus is
mostly determined by the technical character of the topic it aims to study.
It is not. It is extra-scientific considerations that shape what gets
treated where.

The cypherpunks. Now there is a group that has long worked
at the nexus of cryptography and politics: the cypherpunks.67 The
cypherpunks emerged in the late 1980’s, unified by a mailing list and some
overlapping values. The core belief is that cryptography can be a key tool
for protecting individual autonomy threatened by power.68

The cypherpunks believed that a key question of our age was whether state
and corporate interests would eviscerate liberty through electronic
surveillance and its consequences, or if, instead, people would protect
themselves through the artful use of cryptography. The cypherpunks did not
seek a world of universal privacy: many wanted privacy for the individual,
and transparency for the government and corporate elites. The cypherpunks
envisioned that one could hack power relations by writing the right code.
Cypherpunk-styled creations—think of Bitcoin, PGP, Tor, and WikiLeaks—were
to be transformative because they challenge authority and address basic
freedoms: freedom of speech, movement, and economic engagement.69

Exactly how such tools are to shape society is not always obvious.
Consider WikiLeaks. The hope is not just that a better informed public will
demand accountability and change. Rather, Assange sees governmental and
corporate abuse as forms of conspiracy that could be throttled by the mere
threat of leaks. Conspiracies are like graphs, the conspirators nodes, the
pairwise relations among them, the edges. Instead of removing nodes or
disrupting links, you can weaken any conspiracy by suffusing it in an
ever-present threat of leaks. The more unjust the conspiracy, the more
likely leaks will occur, and the more damage they will do. As elites become
fearful to conspire, they do so reservedly. The conspiratorial creature’s
blood thickens and it dies.70 It is a fascinating vision.

It is cypherpunks, not cryptographers, who are normally the strongest
advocates for cryptography. Julian Assange writes:

But we discovered something. Our one hope against total domination. A hope
that with courage, insight and solidarity we could use to resist. A
strange property of the physical universe that we live in.

The universe believes in encryption.

It is easier to encrypt information than it is to decrypt it.

We saw we could use this strange property to create the laws of a new
world.71

Similarly, Edward Snowden writes:72

In words from history, let us speak no more of faith in man, but bind him
down from mischief by the chains of cryptography.73

When I first encountered such discourse, I smugly thought the authors were
way over-promising: they needed to tone down this rhetoric to be accurate. I
no longer think this way. More engaged in implementing systems than I’ll
ever be, top cypherpunks understand more than I about insecure operating
systems, malware, programming bugs, subversion, side channels, poor
usability, small anonymity sets, and so on. Cypherpunks believe that despite
such obstacles, cryptography can still be transformative.

Cryptography favors whom? Cypherpunk discourse seems
sometimes to assume that cryptography will benefit ordinary people. But one
has to be careful here. Cryptography can be developed in directions that
tend to benefit the weak
or the powerful. It can also be pursued in ways likely to benefit nobody
but the cryptographer. Let’s look at some examples.

Encryption. One reason people might assume cryptography to benefit
the weak is that they’re thinking of cryptography as conventional encryption.
Individuals with minimal resources can encrypt plaintexts in a manner that even
a state-level adversary, lacking the key, won’t be able to decrypt.

But does it necessarily come out that way? To work, cryptographic primitives
must be embedded into systems, and those systems can realize arrangements of
power that don’t trivially flow from the nature of the tool. In his
typically pithy way, Schneier reminds people that “encryption is just a
bunch of math, and math has no agency.”74 If a content-provider
streams an encrypted film to a customer who holds the decryption key locked
within a hardware or software boundary she has no realistic ability to
penetrate,75 we’ve empowered content providers, not users. If we
couple public-key cryptography with a key-escrow system that the FBI and NSA
can exploit, we empower governments, not people.76

All that said, I do believe it accurate to say that conventional encryption
does embed a tendency to empower ordinary people.
Encryption directly supports freedom of speech. It doesn’t require expensive
or difficult-to-obtain resources. It’s enabled by a thing that’s easily
shared. An individual can refrain from using backdoored systems.77
Even the customary language for talking about encryption suggests a worldview
in which ordinary people—the world’s Alices and Bobs—are to be afforded the opportunity
of private discourse. And coming at it from the other direction, one has to
work
to embed encryption within an architecture that props up power, and one may encounter
major obstacles to success. The Clipper Chip completely failed. Trusted Computing
mostly did.78

IBE? The setting was proposed by Shamir, with Boneh and Franklin, years
later, providing a satisfying, provably secure realization.80 The
aim is to allow a party’s email address, for example, to serve as his public
key. So if Alice already knows the email address for Bob, she won’t need to obtain
his public key to send him an encrypted message: she just encrypts under Bob’s

But this convenience is enabled by a radical change in the trust model:
Bob’s secret key is no longer self-selected. It is issued by a trusted
authority. That authority knows everyone’s secret key in the system. IBE
embeds key escrow—indeed a form of key escrow where a single entity
implicitly holds all secret keys—even ones that haven’t yet been issued. And
even if you do trust the keygenerating authority, a state-level adversary
now has an extremely attractive locus to subpoena or subvert. In the end, from
a personal-privacy point of view, IBE might seem like an enormous leap backwards.

Descriptions of IBE don’t usually emphasize the change in trust model.81 And the key-issuing authority seems never to be named anything like that: it’s
just the PKG, for Private Key Generator. This sounds more innocuous than it is,
and more like an algorithm than an entity. In papers, the PKG further recedes
from view because it is the tuple of algorithms, not the entities that one imagines
to run them, that grounds formal definitions and proofs.

To be clear, I am not condemning IBE as some sort of fascist technology.
That sounds silly. Nor am I suggesting that IBE can’t be refined in ways to
make the trust model less authoritarian.82 Yet one can easily see
the authoritarian tendency built into IBE. And technologies, while adaptable,
are not infinitely so. As they evolve, they tend to retain their implicit orientations.

Differential privacy. Let’s consider differential privacy.83
Dwork says that

$epsilon$

any participant might have about the leakage of her personal information:
even if the participant removed her data from the data set, no outputs…
would become significantly more or less likely.”84

At some level, this sounds great: don’t we want to protect
individuals from privacy-compromising disclosures from corporate or
governmental datasets? But a more critical and less institutionally friendly
perspective makes this definitional line seem off.85 Most
basically, the model implicitly paints the database owner (the curator) as
the good guy, and the users querying it, the adversary. If power would just
agree to fudge with the answers in the right way, it would be fine for it to
hold massive amounts of personal data about each of us. But the history of
data-privacy breaches suggests that the principal threat to us is from the
database owner itself, and those that gain wholesale access to the data (for
example, by theft or secret government programs). Second, the harm
differentialprivacy seeks to avoid is conceived of in entirely
individualistic terms. But privacy violations harm entire communities. The
individualistic focus presupposes a narrow conception of privacy’s value.
Finally,86 differential privacy implicitly presupposes that the
data collection serves some public
good. But, routinely, this is a highly contestable claim. The
alternative of less data collection, or no data collection at all, is rarely
even mentioned. In the end, one must compare the reduction in harm actually
afforded by using differential privacy with the increase in harm afforded by
corporations having another means of whitewash, and policy-makers believing,
quite wrongly, that there is some sort of cryptomagic to protect people from
data misuse.

I recently asked an expert in differential privacy, Ilya Mironov, for his
reaction to my harsh critique. He explained that the abstract roles in
differential-privacy settings need not correspond to business relationships
in the obvious way. For example, a privacy-conscious organization might
choose to make its own analysts access sensitive data through an API that
provides some differential-privacy guarantee, effectively treating its own
employees as “adversaries.” Mironov also explained that there are variant
notions of differential privacy that do not implicitly regard the
database owner as good, and those querying it as bad. He described
differential privacy in the local model,87 where everyone
keeps his data to himself. They can distributively compute the responses to queries.
Fundamentally, Mironov explained, the definition of differential privacy is agnostic
to the data model.

While everything explained makes good sense, I don’t think it changes the
landscape. No actual mechanism can be agnostic to what data resides where.
And at the point when a data-mining architecture and mechanism is laid down,
considerations of efficiency, familiarity, and economics—not to mention
authorities’ fundamental desire to have and to hold the data—make it easy to
predict what will happen: almost always, a centralized design will emerge.
To me, differential privacy may be as authoritarian in its conceptual
underpinnings as IBE.

FHE and iO. Ever since Craig Gentry’s groundbreaking work,88
fully homomorphic encryption (FHE) has been a target of enormous intellectual
capital. In brief, FHE allows you to outsource your data, encrypted under a public
key of your choosing, to a service provider. Later, you can ask that party whatever
answer, not knowing what it means. This is returned to you for decryption.

From a political perspective, FHE sounds empowering—even utopian. The
You sidestep the Faustian bargain that routinely underlies cloud computing.89

But the analysis above is specious. It is quite speculative if FHE will ever
evolve into something practically useful. If you want to assess the
political leanings of something of speculative utility, you shouldn’t just
assume that it will give rise to the touted applications, and then try to
see who would win and who would lose. It’s too conjectural. It is better to
focus on how the pursuit changes us in the here and now.

And on that, I would say that FHE, along with iO,90 have
engendered a new wave of exuberance. In grant proposals, media interviews,
and talks, leading theorists speak of FHE and iO as game-changing
indications of where we have come.91 Nobody seems to emphasize just
how speculative it is that any of this will ever have any impact on practice.
Nor do people emphasize our vanishing privacy, our lousy computer security, or
how little modern cryptography has really done to change this landscape. And
this has consequences. (a) It misleads the public about where we stand. (b) It
shifts financial resources away from areas more likely to have social utility.
(c) It encourages bright young researchers to work on highly impractical directions.
(d) And it provides useful cover to the strongest opponents of privacy: defense
and intelligence agencies.

Let me expand on the last claim. Here is what DARPA Program Director Dan

Imagine a future that says: OK, I have to collect everything for big data
to work because if I knew what wasn’t relevant it wouldn’t be big data.
But I don’t want the government to just willy-nilly look through my
emails: that feels creepy. …

So this guy, Craig Gentry, … showed that you could … take a piece of data,
encrypt it, send it down the wire, never decrypt it, [but] still perform
[computation] … on it. It sounds crazy, except he showed you can do it ….

You could imagine the following: … [Organizations] collect … data but only
in … encrypted form …. Now let’s say you believe there is a bad guy hiding
somewhere in this encrypted data. So, I come up with a bunch of search
terms …. I could then go to a court … [and they] could say “yeah, that
looks reasonable.” I put the search into the engine but … all that comes
out is a number: how many people meet that criteria … You go back to the
FISA court, and say O.K. guys, we have 12. … I picture FISA putting in a
key, and then the Agency putting in a key, and they both turn it. And [at]
that point, for the first time, … are those 12 now revealed.92

Of course, it’s utter nonsense. To begin with, there’s no way to make sense
of who holds what key and what data for FHE to even apply. We’re also told:
that we need to collect everything because, if we didn’t, we wouldn’t have
enough data to have lots of data; that the government will be careful, as it
would be “creepy” if they weren’t; that they’ll get court orders—even,
apparently, to discover the number of people in datasets who satisfy some
specified search criteria; and that to get personally identifiable
information, they’ll need to have the cooperation of the NSA and the
FISA court.

Kaufman’s inchoate interview is but a tiny patch of discourse from an ocean
of misdirection on privacy. It doesn’t impugn FHE, but it does suggest how
power aims to use such work: to let them mumble words that sound
privacy-friendly. Providing strong funding for FHE and iO provides risk-free
political cover. It supports a storyline that cloud storage and computing is
safe. It helps entrench favored values within the cryptographic community:
speculative, theory-centric directions. And it helps keep harmless academics
who could, if they got feisty, start to innovate in more sensitive
directions.

Cryptanalysis. Finally, let me briefly mention
cryptanalysis. One might misinterpret the academic cryptanalytic undertaking
as an attack on the privacy of legitimate users—an attack on the inoffensive
Alice and Bob—which would thus seem to favor power.93 But this is
the opposite of the right view. The reason that academic
cryptographers do cryptanalysis is to better inform the designers and users
of cryptosystems about what is and what is not safe to do. The activity is
not done to surveil people, but to help ensure that people are not
surveilled—at least by cryptanalytic means. And the work routinely has exactly
that effect. The history of WEP provides a nice example.94

When the NSA or GCHQ engage in cryptanalysis, it is for a very different
purpose, and it has a very different effect. Does that mean that
cryptanalysis done by one group of people (spooks) will tend to favor
authority, while cryptanalysis done by another group of people (academics)
will tend in the exact opposite direction? It does. The specific work will
be different; its dissemination will be different; and its impact on human
rights will be different.

Unthreateningly engaged. Of course it hasn’t escaped the
notice of intelligence agencies that the majority of the academic
cryptographic community is unthreateningly engaged. In a declassified
trip-report about Eurocrypt 1992, the NSA author opines, for example:95

There were no proposals of cryptosystems, no novel cryptanalysis of old
designs, even very little on hardware design. I really don’t see how things
could have been better for our purposes.

The NSA’s newsletter in which this report appears would never again mention
that academic cryptographic community.96 Nor did any released
Snowden-derived document discuss anything of our community.97
It’s as though we progressed from a band of philosophers98 worth
a few pages of snarky commentary99 to an assemblage too insignificant
even for that.

Conclusion to part 2. A 2013 essay by Arvind Narayanan
suggests a simple taxonomy for cryptographic work:100 there’s
crypto-for-security
and
crypto-for-privacy. Crypto-for-security is crypto for commercial
purposes. It’s the crypto in TLS, payment cards, and cell phones.
Crypto-for-privacy has social or political aims. Here the author
distinguishes between pragmatic crypto—which is about trying to use
cryptography to retain our predigital privacy—and
cypherpunk crypto—the grander hope of using cryptography to
precipitate sweeping social or political reforms. The author suggests that
crypto-for-security has done well, but crypto-for-privacy has fared badly.

I think Narayanan’s division is illuminating, but he fails to mention that
most academic cryptography isn’t really crypto-for-security or
crypto-for-privacy: it is, one could say, crypto-for-crypto—meaning
that it doesn’t ostensibly benefit commerce or privacy, and it’s quite
speculative if it will ever evolve to do either. Perhaps every field
eventually becomes primarily self-referential. Maybe this is even necessary,
to some extent. But for cryptography, much is lost when we become so
inward-looking that almost nobody is working on problems we could help
with that address some basic human need. Crypto-for-crypto starves cryptofor-privacy,
leaving a hole, both technical and ethical, in what we collectively do.

## Part 3: The dystopian world of pervasive surveillance

Mass surveillance has motivated the contents of this essay, but is it so
serious a thing? Before the Snowden revelations,101 I myself didn’t
really think so. Environmental problems seemed more threatening to man’s future,
and my country’s endless wars seemed more deserving of moral consternation. It
wasn’t until Snowden that I finally internalized that the surveillance issue
was grave, was closely tied to our values and our profession, and was being quite

Law-enforcement framing. The framing of mass
surveillance determines what one thinks it is about.102
And mass surveillance has been brilliantly framed by authority so as to slant
discourse in a particular and predictable direction. Let me describe what I’ll
call the law-enforcement framing, as regularly communicated by
(U.S.) FBI Director James Comey:103

1. Privacy is personal good. It’s about your desire to control personal
2. Security, on the other hand, is a collective good. It’s about living
in a safe and secure world.
3. Privacy and security are inherently in conflict. As you strengthen one,
you weaken the other. We need to find the right balance.
4. Modern communications technology has destroyed the former balance. It’s
been a boon to privacy, and a blow to security. Encryption is especially
threatening. Our laws just haven’t kept up.104
5. Because of this, bad guys may win. The bad guys are terrorists,
murderers, child pornographers, drug traffickers, and money launderers.105 The technology that we good guys use—the bad guys use it too, to escape detection.
6. At this point, we run the risk of Going Dark.106 Warrants will be
issued, but, due to encryption, they’ll be meaningless. We’re becoming a country
of unopenable closets. Default encryption may make a good marketing pitch,
but it’s reckless design. It will lead us to a very dark place.

The narrative is inconsistent with the history of intelligence gathering,
and with the NSA’s own mission statement.107 Yet the narrative’s
uneasy coexistence with reality hasn’t mattered. It is, in fact, beautifully
crafted to frame matters in a way guaranteed to lead discourse where
authority wants it to go. It is a brilliant discourse of fear: fear of
crime; fear of losing our parents’ protection; even fear of the dark. The
narrative’s well-honed deceptiveness is itself a form of

Surveillance-studies framing. Of course there are radically
different ways to frame mass surveillance. Consider the following way to do
so, which follows often-heard thoughts from cypherpunks and surveillance
studies.109

1. Surveillance is an instrument of power.110 It is part of an apparatus
of control. Power need not be in-your-face to be effective: subtle, psychological,
nearly invisible methods can actually be more effective.
2. While surveillance is nothing new, technological changes have given
governments and corporations an unprecedented capacity to monitor
everyone’s communication and movement. Surveilling everyone has became
cheaper than figuring out whom to surveil, and the marginal cost is now
tiny.111 The Internet, once seen by many as a tool for
emancipation, is being transformed into the most dangerous facilitator for
totalitarianism ever seen.112
3. Governmental surveillance is strongly linked to cyberwar. Security
vulnerabilities that enable one enable the other. And, at least in the
USA, the same individuals and agencies handle both jobs. Surveillance is
also strongly linked to conventional warfare. As Gen. Michael Hayden has
explained, “we kill people based on metadata.”113 Surveillance and
assassination by drones are one technological ecosystem.
4. The law-enforcement narrative is wrong to position privacy as an
individual good when it is, just as much, a social good. It is equally
wrong to regard privacy and security as conflicting values, as privacy enhances security as often as it rubs against it.
5. Mass surveillance will tend to produce uniform, compliant, and shallow
people.114 It will thwart or reverse social progress. In a world
of ubiquitous monitoring, there is no space for personal exploration, and no
space to challenge social norms, either. Living in fear, there is no genuine
freedom.
6. But creeping surveillance is hard to stop, because of interlocking
corporate and governmental interests.115 Cryptography offers at
least some hope. With it, one might carve out a space free of power’s reach.

History teaches that extensive governmental surveillance becomes political
in character. As civil-rights attorney Frank Donner and the Church
Commission reports thoroughly document, domestic surveillance under U.S. FBI
director J. Edgar Hoover served as a mechanism to protect the status quo and
neutralize change movements.116 Very little of the FBI’s
surveillance-related efforts were directed at law-enforcement: as the
activities surveilled were rarely illegal, unwelcome behavior would result
in sabotage, threats, blackmail, and inappropriate prosecutions, instead.
For example, leveraging audio surveillance tapes, the FBI’s attempted to get
Dr. Martin Luther King, Jr., to kill himself.117
U.S. universities were thoroughly infiltrated with informants: selected students,
faculty, staff, and administrators would report to an extensive network of FBI
handlers on anything political going on on campus. The surveillance of dissent
became an institutional pillar for maintaining political order. The U.S. COINTELPRO
program would run for more than 15 years, permanently reshaping the U.S. political
landscape.118

Our dystopian future. Where mass surveillance leads has
been brilliantly explored in fictional accounts, starting with Yevgeny
Zamyatin’s 1921 novel We
(which inspired Orwell’s 1984). Set in a future of total
surveillance, the denizens of the “One State” have internalized lessons such
as: “we” is from God, and “I” is from the devil; that imagination is
illness; and that the key to ridding man of crime is ridding him of freedom.

But you don’t have to reach to fictional or historical accounts to
anticipate where we are headed. In a 2012 newsletter column, NSA’s “SIGINT
Philosopher,” Jacob Weber, shares his own vision. After failing an NSA
lie-detector test, he says:

I found myself wishing that my life would be constantly and completely
monitored. It might seem odd that a self-professed libertarian would wish
an Orwellian dystopia on himself, but here was my rationale: If people
knew a few things about me, I might seem suspicious. But if people knew

… A target that119 has no ill will to the U.S., but which is
being monitored, needs better and more monitoring, not less. So if we’re
in for a penny, we need to be in for a pound.120

Shrouded in enormous secrecy and complexity, the basic contours of the
surveillance state are fundamentally unknowable. What is the individual to
do? With everyone’s communication machine monitored, he knows that he’s a de facto
target. Millions of observations are made of his life. He is analyzed by techniques
he cannot remotely understand. He knows that today’s data, and yesterday’s, will
be scrutinized by tomorrow’s algorithms. These will employ sophisticated natural-language
processing, but probably won’t
actually understand human discourse. With all this, the rational individual
has no choice but to watch what he says, and to try to act like everyone else.

The film Citizenfour (2014) is at its best when it manages to sketch the
shape of this emerging world. One reviewer writes of the film

evoking the modern state as an unseen, ubiquitous presence, an abstraction
with enormous coercive resources at its disposal. …

It is everywhere and nowhere, the leviathan whose belly is our native
atmosphere. Mr. Snowden, unplugging the telephone in his room, hiding
under a blanket when typing on his laptop, looking mildly panicked when a
fire alarm is tested on his floor, can seem paranoid. He can also seem to
be practicing a kind of avant-garde common sense. It’s hard to tell the
difference, and [this] … can induce a kind of epistemological vertigo.
What do we know about what is known about us? Who knows it? Can we trust
them?121

To be more prosaic: I pick up the phone and call my colleague, Mihir
Bellare, or I tap out an email to him. How many copies of this communication
will be stored, and by whom? What algorithms will analyze it—now and in the
future? What other data will it be combined with in an attempt to form a
picture of me? What would trigger a human analyst to get involved? Might my
call or email contribute to a tax audit, a negative grant-funding decision,
some Hoover-style dirty tricks, or even an assassination? There is not a
single person who knows the answer to these questions, and those who know

Conclusion to part 3. Ultimately, I’m not much interested in
individual grievances over privacy; I am far more concerned with what surveillance
does to society and human rights. Totalized surveillance vastly diminishes the
possibility of effective political dissent. And without dissent, social progress
is unlikely.

Consider an event like the 1971 burglary of the FBI branch office in Media,
Pennsylvania.122 With the degree of surveillance we now live
under, the whistleblowers—beginning with that feisty physics professor who
led the effort123—would be promptly arrested, and even charged
with espionage. They would have spent years in prison, or even faced
execution. Facing such outcomes and odds, the activists would not have
attempted their daring burglary. In an essay that focuses on remedies for

Where exactly is the maximum tolerable level of surveillance, beyond which
it becomes oppressive? That happens when surveillance interferes with the
functioning of democracy: when whistleblowers (such as Snowden) are likely
to be caught.124

Online and telephone surveillance already results in the imprisonment of
political dissidents around the world,125 and it undergirds my
own country’s drone-assassination program.126 In the U.S.,
Miami-model policing127 has made attending political protests (or
just being near one in your car, or with your phone) an intimidating
proposition. With journalists’ communications routinely monitored,
investigative journalism is under attack.128 Is democracy or social
progress possible in such an environment?

But, despite all these arguments, I am skeptical about rationalist accounts
of ethical affronts, be it mass surveillance or anything else. If we behave
morally, it is not because of rational analyses, but an instinctual
preference for liberty, empathy, or companionship.129 As Schneier
points out, animals don’t like to be surveilled because it makes them feel
like prey, while it makes the surveillor feel like—and act like—a predator.130 I think people know at an instinctual level that a life in which our thoughts,
discourse, and interactions are subjected to constant algorithmic or human monitoring
is no life at all. We are sprinting towards a world that we know, even without
rational thought, is not a place where man belongs.

## Part 4: Creating a more just and useful field

What can we cryptographers realistically do to collectively up our
contribution to crypto-for-privacy? I claim no easy answers. I can offer
only modest ideas.

Secure messaging in the untrusted-server model. Problem
selection is the most obvious aspect in determining our community’s impact,
and secure messaging, in all its forms, remains the most outstanding problem
in crypto-for-privacy. While mix nets, onion routing, and DC nets have all
proven to be highly useful,131
it is not too late to be thinking on new architectures for secure communications.

Consider the following problem, which is inspired by Pond and the PANDA
protocol that it can use.132 The aim is similar to Adam Langley’s
Pond protocol: to create an alternative to email or instant messaging but where
“big brother” is unable to figure out who is communicating with whom. Unlike
Pond, I don’t want to rely on Tor, for we seek security in the face of a global,
active adversary (as well as a clean, provable-security treatment). Tor can always
be layered on top, as a heuristic measure, to hide system participants.

The intent is this. Pairs of people who want to communicate are assumed to
initially share a password. They won’t directly talk with one another;
rather, all communications will go through an untrusted server.
First, parties upgrade their shared password to a strong key with an
anonymous rendezvous
protocol. Thereafter, the sender can deposit a (constant-length) encrypted message
at the server. When a party wants to retrieve his ith message,
he’ll interact with the same server, which gives him a string computed from
the database contents. The value permits the receiver to recover the
intended message—or, alternatively, an indication that there is no such
ith message for him. But, throughout, all the server ever sees are
parties depositing random-looking strings to the server, and parties
collecting random-looking strings from the server, these computed by
applying some non-secret function to the server’s non-secret database.
Neither the server nor an active, global adversary can figure out who has
communicated with whom, or even whether a communications has taken place.
The goal is to do all this as efficiently as possible—in particular, much
more efficiently than the server just handing each recipient its entire
database of encrypted messages.

In ongoing work, colleagues and I are working out a provable-security
treatment for the approach above. It uses conventional, game-based
definition, not the fuzzy concepts or vocabulary from much of the anonymity
literature.133 We hope that the anonymous messaging in this untrusted-server
model will eventually prove practical for the high-latency setting. We will see.

Bigkey cryptography. Let me next describe some recent work
by Mihir Bellare, Daniel Kane, and me that we call
bigkey cryptography.134

The intent of bigkey cryptography is to allow cryptographic operations to
depend on enormous keys—megabytes to terabytes long. We want our keys so
long that it becomes infeasible for an adversary to exfiltrate them. Yet
using such a bigkey mustn’t make things slow. This implies that, with each
use, only a small fraction of the bigkey’s bits will be inspected.

The basic idea is not new: the concept is usually referred to as security in
the
bounded-retrieval model.135 But our emphasis is new: practical
and general tools, with sharp, concrete bounds. We have no objection to using
the random-oracle model to achieve these ends.

Suppose you have a bigkey

$mathbf K$

. You want to use it
for some protocol

$P$

that has been designed to use a conventional-length
key

$mathbf K$

. So choose a random value

$R$

(maybe 256 bits) and hash it to get some number

$p$

of probes
into the bigkey:

$i_1 = H(R, 1) quad i_2 = H(R, 2) quad ldots quad i_p = H(R, p).$

Each probe

$i_j$

points into

$mathbf K$

:
it’s a number between 1 and

$|mathbf K|$

. So you grab the

$p$

bits at those locations and hash them, along with

$R$

, to get a derived key

$K$

:

$K = H'(R, mathbf K[i_1], ldots, mathbf K[i_p]) = mathrm{XKEY}(mathbf K, R).$

Where you would otherwise have used the protocol

$P$

with a
shared key

$K$

, you will now use

$P$

with a
shared bigkey

$mathbf K$

, a freshly chosen

$R$

, this
determining the conventional key

$K = mathrm{XKEY}(mathbf K, R)$

.

We show that derived-key

$K$

is indistinguishable from a uniformly
random key

$K’$

$R$

and can learn lots of information about the bigkey

$mathbf K$

. The result is quantitative, measuring how good the derived key is as a
function of the length of the bigkey, the number of bits leaked from it, the
number of probes

$p$

, the length of

$R$

,
and the number of random-oracle calls.

At the heart of this result is an information-theoretic question we call the
subkey-prediction problem. Imagine a random key

$mathbf K$

$ell < |mathbf K|$

bits of
information about. After that leakage, we select

$p$

random
locations into

$mathbf K$

, give those locations to the

$p$

bits.
How well can it do?

It turns out that the adversary can do better than just recording

$ell$

bits of the key

$mathbf K$

and hoping that lots of probes
fall there. But it can’t do much better. Had nothing been leaked to

$ell = 0$

, then each probe would contribute
about one bit of entropy to the random variable the adversary must guess.
But if, say, half the key is leaked,

$ell leq |mathbf K|/2$

, each probe will now contribute about

$0.156$

bits of entropy.136 The adversary’s chance of winning the
subkey-prediction game will be bounded by something that’s around

$2^{-0.156p}$

$p = 820$

probes for 128-bit security, or twice that for 256-bit security.

I think that the subkey prediction problem, and the key-encapsulation
algorithm based on it, will give rise to nice means for
exfiltration-resistant authenticated-encryption and pseudorandom generators.137 In general, I see bigkey cryptography as one tool that cryptographers can contribute
to make mass surveillance harder.

More examples. Here are a few more examples of crypto-for-privacy
work.

Consider the beautiful paper on Riposte, by Corrigan-Gibbs,
Boneh, and Mazières.138 A user, speaking with others on the
Internet, wants to broadcast a message, such as a leaked document, without
revealing his identity. The network is subject to pervasive monitoring. The
authors develop definitions, protocols, and proofs for the problem,
attending closely to efficiency.139
They implement their schemes. Combining all these elements is rare—and very much
needed.140

Or consider the work of Colin Percival in which he introduced the hash
function scrypt.141 Percival explained that,
when applying an intentionally slow-to-compute hash function to a password
and salt so as to up the cost of dictionary attacks,142 it is
better if the hash function can’t be sped up all that much with custom
hardware. To achieve this aim, computing the hash function shouldn’t just
take lots of time, but lots of (sequentially accessed) memory. This
insightful idea comes from Abadi, Burrows, Manasse, and Wobber, who wanted
to make sure that, for a variety of settings, computing an
intentionally-slow hash function on a high-end system would take roughly as
long as computing it on a low-end system.143 Quite recently, a
Password Hashing Competition (PHC) concluded having chosen a scheme,
Argon2,144 that follows this lead. Meanwhile,
the theory for this sort of hash function has nicely progressed.145
While we don’t yet have good bounds on schemes like scrypt and Argon2, I think
we’re getting there.146

Or consider the paper on the susceptibility of symmetric encryption to mass
surveillance by colleagues and me.147 We discussed
algorithm-substitution attacks, wherein big brother
replaces a real symmetric encryption algorithm by a
subverted
one. Big brother’s aim is to surreptitiously decrypt all encrypted traffic. The
idea goes back to Young and Yung;148 all we did was to rigorously
explore the idea in the context of symmetric encryption. Yet what we found was
disturbing: that almost all symmetric encryption schemes can be easily subverted.
Still, we showed that it is easy to make schemes where this isn’t true.

And then there’s the Logjam paper, showing, for the
umpteenth time, that we must watch out for the cryptanalytic value of
precomputation.149 Attacks should routinely be regarded as a
two-step process: an expensive one that depends on widely shared parameters,
then a cheaper, individualized attack.150
Such thinking goes back to early time-memory tradeoffs,151 and to
many cryptographer’s preference for nonuniform adversaries. It occurs in
practical work, as in attacks on A5/1 in GSM phones.152 And it is
also the model that intelligence agencies seem to gravitate to, as suggested
by the NSA’s attack on FPE scheme FF2 and the fact that they regarded this
attack as serious.153

Choose well. As I hope the examples I have given
illustrate, there are important crypto-for-privacy problems out there, and
they are quite diverse. Choose your problems well. Let values inform your
choice. Many times I have spoken to people who seem to have no real idea
why they are studying what they are. The real answer is often that they
can do it, it gets published, and that people did this stuff before. These are
lousy reasons for doing something.

Introspection can’t be rushed. In the rush to publish paper after paper, who
has the time? I think we should breathe, write fewer papers, and have them
matter more.

• Attend to problems’ social value. Do anti-surveillance research.
• Be introspective about why you are working on the problems you are.

In enumerating example directions for anti-surveillance research, I didn’t
include the kind of work, rather common in the PET (privacy-enhancing
technology) literature, that assumes that there will be pervasive
collection, and then tries to do what one can to minimize misuse.154
Since the immorality occurs at the point of data collection, the aim here is
to try to blunt the impact of the wrong already done. But it is hard to know
how this plays out. I am concerned that the work can play into the hands of those
who seek technical support for a position that says, in effect, “the collect-it-all
approach is inevitable and only temporarily problematic, for, once we figure
this all out, privacy will be handled downstream, when the data is used.” But
pervasive collection itself
chills free-speech and threatens liberal democracy, regardless of what one claims
will happen downstream.155

Practice-oriented provable security. It’s not just the
topics we work on, but how we execute on them that shapes our field’s
direction. For nearly 25 years Mihir Bellare and I have developed that we
call practice-oriented provable security. In a 2009 essay and talk,156
I discussed how various inessential choices engendered a theory of cryptography
that was less useful than necessary. Today, I might number among the important
historical choices (1) a preference for asymptotic analyses
and theorems, and the correspondingly coarse conceptualizations of security
with which this is paired; (2) a preference towards
minimalism, aesthetically construed, as a starting point for reductions;
(3)
the dismissal of symmetric primitives and finite functions as targets of rigorous
inquiry; (4) a tradition of using nonconstructive language
for stating results; (5) the marginalization of secure
messaging; and (6) a condemnatory attitude towards the
random-oracle model, the random-permutation model, the ideal-cipher model,
Dolev-Yao models,157 and any other model deemed non-standard.

Practice-oriented provable security inverts such choices. It retains
provable-security’s focus on definitions and proofs, but these are
understood as tools that earn their value mostly by their utility to
security or privacy. The approach is equally at home in those two realms,
but it has been underused for privacy problems like secure messaging. Better
treating mix-nets and onion routing is an obvious place to start, which
students and I are doing.

• Apply practice-oriented provable security to anti-surveillance problems.

Funding.158 In the United States, it would seem
that the majority of extramural cryptographic funding may now come from the
military.159 From 2000 to 2010, fewer than 15% of the papers at
CRYPTO that acknowledged U.S. extramural funding acknowledged DoD funding.160
In 2011, this rose to 25%. From 2012 to 2015, it rose to 65%.161 Nowadays,
many cryptographers put together a large patchwork of grants, the largest of
which are usually DoD. The following funding acknowledgment isn’t so very atypical:

This work was supported by NSF, the DARPA PROCEED program, an AFOSR MURI
award, a grant from ONR, an IARPA project provided via DoI/NBC, and by
Samsung.162

The military funding of science invariably redirects it163 and
creates moral hazards.164 Yet suggesting to someone that they might
want to reconsider their taking DoD funding may anger even a placid colleague,
for it will be perceived as an assault both on one’s character and his ability
to succeed.

No matter what people say, our scientific work does change in
response to sponsor’s institutional aims. These aims may not be one’s own.
For example, the mission of DARPA is “to invest in the breakthrough
technologies that can create the next generation of [U.S.] national security
capabilities.” Having begun in the wake of Sputnik, the agency speaks of
avoiding technological surprise—and creating it for America’s
enemies.165 In the USA, the NSA advises other DoD agencies on crypto-related
grants. At least sometimes, they advise the NSF. Back in 1996, the NSA tried
to quash my own NSF CAREER award. I learned this from my former NSF program manager,
Dana Latch, who not only refused the NSA request, but, annoyed by it, told me.
An internal history of the NSA reports on the mistake of theirs that allowed
funding the grant leading to RSA.

NSA had reviewed the Rivest [grant] application, but the wording was so
general that the Agency did not spot the threat and passed it back to NSF
without comment. Since the technique had been jointly funded by NSF and the
Office of Naval Research, NSA’s new director, Admiral Bobby Inman, visited
the director of ONR to secure a commitment that ONR would get NSA’s
coordination on all such future grant proposals.166

People are often happy to get funding, regardless of its source. But I would
suggest that if a funding agency embraces values inconsistent with your own,
then maybe you shouldn’t take their money. Institutions have values,
no less than men. Perhaps, in the modern era, they even have more.

Large organizations have multiple and sometimes conflicting aims. Military
organizations with offensive and defensive roles in cybersecurity have COIs
built into their design. Individuals are wrong to assume that their work is
non-military work errantly funded by the military.

In his farewell address of 1961, President Dwight D. Eisenhower introduced
the phrase, and concept, of the military-industrial complex. In an earlier
version of that speech, Eisenhower tellingly called it the
to reverse our complicity in this convergence of interests, maybe we need to
step away from this trough.

None of this was clear to me when I first joined the university. A few years
ago I joined in on a DoD grant proposal (fortunately, unfunded), which I
would not do today. It took me a long time to realize what eventually became
obvious to me: that the funding we take both impacts our beliefs and
reflects on them.

In the end, a major reason that crypto-for-privacy has fared poorly may be
that funding agencies may not want to see progress in this direction,168
and most companies don’t want progress here, either. Cryptographers have internalized
this. Mostly, we’ve been in the business of helping business and government keep
things safe. Governments and companies have become our “customers,” not some
ragtag group of activists, journalists, or dissidents, and not some abstract
notion of the people. Crypto-for-privacy will fare better when
cryptographers stop taking DoD funds and, more than that, start thinking of
a very different constituency for our output.

• Think twice, and then again, about accepting military funding.169
• Regard ordinary people as those whose needs you ultimately aim to satisfy.

whatever you want that is connected to your work, even if it goes against
the wishes of power: your university, corporations, or the state. While
academic freedom seems to be in decline,170 at least for now, it recognizably
persists.

Normally, scientists and other academics don’t actually need or use their
academic freedom: all they really need is funding and skill.171
But crypto-for-privacy may be a rare topic where academic freedom
is useful.172 I suggest that people use this gift. Unexercised,
academic freedom will wither and die.

autonomy to work on what they think is important, without losing their jobs,
even if it’s not what their employer really wants or likes.

• Use the academic freedom that you have.

Against dogma. I think that many cryptographers would do
well to foster a more open-minded attitude to unfamiliar models, approaches,
and goals. The disciplinary narrowing within cryptography’s tier-1 venues
has been pronounced.173 Many people seem to hold rather strident
beliefs about what kinds of work are good. Sometimes it borders on
silliness, as when people refuse to use the word proof for proofs in
the random-oracle model. (Obviously a proof in the random-oracle model is no
less a proof than a proof in any other model.)

As cryptographers, we must always be sensitive, and skeptical, about the
relationship between our models and actual privacy or security.
This doesn’t mean that we should not take models seriously. It means that we
should see them as tentative and dialectical. There’s a lovely aphorism from
statistician George Box, who said that
all models are wrong, but some are useful.174

Cryptography needs useful models. But the assessment of a model’s utility
is itself problematic. We ask of definitions: How clean? How understandable?
How general? What aspects of the computing environment are covered? What does
and doesn’t it imply? The definitional enterprise sits at a juncture of math,
aesthetics, philosophy, technology, and culture. So situated, dogma is disease.

It has been claimed that the mission of theoretical cryptography is to
define and construct provably secure cryptographic protocols and schemes.175
But this is an activity of theoretical cryptography, not its mission. There are
many other activities. One might work on models and results that are completely
rigorous but fall outside of the provable-security framework.176
Or one can take an important protocol as fixed and then analyze it, in whatever
framework works best. The aim for my own work has been to develop ideas that
I hope will contribute to the construction of secure computing systems. In the
symbology of Amit Sahai’s lovely flower-garden,177 theory-minded cryptographers
can be gardeners, growing seeds (hardness assumptions) into flowers (cryptographic
goals); but they can do many other things as well. Which is fortunate, as cryptographic
practice hasn’t benefited all that much from our horticultural activities.

• Be open to diverse models. Regard all models as suspect and dialectical.

A more expansive view. I would encourage cryptographers—especially
young people in our field—to try to get a systems-level view of what is going
on when cryptography is used. You need a way better view of things than a technophobe
like me will ever have.

I remember reading that 2012 paper of Dan Boneh and his coauthors, The Most Dangerous Code in the World,178 and feeling humbled by the fact that there was this entire
universe of code—this middleware—that I didn’t even know
existed, but that could, and routinely did, annul the cryptography
that was there. When the NSA revelations caused people to speculate as to
how Internet cryptography was being defeated, it occurred to me that perhaps
the NSA didn’t need any clever cryptanalysis—what they needed, most of all,
was to buy exploits and hire people with a systems-level view of the
computing ecosystem.

One approach that might be useful for gaining a good vantage is to take an
API-centric view of things.179 Not only are API misunderstandings
a common security problem, but gaps between cryptographic formalizations and
APIs can produce serious cryptographic problems.180 And in the
constructive direction, the notion of online-AE, for example,181 effectively
flows from taking an API-centric view. APIs and “serious” cryptography need stronger
bonds.

Research communities have a general tendency to become inward-looking. As a
community, we have fostered strong relationships to algorithms and
complexity theory, but have done less well attending to privacy research,
programming languages, or the law. We will play a larger social role if we
up our connections to neighbors.

I recently saw a nice talk by Chris Soghoian in which he described his
frustration in trying to get media to report on, or anyone else to care
about, the well-known fact (that is actually not well known) that
cell-phone conversations have essentially no privacy.182 Cryptographers
should be helping with such communications. But I wonder how much we have even
paid attention. For most of us, if it’s not what one’s working on, one doesn’t
really care. There isn’t time.

• Get a systems-level view. Attend to that which surrounds our field.

Learn some privacy tools. I would like to gently suggest
that we cryptographers would do well to learn, and use, contemporary privacy
tools. Very few of us use tools like OTR, PGP, Signal, Tails, and Tor. It’s
kind of an embarrassment—and I suspect our collective work suffers for it.
Christopher Soghoian insightfully remarks: “It’s as if the entire academic
medical community smoked 20 cigarettes a day, used intravenous drugs with
shared needles, and had unprotected sex with random partners on a regular
basis.”183

I’m a bizarre person to advocate in this direction—it’s definitely a case of
the pot calling the kettle black. I am dispositionally uninterested in using
technology, and am incompetent at doing so if I try. I don’t even own a
smartphone. Yet I suspect that there is nothing like experience to motivate
cryptographers to identify and solve the privacy problems that will help us
to transform hard-to-use tools for nerds into transparently embedded
mechanisms for the masses. The first problem I suggested in Section 4 is
something I thought of within days of starting to use Pond.

• Learn some privacy tools. Use them. Improve them.

in our field. People spin fun and fanciful stories. Protocol participants are
a caricatured Alice and Bob. Adversaries are little devils, complete with horns
and a pitchfork. Some crypto talks are so packed with clip-art you can hardly
find the content. I have never liked this, but, after the Snowden revelations,
it started to vex me like never before.

Cryptography is serious, with ideas often hard to understand. When we try to
explain them with cartoons and cute narratives, I don’t think we make our
contributions easier to understand. What we actually do is add in a
layer of obfuscation that must be peeled away to understand what has
actually been done. Worse, the cartoon-heavy cryptography can reshape our
internal vision of our role. The adversary as a \$53-billion-a-year
military-industrial-surveillance complex and the adversary as a
red-devil-with-horns induce entirely different thought processes. If we see
adversaries in one of these ways, we will actually see at a different set of
problems to work on than if we see things in the other. Whimsical

As a graduate student, I wanted our field to feel fantastical. I wanted a
discipline full of space aliens and communicating millionaires. Not only was
it fun, but it stroked my ego, effectively embodying the sentiment: I am a scientist too smart to have to deal with small-minded concerns.

At this point, I think we would do well to put ourselves in the mindset of a
real adversary, not a notional one: the well-funded intelligence
agency, the profit-obsessed multinational, the drug cartel. You have an
enormous budget. You control lots of infrastructure. You have teams of
attorneys more than willing to interpret the law creatively. You have a huge
portfolio of zero-days.185 You have a mountain of self-righteous
Collect it All, Exploit it All, Know it All.186 What would
frustrate you? What problems do you not want a bunch of super-smart academics
to solve?

• Stop with the cutesy pictures. Take adversaries seriously.

A cryptographic commons. Many people see the Internet as some
sort of magnificent commons. This is a fantasy. There are some successful commons
within the Internet: Wikipedia, the free software movement, Creative Commons,
OpenSSL, Tor, and more. But most people turn almost exclusively to services mediated
by a handful of corporations that provide the electronic mail, instant messaging,
cloud storage, and cloud computing, for example, that people use. And they provide
the hardware on which all this stuff sits.

We need to erect a much expanded commons on the Internet. We need to realize
free software and free/open hardware. We need to build systems beyond the
reach of super-sized companies and spy agencies. Such services must be based
on strong cryptography. Emphasizing that prerequisite, we need to expand our
cryptographic commons.

Dreams for such a commons go back to the cypherpunks, who built remailers,
for example, as a communitarian service to enable secure communications.
More recently, Feigenbaum and Koenig articulate such a vision.187
After explaining that centralized cloud services play a central role in enabling
mass surveillance, they call for a grass-roots effort to develop new, global-scale
cloud services based on open-source, decentralized, configuration-management
tools.

We might start small by doing our piece to improve the commons we do have:
Wikipedia. It could become a routine undertaking at IACR conferences and
workshops, or at Dagstuhl meeting, for folks to gather around for an
dealing with cryptography. It’s the sort of effort that will pay off in many
unseen ways.

• Design and build a broadly useful cryptographic commons.

Communications. In advancing our field, well-named notions
have always been important. One has only to think back to
zero-knowledge
(and the competing term minimal-disclosure) to recall how a
beautiful phrase could help catapult a beautiful idea into prominence.
Similarly, the six-letter phrase 33 bits does a remarkably good job
of embodying an important concept without going anywhere near contested
vocabulary.188 In both cryptography and privacy, language is both
formative and fraught.

The word privacy, its meaning abstract and debated, its
connotations often negative, is not a winning word. Privacy is for medical
records, toileting, and sex — not for democracy or freedom. The word
anonymity is even worse: modern political parlance has painted this
as nearly a flavor of terrorism. Security is more winning a word
and, in fact, I spoke of secure messaging instead of
private messaging or anonymous messaging because I think
it better captures what I want conveyed: that a communication whose
endpoints are manifest is not at all secure. A person needs to feel
insecure if using such a channel.

But even the word security doesn’t support a good framing of our
problem: we should try to speak of thwarting mass surveillance more than
enhancing privacy, anonymity, or security. As discussed before, we know
instinctively that ubiquitous surveillance is incompatible with freedom,
democracy, and human rights.189 This makes surveillance a thing against
which one can fight. The surveillance camera and data center make visual our
emerging dystopia, while privacy, anonymity, and security are so abstract as
to nearly defy visual representation.

Concretely, research that aims to undermine objectionable surveillance might
be called anti-surveillance research.190 Tools for this
end would be anti-surveillance technologies.191 And
choosing the problems one works on based on an ethical vision might be
called conscience-based research.

• Choose language well. Communication is integral to having an impact.

Institutional values. This essay might seem to focus on the
ethical weight of each scientist’s personal, professional choices. But I am actually
more concerned about how we, as cryptographers and computer scientists, act in
aggregate. Our collective behavior embodies values—and the institutions we create
do, too.

I do not intend to criticize any particular individual. People should and
will work on what they think to be most valuable. The problem occurs when
our community, as a whole, systematically devalues utility or social worth.
Then we have a collective failure. The failure falls on no one in
particular, and yet it falls on everyone.

Conclusion to it all. Many before me have discussed the
importance of ethics, disciplinary culture, and political context in shaping
what we do. For example, Neal Koblitz asserts that the founding of the
CRYPTO conference in 1981 was itself an act of defiance. He warns of the
corrupting role that funding can play. And he concludes his own essay with
an assertion that drama and conflict are inherent in cryptography, but that
this also makes for some of the field’s fun.192
Susan Landau reminds us that privacy reaches far beyond engineering, and into
law, economics, and beyond. She reminds us that minimizing data collection is
part of the ACM Code of Ethics and Professional Conduct.193

As computer scientists and cryptographers, we are twice culpable when it
comes to mass surveillance: computer science created the technologies that
underlie our communications infrastructure, and that are now turning it into
an apparatus for surveillance and control; while cryptography contains
within it the underused potential to help redirect this tragic turn.194

Authors and filmmakers, futurists and scientists, have laid out many
competing visions for man’s demise. For example, Bill Joy worries about
nanotechnology turning the biosphere into gray goo, or super-intelligent
robots deciding that man is a nuisance, or a pet.195 I don’t lose
sleep over such possibilities; I don’t see them as our likely end. But a creeping
surveillance that grows organically in the public and private sectors, that becomes
increasingly comprehensive, entwined, and predictive, that becomes an instrument
for assassination, political control, and the maintenance of power—well, this
vision doesn’t merely seem possible, it seems to be happening before our eyes.

I am not optimistic. The figure of the heroic cryptographer sweeping in to
save the world from totalitarian surveillance is ludicrous.196 And
in a world where intelligence agencies stockpile and exploit countless vulnerabilities,
obtain CA secret keys, subvert software-update mechanisms, infiltrate private
companies with moles, redirect online discussions in favored directions, and
exert enormous influence on standards bodies, cryptography alone will be an ineffectual
response. At best, cryptography might be a tool for creating possibilities within
contours circumscribed by other forces.

Still, there are reasons to smile. A billion users are getting encrypted
instant messaging using WhatsApp and its embedded Axolotl protocol.197
Two million clients connect using Tor each day.198 Cryptography
papers inspired by the Snowden revelations are starting to come out apace.
More than 50 crypto and security researchers from the U.S.A. signed an open
letter I co-organized deploring society-wide surveillance.199 The
15-author Keys Under Doormats report200 is an explicit attempt
to have cryptographic expertise inform policy.

And it’s not as though crypto-for-privacy is something new or deprecated
within our community. Cryptographers like Ross Anderson, Dan Bernstein, Matt
Blaze, David Chaum, Joan Feigenbaum, Matt Green, Nadia Heninger, Tanja
Lange, Arjen Lenstra, Kenny Paterson, Ron Rivest, Adi Shamir, Nigel Smart,
and Moti Yung, to name just a few, have been attending to practical privacy
long before it started to get trendy (if this is happening). The RWC
(Real World Cryptography) conference is creating a new and healthy mix of participants.

Talks, workshops, and panel discussions on mass surveillance are helping
cryptographers see that dealing with mass surveillance is a problem
within our discipline. Bart Preneel and Adi Shamir have been going around
giving talks entitled Post-Snowden Cryptography, and there were
panel discussions with this title at Eurocrypt 2014 and RSA-CT 2015.

Articles are emerging with titles like “Cryptographers have an ethics
problem.”201 When an attack on Tor by CMU researchers was
allegedly used to provide bulk anonymized data to the FBI, CMU and the
researchers involved were publicly shamed.202 The IACR itself has
been getting more vocal, both with the Copenhagen Resolution203
and the statement on Australia’s Defence Trade Controls Act.204

While our community has embraced crypto-for-privacy less than I would like,
this has been a cultural issue—and culture can change.

I have heard it said that if you think cryptography is your solution, you
don’t understand your problem.205 If this quip is true, then our field
has gone seriously astray. But we can correct it. We need to make cryptography
the solution to the problem: “how do you make surveillance more expensive?”

Dan Bernstein speaks of interesting crypto and
boring crypto. Interesting crypto is crypto that supports plenty of
academic papers. Boring crypto is “crypto that simply works, solidly resists
flippant way,

What will happen if the crypto users convince some crypto researchers to
actually create boring crypto?

No more real-world attacks. No more emergency upgrades. Limited audience
for any minor attack improvements and for replacement crypto.

This is an existential threat against future crypto research.206

If this is boring crypto, we need to go do some.

Cypherpunk cryptography has been described as crypto with an attitude.207
But it is much more than that, for, more than anything else, what the cypherpunks
wanted was crypto with values. And values, deeply felt and deeply
embedded into our work, is what the cryptographic community needs most. And
perhaps a dose of that cypherpunk verve.208

It has been said that just because you don’t take an interest in politics,
doesn’t mean politics won’t take an interest in you.209 Since cryptography
is a tool for shifting power, the people who know this subject well, like it
or not, inherit some of that power. As a cryptographer, you can ignore this landscape
of power, and all political and moral dimensions of our field. But that won’t
make them go away. It will just tend to make your work less relevant or socially
useful.

My hope for this essay is that you will internalize this fact and recognize
it as the starting point for developing an ethically driven vision for what
you want to accomplish with your scientific work.

I began this essay speaking of the Russell–Einstein manifesto, so let me end
there as well, with Joseph Rotblat’s plea from his Nobel prize acceptance
speech:

At a time when science plays such a powerful role in the life of society,
when the destiny of the whole of mankind may hinge on the results of
scientific research, it is incumbent on all scientists to be fully conscious
of that role, and conduct themselves accordingly. I appeal to my fellow
scientists to remember their responsibility to humanity.210

## Acknowledgements

My thanks go first to Mihir Bellare for countless discussions on the topic
of this essay. For years, not only have we collaborated closely on technical
matters, but we have also much discussed the values and sensibilities
implicitly embedded within cryptographic work. Without Mihir, not only would
I have done far less technically, but I would also understand far less about
who cryptographers are.

Ron Rivest not only provided useful comments, but has been much on my mind
as I have agonized over this essay. Many other people have given me
important suggestions and ideas. I would like to thank Jake Appelbaum, Ross
Anderson, Tom Berson, Dan Boneh, David Chaum, Joan Feigenbaum, Pooya
Farshim, Seda G¨urses, Tanja Lange, Chip Martel, Stephen Mason, Chanathip
Namprempre, Ilya Mironov, Chris Patton, Charles Raab, Tom Ristenpart, Amit
Sahai, Rylan Schaeffer, Adi Shamir, Jessica Malekos Smith, Christopher
Soghoian, Richard Stallman, Colleen Swanson, Bj¨orn Tackmann, Helen Thom,
Jesse Walker, Jacob Weber, and Yusi (James) Zhang for their comments,
discussions, and corrections.

My view of what science is and what the scientist should be was strongly
shaped by watching Jacob Bronowski when I was a child.211

All original technical work mentioned in this essay (e.g., what is
described in the first pages of Part 4) was supported by NSF Grant CNS
1228828. But I emphasize that all opinions, findings, conclusions and
recommendations in this essay (and this essay is mostly opinions and
recommendations) reflect the views of the author alone, not necessarily the views
of the National Science Foundation.

Thanks to the Schloss Dagstuhl staff and to the participants of workshop
14401, Privacy and Security in an Age of Surveillance, where ideas
related to this essay were discussed.212

Some of the work on this essay was done while I was a guest professor at
ENS, Paris, hosted by David Pointcheval.

My thanks to the IACR Board for the privilege of giving this year’s IACR
Distinguished Lecture. It is an honor that happens at most once in a
cryptographer’s career, and I have tried my best to use this opportunity
wisely.

This essay owes its existence to the courage of Edward Snowden.