[cryptography] OTR and deniability

Ian G iang at iang.org
Mon Jul 18 19:48:37 EDT 2011

Back in the 1980s, a little thing called public key cryptography gave 
birth to a metaphor called the "digital signature" which some smart 
cryptographers thought to be a technological analogue of the human 
manuscript act of signing.

It wasn't, but this didn't stop the world spending vast sums to 
experiment with it.  They still are, in Europe.  Oh well, that would 
have been OK as long as it didn't hurt anyone.

But it gets worse.  Those same cryptographic dreamers theorised that 
because their mathematics was so damn elegant, the maths couldn't lie. 
So, they could promote a "non-repudiable signature" as a technological 
advance over ink & quill.  The maths was undeniable, right?  Although 
these days we know better, that "non-repudiation" is a crock, we still 
have people running around promoting it, and old text books suggesting 
it as an important cryptographic feature.

Repudiation is a legal right, it's a valuable option within dispute 
resolution, not a mathematical variable to solve out of the equation.

You can't mathematise away legal rights, any more than you can 
democratise poverty away in the middle east, nor militarise pleasure 
away in a random war on drugs.

OTR makes the same error.  It takes a very interesting mathematical 
property, and extend it into the hard human world, as if the words carry 
the same meaning.  Perhaps, once upon a time, in some TV court room 
drama, someone got away with lying about a document?  From this, OTR 
suggests that mathematics can help you deny a transcript?  It can't.  It 
can certainly muddy the waters, it can certainly give you enough rope to 
hang yourself, but what it can't do is give some veneer of "it didn't 
happen."  Not in court, not in the hard world of humans.

I am reminded of a film _A few good men_ which is somewhat apropos of 
those two young kids wasting away in some afghan shithole that passes 
for military justice.  It's that well known scene where Cruise traps 
Nickolson in to undenying his repudiation:

    Kaffee: *Did you order the Code Red* ?
    Col. Jessep: *Youre Goddamn right I did* !


That's repudiation, real life version.  And that's what happens to it, 
as summed up by Kafee afterwards:  "the witness has rights..." 
Mathematics has no place there, as is shown by all the other muddy 
evidence in the case.

On 16/07/11 6:52 AM, Meredith L. Patterson wrote:
> On Fri, Jul 15, 2011 at 6:45 PM, Marsh Ray <marsh at extendedsubset.com
> <mailto:marsh at extendedsubset.com>> wrote:
>     On 07/14/2011 01:59 PM, Steven Bellovin wrote:
>         Put another way, the goal in a trial is not a mathematical proof,
>         it's proof to a certain standard of evidence, based on many
>         different
>         pieces of data.  Life isn't a cryptographic protocol.
>     The interesting thing in this case though is that the person
>     providing the plaintext log file is:
>     a) a convicted felon
>     b) working for the investigators/prosecutors (since before the
>     purported log file's creation?)
>     c) himself skilled in hacking
> Those bullet points are far more likely to be brought up at trial than
> any of the security properties of OTR. Defense counsel has to weigh the
> benefits of presenting evidence -- will it get some point across, or
> will it be lost on the judge/jury?
> I submit that a military judge or a panel of commissioned officers (and
> maybe some enlisted personnel) is unlikely to appreciate the finer
> mathematical points, and more likely to fall back on "but there are
> these logs, right there, and the feds say they're authentic." The
> defense has plenty of Lamo's own documented actions to use to undermine
> his credibility.
> There's much to be said for "baffle them with bullshit" (not that
> there's necessarily any bullshit even involved), but a jury that doesn't
> understand an argument is likely to dismiss it as bullshit.
> Best,
> --mlp
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography

More information about the cryptography mailing list