can a random number be subject to a takedown?

Jon Callas jon at callas.org
Tue May 1 17:33:01 EDT 2007 

On May 1, 2007, at 12:53 PM, Perry E. Metzger wrote:

>
> A lot of sites have been getting DMCA takedowns for the HD-DVD
> processing key that got leaked recently.
>
> My question to the assembled: are cryptographic keys really subject to
> DMCA subject to takedown requests? I suspect they are not
> copyrightable under the criterion from the phone directory
> precedent.

My tongue is slightly in my cheek as I say this: once a random number  
is known, it's not random any more. An idealized property of random  
numbers like keys is that there be no algorithm for producing it that  
is better than guessing. I can presently guess this key with  
probability greater than 2^-128 using this algorithm in a C-like  
pseudocode:

unsigned char* guess_key(void)
{
     unsigned
     char key[] = {0x0a, 0xFa, 0x12, 0x03,
                   0xD9, 0x42, 0x57, 0xC6,
                   0x9E, 0x75, 0xE4, 0x5C,
                   0x64, 0x57, 0x89, 0xC1};

     return key;
}

(Or it would if I'd put the actual AACS key in there.)

The question is if a *specific* key can be taken down. This is open  
to argument, because the DMCA only applies to things that are  
copyrightable, and one can argue that keys are not copyrightable  
convincingly. (Sketch of argument: if keys were copyrightable then I  
could copyright a list of all keys. I can't copyright a database, or  
even a phone book, so the notion that I could copyright a list of all  
numbers in the set [0..N] is absurd.)

As far as anti-circumvention goes, keys themselves can't be used for  
circumvention. Assuming that the above were the AACS key, I couldn't  
use it to circumvent because I don't know the right protocol to use.  
Consider another scenario: one can use a brick to smash a window, but  
possessing a brick does not mean you've broken windows. If I have a  
proper key, but no software, I am not capable of circumventing.  
Likewise, if I had software that could do the crypto, but no key, I'm  
not capable. It is only if I have both the software and the key that  
I have something that *might* be a circumvention device. Even things  
that might be circumvention devices are not always. The test in the  
DMCA is if its primary purpose is for circumvention. This is why  
debuggers are not circumvention devices. It is only when you use the  
potential circumvention device to circumvent that you've done the  
equivalent of throwing the brick through the window.

	Jon

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list