[Cryptography] Conferences, committees, compliance

ianG iang at iang.org
Sun Jan 19 03:42:24 EST 2014 

Today's devil's advocacy post...


On 19/01/14 02:22 AM, Arnold Reinhold wrote:
>> On 2014-01-18 04:28, Arnold Reinhold wrote:
>>> 3. If I were working for NSA tasked with with disrupting the
>>> independent cryptographic community's response to the Snowdon
>>> revelations, I'd be hard pressed to come up with a better idea than
>>> a boycott of the RSA conference.
>>
>> Seems to me that the independent cryptographic community's response to
>> the Snowdon revelations is Jon Callas and Daniel Bernstein.  How does
>> boycotting RSA adversely affect them and what they are doing?
> 
> So Jon and Daniel have it all taken care of?


To a surprising extent, yes.  Certainly in comparison to the committees,
conferences, and also the compliance processes, yes.

Possibly this is just self bias, but I've been yammering on about things
like single modes and single algorithms and single architects for yonks,
and now these guys are starting to do it.  Have a look at CAESAR -- this
ground shift away from 'perfect' block ciphers has only occurred in the
last decade or so.  Why did that take so long?

My answer is this:  cryptographers and cryptoplumbers have really only
started talking together seriously in the last decade or so.

Conferences, committees, compliance processes didn't help that -- the
interfered with it.

(C3 considered evil?)


> We can just relax, and their admirable work, which solves all known and still undiscovered problems, will make its way into every security product by the sheer weight of its superiority?  No protocol issues to resolve? No need for people looking for weaknesses to brainstorm possible attacks? No need for people who are working on similar problems to meet and share issues and solutions? No need for those who still don't get it to hear from those who do? 


If you look back on C3, ask what notable results have come out ... list
them out ... and then look at what the builders have achieved by
themselves.  As just plain engineers.

The list isn't all one way, but there is a surprising amount of stuff
that came from engineers acting alone or in teams of 2.

Skype, Bitcoin, SSH, SSL, were all done initially by engineers.

Then look at all the cryptographer-led ventures:  DigiCash, Peppercoin,
various DRMs.


> I can't think of any discipline where the advocacy, relationship-building and cross fertilization that takes place in a conference is needed more than in cryptography, especially in light of the recent disclosures.  


Yes.  I agree the advocacy, relationship-building and cross
fertilization is needed.

But these processes aren't admitted to much of C3.  Many academic
conferences are captured by their paper-acceptance process, where you
have to be in the acceptance committees, accept crap papers from your
buddies, so they accept your crap papers.  It's a career-building
necessity, if you want academic credibility!  Unfortunately, the more
you win, the more you lose, as these little peer groups isolate
themselves in self-perpetuating crap.

Commercial conferences are captured by the vendors.  That's the main
defence of the RSA conference: "oh, my, where will I go to sell my
stuff?"  Committees are captured by the vendors, who send in their
engineers to make sure they get the least bad deal they can fight for.
Compliance processes are written by the industry leaders to establish
and cost-increase their own position.

These processes are all based on fallacious and expensive assumptions.

Here's one wrong assumption:  cryptographers know how to do
cryptography.  Sounds an odd thing to say, but look at the ones James
names ... they are actually computer scientists.  Programmers.  As much
and even more than they are cryptographers.

Adi said:  "Only the simplest cryptography is used..."  Yet look at what
his peers are working on?

Why is this?  Well, it's like materials science I suppose, the theory is
fine but it only advances to the extent that the practical issues are
sorted out.  Which requires engineers in the field.  And cryptography
was pretty much an ivory tower field for most of its open history, never
came out into the field.

Now, the engineers are learning enough such they don't need them.  Dan
and Jon aren't gods, but they are role models:  learn enough so you can
do it yourself.  It's your job, do it.



iang

More information about the cryptography mailing list