[Cryptography] Quillon Graph

Peter Fairbrother peter at tsto.co.uk
Fri Jan 16 22:55:24 EST 2026


On 15/01/2026 13:55, Peter Gutmann via cryptography wrote:
> Peter Fairbrother <peter at tsto.co.uk> writes:
> 
>> The laws of secure system design:
>>
>> 1 Someone else is after the stuff you have
> 
> Your mum may love you but everyone else really isn't that interested in you.
> You may be unlucky enough to get caught up in someone's driftnet, but that's
> about it.

Yep - but someone might want to trawl your stuff. Or, like NSA, all of 
everybody's stuff.

Or even your Mum or baby sister (don't ask) might want to get a look at 
your stuff, and you don't want her to.

>> 3 Everywhere can be attacked
> 
> Unless it's on the public Internet, people won't even know it exists, let
> alone try and attack it.

I originally meant the law to be taken as - the storage can be attacked, 
the keying, the cryptography, the implementation, the communications 
etc. etc.

But suppose you have an offline plaintext file which is hidden - you 
have to hide it somewhere, and that somewhere can be attacked.

Now if no-one knows where it is, or even that it exists, it will be hard 
for people to attack it - but perhaps someone gets lucky, or just looks 
everywhere. Or even just everywhere you might hide it.

>> 9 Security is a Boolean
> 
> Security is a floating-point value.  Most of the time all you need to be is
> just good enough.

Can't agree with that at all.

I gave my argument for considering security to be a boolean before, but 
in other circumstances or for other reasons maybe security can be 
considered as a matrix of 1's and 0's with e.g. different attacks as rows 
and effort as columns - or some other multi-valued construct - but never 
as a simple scalar.

> Also:
> 
> 11. "Don't be a target" is the best security measure you have.

Not sure it's the best, it's kinda fragile. And kind of hard to do reliably.

Note, that would be a method, not a law. I call them laws because, like 
the laws of physics, they cannae be broken.

> (Rule 11 ties in to all the other variations above.  If you can't comply with
> 11, i.e. your threat model is James Mickens "Mossad doing Mossad things to
> you" then you're going to get compromised no matter what you do).

Point - and yet people do resist forcible interrogation. Even if it's by 
using a cyanide-filled tooth (not really, you can't get enough cyanide 
in a fake tooth - but there are other poisons which would do the job).


Peter F

